[ISN] Fixing the DHS cybersecurity gap

InfoSec News isn at c4i.org
Mon Nov 8 05:32:22 EST 2004


By Florence Olsen 
Nov. 8, 2004 

The Homeland Security Department's inspector general has completed an
information security audit of the agency, which shows DHS officials
are still struggling with internal cybersecurity issues. But that
comes as no surprise to management experts.

The public flogging of DHS and all federal agencies is fine as long as
people have reasonable expectations about cybersecurity, said Paul
Proctor, vice president of security and risk strategies at the META
Group, an information technology and business consulting company.

"I say, keep up the hammering, but recognize that many agencies are
doing the work necessary to get there eventually," Proctor said.

The report, released Oct. 27, highlights areas in which DHS officials
have improved the department's information security practices and
policies. But the overall tone of the report is negative. "We
recommend that DHS continue to consider its information systems
security program a significant deficiency" for fiscal 2004, the
auditors state in the report's summary.

They conducted the information security audit between April and
September, according to guidelines set by Office of Management and
Budget officials. OMB officials developed the guidelines to help
federal agencies comply with the Federal Information Security
Management Act of 2002.

The report cites the chief information officer's lack of authority to
manage DHS' departmentwide IT programs and spending as a significant
factor in the department officials' struggle to secure the agency's
information systems. It states that the absence of a formal reporting
relationship between the CIO and the program organizations within the
department continues to undermine DHS' information security program.

Lynn McNulty, director of government affairs at the International
Information Systems Security Certification Consortium and a former
government computer security official, was quick to defend DHS'
information security efforts in light of the constraints on its CIO.

"He doesn't have command authority over what is going on in the 27
different agencies in DHS," McNulty said. "Unless they want to give
him that, then all he can do is plead with them and offer constructive
alternatives, but he has no mechanism to force compliance."

In a written response to the audit, Steve Cooper, DHS' CIO, said he
generally concurred with the findings. He also expressed appreciation
for what he described as "the open dialogue and strengthened
relationship ...that have emerged in the past year" between his office
and the inspector general's office.


Audit reveals no surprises

A new audit by the Homeland Security Department's inspector general
highlights the following areas:

Progress: DHS officials have hired a contractor to develop a
methodology for conducting a systems inventory across the 27 agencies
that merged in March 2003 to become DHS.

Concern: The department still lacks a comprehensive inventory of its
information systems, as required by the Federal Information Security
Management Act of 2002.

Source: Homeland Security Department

More information about the ISN mailing list