[ISN] IG: DHS falls short on security

From: InfoSec News (alerts@private)
Date: Thu Oct 18 2007 - 22:09:32 PDT


http://www.fcw.com/online/news/150553-1.html

By Alice Lipowicz
October 18, 2007

Despite improvements, the Homeland Security Department still falls short 
in protecting its critical IT systems and data, according to a new 
report [1] from the department’s Inspector General Richard L. Skinner.

Among the shortcomings cited in the report are systems being accredited 
as secure without key documents or information, information security 
weaknesses failing to be addressed with plans of action, system 
weaknesses not being monitored and resolved in a timely manner and 
baseline security configurations not being applied to all systems.

As of July 31, DHS’ chief information security officer reported that 530 
out of the department’s 603 operational systems had been certified and 
accredited to meet information security requirements. However, the 
inspector general found that only 486 systems should be considered 
certified and accredited.

For example, when the inspector general reviewed 28 departmental 
information technology systems that had been issued an authority to 
operate, 17 of the accreditations were judged to be incomplete because 
they were missing key documents or data, the report said.

The inspector general also found gaps in plans of action to correct 
known weaknesses. For example, three DHS components — the Federal 
Emergency Management Agency, National Programs and Protection 
Directorate and the Science and Technology Directorate — did not create 
action plans in response to weaknesses identified by the inspector 
general in fiscal 2007, the report said.

In addition, while FEMA and the Immigration and Customs Enforcement 
agency reported that they had implemented recommended security 
configurations, the inspector general found that the configurations were 
not fully implemented. Controls that were not fully in effect included 
those related to access control, identification management, system 
integrity and audit.

DHS officials agreed with the inspector general’s five recommendations 
for improvement, the report said.

[1] http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_07-77_Sep07.pdf





