[ISN] DHS information security plans lacking, GAO says

InfoSec News isn at c4i.org
Tue Jul 12 06:11:28 EDT 2005 

http://www.govexec.com/dailyfed/0705/0701105p1.htm

By Daniel Pulliam
dpulliam at govexec.com 
July 11, 2005 

The Homeland Security Department has yet to establish an adequate 
information security program, congressional auditors found after 
spending nearly a year reviewing its cybersecurity policies and plans. 

Since the formation of Homeland Security in 2003, the department has 
struggled to manage its various components' computer systems, 
according to a new Government Accountability Office report. Complying 
with the 2002 Federal Information Security Management Act and guidance 
from the Office of Management and Budget for securing computer systems 
has proven to be difficult. Failure to implement established security 
policies has limited the department's ability to protect its 
information, the report (GAO-05-700) [1] stated. 

"Until DHS addresses these weaknesses and fully implements a 
comprehensive, departmentwide information security program, its 
ability to protect the confidentiality, integrity and availability of 
its information and information systems will be limited," the report 
stated. 

The report, requested by Sen. Joseph Lieberman, D-Conn., ranking 
member of the Senate Homeland Security and Governmental Affairs 
Committee, commended DHS for making "significant progress in 
developing and documenting a departmentwide information security 
program," but noted that weaknesses continue to threaten the security 
of its computer systems. 

On Monday, Lieberman urged the department to follow GAO's 
recommendations.

"How can the department possibly protect the nation's critical 
cyberstructure if it cannot keep its own house in order?" Lieberman 
said. "More than two years after the department was formed, it should 
have a better grasp on protecting its own systems and information." 

The 36-page review assessed four major DHS components - the US VISIT 
program, the Immigration and Customs Enforcement bureau, the 
Transportation Security Administration, and the Emergency Preparedness 
and Response division-- in five areas of security practices and 
management. 

In the five areas - assessing risks, security plans, security testing 
and evaluations, corrective action plans, and continuity of operation 
plans - no component was satisfactory in more than two areas. 

The report stated that DHS has developed policies that could serve as 
a framework for a security program, but gaps in those plans prevent 
its implementation. 

Homeland Security received an F grade in cybersecurity [2] along with 
seven other agencies rated by a congressional committee in February. 

In a response to the GAO report, Robert West, DHS chief information 
security officer, wrote that the department is doing more than just 
documenting an information security program. 

West cited the success of a pilot certification and accreditation 
program and a departmentwide inventory of systems and applications, 
scheduled to be completed in August. 

[1] http://www.gao.gov/new.items/d05700.pdf
[2] http://www.govexec.com/dailyfed/0205/021605p1.htm

More information about the ISN mailing list