By Daniel Pulliam
dpulliam (at) govexec.com
October 2, 2006
The Homeland Security Department inspector general's office has not
taken the necessary steps to properly secure laptop computers holding
sensitive and classified information, a report released Monday stated.
The heavily redacted Aug. 8 report from Frank Deffer, assistant
inspector general for information technology at DHS, said considerable
risks remain despite the many essential security controls in place,
including adequate physical security. Most examples of inconsistent
security practices were redacted.
The report said that stolen or missing laptops are not consistently
reported through the chain of command to DHS' Computer Security Incident
Response Center. One such case was an IG laptop stolen in 2005.
"Because the OIG had not reported the security incident to the DHS
CSIRC, senior DHS officials may not be aware of the extent or scope of
laptop security issues at the department," the reviewers stated.
While the IG office has procedures to make sure employees return office
laptops, it has not sanitized machines holding "sensitive but
unclassified" information before they are reused, a process that
involves overwriting the hard drive three times.
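The sanitization step the report refers to is a multi-pass overwrite of the whole drive, followed by a check that the original data can no longer be read back. The following is an added example, not code from the report or from DHS, that does exactly that against a constructed "disk" (a temporary file seeded with a known sensitive string). The pass sequence (zeros, ones, random) and the marker string are assumptions for the illustration, not something the report specifies.

```python
import os
import secrets
import tempfile

# Assumed three-pass sequence for the example: fixed 0x00, fixed 0xFF, then random bytes.
PASS_PATTERNS = (b"\x00", b"\xff", None)


def _media_size(f):
    # os.path.getsize() reports 0 for a block device, so measure by seeking to the end.
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(0)
    return size


def overwrite(path, patterns=PASS_PATTERNS, chunk_size=1 << 20):
    """Overwrite every byte of `path` once per pattern; returns the number of bytes covered."""
    with open(path, "r+b", buffering=0) as f:
        size = _media_size(f)
        for pattern in patterns:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk_size, remaining)
                buf = pattern * n if pattern is not None else secrets.token_bytes(n)
                written = 0
                while written < n:  # unbuffered write() may be short on raw devices
                    written += f.write(buf[written:])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force the pass onto the media before starting the next
    return size


def residue(path, markers):
    """Return the markers still readable from `path` after sanitization (empty means clean)."""
    with open(path, "rb") as f:
        data = f.read()
    return [m for m in markers if m in data]


def sanitize_demo():
    """Constructed 'laptop disk': a temp file filled with a known sensitive string."""
    marker = b"SENSITIVE-BUT-UNCLASSIFIED "  # constructed content, 27 bytes
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * 4096)
        path = tmp.name
    try:
        size = overwrite(path)
        return size, residue(path, [marker])
    finally:
        os.unlink(path)


if __name__ == "__main__":
    covered, left = sanitize_demo()
    print(f"overwrote {covered} bytes, residue found: {left}")
```

Run as root against a device path (for example a removable drive) the same `overwrite()` covers the raw partition; the read-back check is the part most sanitization procedures skip and the part an auditor would ask for. Note that overwriting only reaches sectors the drive still maps: flash-based drives and drives with remapped bad sectors should be erased with the drive's own secure-erase or cryptographic-erase command instead.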
Auditors reviewed an inventory of office laptops and tested 94 designated
"sensitive but unclassified" and eight designated as classified. The
inventory contained numerous discrepancies, according to the report.
Fifty of the office's 395 laptops lacked proper labels and another 46
were missing identification numbers. Six of the 94 "sensitive but
unclassified" laptops tested and two of the eight classified laptops
were not included in the inventory.
"Without an accurate and current inventory, the OIG may be unaware of
additional laptops that are missing," the report stated.
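The discrepancies the auditors describe (machines without labels or identification numbers, duplicate entries, tested machines absent from the inventory, and inventoried machines nobody can locate) are exactly what a reconciliation of the inventory against a physical count surfaces. The following is an added example, not code from the report, that runs that reconciliation over a constructed inventory and a constructed set of machines "found" during a review; the serials, tags and field names are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Record:
    serial: str
    asset_tag: Optional[str]   # identification number; None when never assigned
    label: Optional[str]       # classification label affixed to the case; None when absent
    classification: str        # "SBU" or "CLASSIFIED"


def reconcile(inventory: List[Record], observed: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the inventory of record with machines physically located during a review.

    `observed` maps each serial found to the classification marked on that machine.
    """
    by_serial: Dict[str, Record] = {}
    duplicates: List[str] = []
    for rec in inventory:
        if rec.serial in by_serial:
            duplicates.append(rec.serial)  # the same machine entered twice
        by_serial[rec.serial] = rec
    return {
        "duplicate_serials": sorted(set(duplicates)),
        "missing_tags": sorted(s for s, r in by_serial.items() if not r.asset_tag),
        "missing_labels": sorted(s for s, r in by_serial.items() if not r.label),
        # Machines in hand that the inventory does not know about.
        "not_in_inventory": sorted(s for s in observed if s not in by_serial),
        # Machines the inventory claims exist but the review could not find.
        "not_located": sorted(s for s in by_serial if s not in observed),
        # Inventory says one classification, the machine carries another.
        "classification_mismatch": sorted(
            s for s, c in observed.items()
            if s in by_serial and by_serial[s].classification != c
        ),
    }


# Constructed sample inventory: six rows, one of them a duplicate entry.
SAMPLE_INVENTORY = [
    Record("S001", "A001", "SBU", "SBU"),
    Record("S001", "A001", "SBU", "SBU"),
    Record("S002", None, "SBU", "SBU"),
    Record("S003", "A003", None, "SBU"),
    Record("S004", "A004", "CLASSIFIED", "CLASSIFIED"),
    Record("S005", None, None, "CLASSIFIED"),
]

# Constructed physical count: serial -> classification marked on the machine.
SAMPLE_OBSERVED = {
    "S001": "SBU",
    "S003": "SBU",
    "S004": "SBU",         # inventory says CLASSIFIED
    "S006": "SBU",         # not in inventory
    "S007": "CLASSIFIED",  # not in inventory
}


def audit_sample() -> Dict[str, List[str]]:
    return reconcile(SAMPLE_INVENTORY, SAMPLE_OBSERVED)


if __name__ == "__main__":
    for finding, serials in audit_sample().items():
        print(f"{finding:24s} {serials}")
```

The "not_located" list is the one that matters for the report's warning: a serial the inventory carries but the review cannot produce is either a record error or a missing laptop, and only an investigation of each entry tells which.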
The office also has failed to fulfill its requirements under the 2002
Federal Information Security Management Act and has not developed an
effective way to update security software on laptops that do not
regularly connect to the office network, the report said.
Nineteen of the laptops tested as part of the review were missing more
than three patches, the audit said.
In addition, the IG office has not fully implemented its standard
computer security package that includes configuration settings and
security software, the report stated. A list of critical elements
missing from the security package was redacted. The report stated that
the IG office plans to formally accept these known risks.
In a response to the findings, Edward Cincinnati, assistant inspector
general for administration, concurred with the auditors' recommendations
and said his office is in the process of making changes.