[ISN] IG flags TWIC for security holes

From: InfoSec News (alerts@private)
Date: Fri Aug 04 2006 - 09:46:39 PDT


http://www.fcw.com/article95528-08-03-06-Web

By Wade-Hahn Chan
Aug. 3, 2006

The Department of Homeland Security needs to address some basic security 
problems before fully deploying its system for issuing biometric-based 
identification cards to transportation workers nationwide, according to a 
report from the department's inspector general.

A redacted version of the report, released Aug. 2, states that the 
Transportation Worker Identification Credential (TWIC) program has 
significant security vulnerabilities in its systems, documentation and 
program management.

"The security-related issues identified may threaten the confidentiality, 
integrity and availability of sensitive TWIC data," the report states. 
"Until remedied, the significant security weaknesses jeopardize the 
certification and accreditation of the systems prior to full 
implementation of the TWIC program."

Specifics on the number and types of vulnerabilities were redacted from the 
public version of the report. However, the report indicates that the 
problems involve default security settings, default accounts and patch 
management.

The program also does not comply with some requirements of the Federal 
Information Security Management Act, according to the report. The 
department needs to update its privacy assessment of the program, have the 
systems contingency plans approved and tested, and provide more security 
training to system and database administrators, the document states.

TWIC is currently in its prototype phase. The systems evaluated by the IG 
included enrollment workstations, contractor data center databases, and the 
printers and workstations used to produce TWIC cards.

The IG recommends that the vulnerabilities be remediated and the FISMA 
documentation updated as soon as possible. TSA concurred with the IG's 
findings and agreed to implement its recommendations. The agency also said 
it would address the default settings, default accounts and patch 
management problems through technical enhancements to the prototype system 
and by conducting security tests and evaluations.





This archive was generated by hypermail 2.1.3 : Fri Aug 04 2006 - 09:50:52 PDT