Audit: DHS beset by weak information security

Despite improvements, the Homeland Security Department still has weak information security programs overall, according to a new report from DHS Inspector General Richard L. Skinner.

The IG's audit found that many of the department's IT systems remain uncertified and unaccredited, while plans to correct weaknesses are undeveloped. The report also said contingency plans have not been developed and tested for all systems, and added that tools used to measure progress are neither complete nor current.

"We recommend that DHS continue to consider its information security program a significant deficiency for [fiscal] 2005," the IG concluded.

DHS officials agreed with the recommendations, and have developed remediation plans for fiscal 2006, according to the report.

Skinner evaluated DHS' compliance with the Federal Information Security Management Act of 2002, which focuses on program management, implementation and evaluation of the security of unclassified and national security IT systems.

The department has made progress on several fronts, including developing so-called Plans of Action and Milestones, as well as a Trusted Agent FISMA tool to collect and track data related to FISMA compliance.

DHS also performed a comprehensive inventory of its IT systems, identifying 795 operational systems as of Aug. 25. That's more than double the 295 systems it reported the previous year, the report said. However, DHS does not yet have a process to update its inventory annually.

Other deficiencies in DHS' IT security cited in the report included:

  • Self-assessments have been performed on only 46 percent of contractor systems used on behalf of DHS.

  • The Transportation Security Administration and the Secret Service have no contingency plans for network security, and the Citizenship and Immigration Services agency, the Coast Guard and the Secret Service have no contingency plans for database security.

  • Fifteen out of 16 certification and accreditation packages reviewed at DHS were incomplete, with some key security documents either not prepared, in draft, or failing to meet appropriate guidelines.

  • The Customs and Border Protection, CIS and Emergency Preparedness and Response agencies and the Federal Law Enforcement Training Center did not submit weekly reports to the DHS Computer Security Incident Response Center as required, based on a 10-week evaluation period.