[ISN] DHS IT security spanked again

From: InfoSec News (isn@private)
Date: Tue Jan 24 2006 - 22:33:36 PST


http://www.gcn.com/vol1_no1/daily-updates/38088-1.html

By Wilson P. Dizard III 
GCN Staff
01/24/06 

The Homeland Security Department's forlorn IT security came in for
another pasting today from the department's inspector general and from
Sen. Judd Gregg (R-N.H.), chairman of the Senate Appropriations
Subcommittee on Homeland Security.

The department's IT security has been the subject of several critical
reports and evaluations, and DHS has earned three consecutive failing
grades [1] in its annual IT security evaluation under the Federal
Information Systems Management Act.

Department officials said they would reserve at least part of their
response to Gregg's comments on what he called the "disturbing IG
reports on weaknesses in DHS operations" until a hearing tomorrow
morning in the senator's subcommittee about the U.S. Visitor and
Immigrant Status Indicator Technology system. U.S. Visit program
manager Jim Williams and Government Accountability Office architecture
expert Randy Hite are slated to testify at the hearing.

Gregg praised DHS officials for pledging to address the problems
raised in the three reports. Homeland Security CIO Scott Charbo
responded to the reports with detailed letters describing DHS' plans
to improve database security and the management of the department’s
OneNet network.

DHS officials responsible for IT used in border security, which
formerly fell under the authority of the now-dissolved Border and
Transportation Security Directorate, submitted a detailed reply to an
IG report on border systems.

Gregg issued comments in a press release on three IG reports, with the
following titles:

* Management of the DHS Wide Area Network Needs Improvement

* Security Weaknesses Increase Risks to Critical DHS Databases and
  
* U.S. Visit System Security Management Needs Strengthening.

Gregg said that during a time when the government is spending billions
on security, it is unacceptable that DHS has failed to properly manage
and secure its systems.

"The reports of threats posed by holes in the department's information
technology and infrastructure are a concern," Gregg said in his
statement. "The U.S. Visit program, for example, is a major IT
investment, and the department must concentrate on this program
operating effectively."

The IG reports include extensive blank spaces that omit sensitive IT
security information about issues such as database configuration
guidelines and database security and audit trail procedures. DHS also
blanked out the locations of DHS database facilities in six states.

The IG reported that DHS officials have not yet fully aligned their
databases with FISMA procedures, failing, for example, to test and
evaluate security controls, to integrate security control costs into
system life cycle costs and to provide specialized security training
to system administrators.

The auditors said DHS had not followed its own procedures to clear an
upgrade of the department's wide area network, and had relied on a
network security operation at Immigration and Customs Enforcement
rather than creating a separate security operations center. They
pointed out ineffective network monitoring and the lack of
interconnection service agreements as additional problems with the
WAN.

[1] http://www.gcn.com/vol1_no1/FISMA/35548-1.html



_________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org 



This archive was generated by hypermail 2.1.3 : Tue Jan 24 2006 - 22:44:56 PST