[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ISN] Report: DHS has 'significant deficiency' in info security
By Florence Olsen
Oct. 28, 2004
The Homeland Security Department's inspector general has completed an
information security audit of the agency, which shows DHS officials
are still struggling with internal cybersecurity issues.
The report , released Oct. 27, highlights areas in which DHS
officials have improved the department's information security
practices and policies. But the overall tone of the report is
negative. "We recommend that DHS continue to consider its information
systems security program a significant deficiency for" fiscal 2004,
the IG auditors state in the report's summary.
The IG conducted the information security audit between April and
September 2004 according to guidelines set by Office of Management and
Budget officials. OMB developed the guidelines to help federal
agencies comply with the Federal Information Security Management Act
The report cited the chief information officer's lack of authority to
manage DHS' departmentwide information technology programs and
spending as a significant factor in the department's struggle to
secure its information systems. It stated that the absence of a formal
reporting relationship between the CIO and the program organizations
within the department continues to undermine DHS' information security
Among the problems cited in the report, the inspector general found 12
systems had been accredited even though key documentation did not meet
the requirements for accreditation.
On a positive note, the IG commended DHS officials for developing
departmentwide security configurations policies and procedures for
Microsoft Corp. Windows 2000 and Sun Microsystems Inc. Solaris
systems. But the report also noted that no DHS organization had
completed configuration requirements for all of its systems.
Steven Cooper, DHS' CIO, was more positive in his written response to
the report. After stating that he generally concurred with the IG's
findings, Cooper wrote that DHS officials have begun a comprehensive
inventory of general support systems and major applications and will
review data captured in the agency's automated FISMA data collection
and reporting system, Trusted Agent FISMA.
The IG's audit revealed problems with verifying the data in the
automated system. For example, Trusted Agent FISMA does not identify
applications and systems that are due for recertification and
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/