[ISN] Review: Security flaws place DHS inspectors' laptops at risk

From: InfoSec News (alerts@private)
Date: Mon Oct 02 2006 - 23:00:50 PDT


http://www.govexec.com/story_page.cfm?articleid=35176

By Daniel Pulliam
dpulliam (at) govexec.com
October 2, 2006

The Homeland Security Department inspector general's office has not 
taken the necessary steps to properly secure laptop computers holding 
sensitive and classified information, a report released Monday stated.

The heavily redacted Aug. 8 report [1] from Frank Deffer, assistant 
inspector general for information technology at DHS, said considerable 
risks remain despite the many essential security controls in place, 
including adequate physical security. Most examples of inconsistent 
security practices were redacted.

The report said that stolen or missing laptops are not consistently 
reported through the chain of command to DHS' Computer Security Incident 
Response Center. This included a stolen IG laptop in 2005.

"Because the OIG had not reported the security incident to the DHS 
CSIRC, senior DHS officials may not be aware of the extent or scope of 
laptop security issues at the department," the reviewers stated.

While the IG office has procedures to make sure employees return office 
laptops, the office has not cleared sensitive data from machines with 
"sensitive but unclassified" information prior to reuse. This is a 
process that involves overwriting the hard drive three times.

Auditors reviewed an inventory of office laptops and tested 94 dubbed 
"sensitive but unclassified" and eight designated as classified. The 
inventory contained numerous discrepancies, according to the report.

Fifty of the office's 395 laptops lacked proper labels and another 46 
were missing identification numbers. Six of the 94 "sensitive but 
unclassified" laptops tested and two of the eight classified laptops 
were not included in the inventory.

"Without an accurate and current inventory, the OIG may be unaware of 
additional laptops that are missing," the report stated.

The office also has failed to fulfill its requirements under the 2002 
Federal Information Security Management Act and has not developed an 
effective way to update security software on laptops that do not 
regularly connect to the office network, the report said.

Nineteen of the laptops tested as part of the review were missing more 
than three patches, the audit said.

In addition, the IG office has not fully implemented its standard 
computer security package that includes configuration settings and 
security software, the report stated. A list of critical elements 
missing from the security package was redacted. The report stated that 
the IG office plans to formally accept these known risks.

In a response to the findings, Edward Cincinnati, assistant inspector 
general for administration, concurred with the auditors' recommendations 
and said his office is in the process of making changes.

[1] http://www.dhs.gov/interweb/assetlibrary/OIGr_06-58_Aug06.pdf

