By Wade-Hahn Chan
Feb. 21, 2007
The Homeland Security Department still must do a lot of work to ensure
the security of sensitive and personally identifiable information that
is stored on its systems, according to the DHS inspector general.
DHS officials are working on the problem, falling in line with
guidelines issued by the Office of Management and Budget on security
controls, according to a memorandum from IG Richard Skinner. They have
updated DHS policies and procedures to reflect OMB's recommendations,
and they have begun the process of identifying and protecting systems
that store sensitive data.
But they have a long way to go, the memo states. The IG is especially
concerned about mobile devices. For example, 12 of 16 component agencies
in DHS have yet to encrypt sensitive information on their laptops and
other mobile computing devices.
Agency officials say they are running into problems with hardware
limitations, insufficient software licenses and incomplete inventories,
according to the memo, but they say they are making progress.
"Until adequate encryption mechanisms have been implemented, there is
increased risk that sensitive data or [personally identifiable
information] may be compromised through the loss or theft of laptop
computers and mobile computing devices," the IG stated.
The IG is also concerned that the department has not followed OMB
guidelines for protecting systems that can be accessed by remote users.
In interviews with officials at component agencies, the IG's office
found that the agencies' efforts to improve remote access and storage
controls were hindered by uncertainty about the applicability and scope
of the OMB recommendations and the new DHS requirements.
The IG recommends that the department's chief information officer
identify those gray areas and provide additional guidance.
The IG also recommends:
* The chief privacy officer should ensure that the department wraps up
the inventory of affected systems.
* The CIO should ensure that DHS agencies encrypt all personal data
stored on laptop computers and mobile devices, as well as data
transported and stored at alternate facilities.
* The CIO should also improve the security of electronic copies or
extracts of personal data. Such data should be erased within 90 days
if no longer required.