[ISN] IG flags Commerce security problems

From: InfoSec News (alerts@private)
Date: Wed Dec 20 2006 - 22:31:33 PST


By Wade-Hahn Chan
Dec. 19, 2006

Information security is the Commerce Department's no. 1 challenge in 
this fiscal year, according to its inspector general.

In its semiannual report to Congress for the six months ending Sept. 30, 
the IG cited the department's poor track record with regard to 
protecting the privacy of personal data and its slow progress on 
certifying the security of its critical systems.

The privacy concerns stem from a late September study that found the 
department had lost 1,137 laptop computers and other mobile devices 
since 2001, 249 of which contained personally identifiable information.

Under guidelines that the Office of Management and Budget issued, 
agencies must take several steps to protect personal data. To start, 
they should encrypt all sensitive data stored on mobile devices. They 
also must incorporate two kinds of authentication -- such as passwords 
and fingerprints -- to control remote access to systems with sensitive 
data. Finally, they should set up their systems to disconnect users who 
have been logged on for too long without any activity, and they should 
log all activity on those systems.

It was unclear whether Commerce had followed those guidelines, the IG 

"We found that in most cases bureaus could not demonstrate that the 
necessary steps have been taken to ensure that PII is adequately 
safeguarded," the report stated. "None of the system documentation 
reviewed indicated that PII was stored or processed, a step needed to 
determine the required safeguards."

The IG also criticized the department for the mixed results of its 
efforts to certify and accredit the security of important systems. 
Commerce officials appear to have made some progress, completing the 
process for 22 of its 28 systems by August 2006 - an increase from only 
five a year earlier.

In evaluating the certification and accreditation documentation, the IG 
found that only a third of the systems fully complied with the security 
standards that the National Institute of Standards and Technology set, 
and nine of the remaining systems had serious deficiencies.
