[ISN] DHS needs to wrap up effort to protect personal data, IG says

From: InfoSec News (alerts@private)
Date: Wed Feb 21 2007 - 23:10:21 PST


By Wade-Hahn Chan
Feb. 21, 2007

The Homeland Security Department still must do a lot of work to ensure 
the security of sensitive and personally identifiable information that 
is stored on its systems, according to the DHS inspector general.

DHS officials are working on the problem, falling in line with 
guidelines issued by the Office of Management and Budget on security 
controls, according to a memorandum from IG Richard Skinner. They have 
updated DHS policies and procedures to reflect OMB's recommendations, 
and they have begun the process of identifying and protecting systems 
that store sensitive data.

But they have a long way to go, the memo states. The IG is especially 
concerned about mobile devices. For example, 12 of 16 component agencies 
in DHS have yet to encrypt sensitive information on their laptops and 
other mobile computing devices.

Agency officials say they are running into problems with hardware 
limitations, insufficient software licenses and incomplete inventories, 
according to the memo, but they say they are making progress.

"Until adequate encryption mechanisms have been implemented, there is 
increased risk that sensitive data or [personally identifiable 
information] may be compromised through the loss or theft of laptop 
computers and mobile computing devices," the IG stated.

The IG is also concerned that the department has not followed OMB 
guidelines for protecting systems that can be accessed by remote users. 
In interviews with officials at component agencies, the IG's office 
found that the agencies' efforts to improve remote access and storage 
controls were hindered by uncertainty regarding the applicability and 
scope of the OMB recommendations and new DHS requirements.

The IG recommends that the department's chief information officer 
identify those gray areas and provide additional guidance.

The IG also recommends:

* The chief privacy officer should ensure that the department wraps up 
  the inventory of affected systems.

* The CIO should ensure that DHS agencies encrypt all personal data 
  stored on laptop computers and mobile devices, as well as data 
  transported and stored at alternate facilities.

* The CIO should also improve the security of electronic copies or 
  extracts of personal data. Such data should be erased within 90 days 
  if no longer required.

This archive was generated by hypermail 2.1.3 : Wed Feb 21 2007 - 23:28:42 PST