[ISN] DHS progresses in IT security

From: InfoSec News (alerts@private)
Date: Thu Oct 05 2006 - 01:40:23 PDT


http://www.washingtontechnology.com/news/1_1/daily_news/29452-1.html

By Wilson P. Dizard III
Contributing Writer
10/04/06

Homeland Security Department officials cited progress in securing IT 
systems across the sprawling organization as reflected in an Inspector 
General Office report issued today. They expressed confidence that their 
department would receive a passing grade for the first time in next 
year's federal IT security report card.

The report forms part of the process that leads to the assignment of a 
letter grade for IT security. Today's report, for the first time, does 
not point to DHS performance as a material weakness that would lower the 
grade.

Even as the IG report mentioned significant improvements in IT security, 
it pointed to specific areas where DHS has much work to do. DHS 
officials concurred in the auditors' evaluation of needed security 
upgrades and described their planned improvements in an annex to the 
report.

According to the report, "Some of the issues that we identified and 
recommendations made in our FY 2005 report to assist DHS and its 
components in the implementation of its information program have been 
addressed." The report cited improvements in developing a comprehensive 
system inventory and increasing the number of systems that have been 
certified and accredited.

The report tagged five major problems with DHS technology security:

    * Not all DHS systems have been certified and accredited.
    * Some of the IT security weaknesses in DHS agencies don't appear in 
      the department's Plan of Action and Milestones.
    * Data in the department's enterprise management tool, Trusted Agent 
      FISMA, is not complete or current.
    * System contingency plans have not been tested for all systems and
    * The department's IT security procedures should be improved.

Charles Armstrong, the department's deputy CIO, said in a telephone 
interview today, "We've made huge progress since 2003. There were 
components that got their IT ripped apart and glued into ours [when DHS 
was created]. We still are in the throes of trying to rationalize and 
get to one IT structure, so to go from [approximately] 20 percent of 
systems being certified and accredited to 90-plus percent is a really a 
good feat."

Armstrong predicted that "This is one year where we look forward to 
testifying in front of [House Government Reform Committee chairman Rep.] 
Tom Davis [R-Va.] and telling him our stories of success."

Department spokesman Larry Orluskie said in an e-mail message, "DHS has a 
total inventory of 692 DHS IT systems; 589 systems, or 85 percent, were 
certified and accredited as of Sept. 15, 2006. And, this is the number 
reported in the department's 2006 [Federal Information Management 
Security Act] report to OMB." Orluskie added, "We anticipate 100 percent 
[of the systems will be certified and accredited] by the end of calendar 
year 2006!"

DHS received an F for its IT security under the FISMA process for 2003, 
2004 and 2005, years in which the department's Inspector General 
highlighted serious material weaknesses in the area. But Orluskie said 
that the department expects to receive its first passing score when the 
report cards for 2006 are issued in early 2007.

Armstrong assigned much of the credit for the improved performance to 
chief information security officer Bob West.

