DHS IT security smacked again
- By Wilson P. Dizard III
- Jan 26, 2006
The Homeland Security Department's forlorn IT security came in for another pasting this month from the department's inspector general and from Sen. Judd Gregg (R-N.H.), chairman of the Senate Appropriations Subcommittee on Homeland Security.
The agency's IT security has been the subject of several critical reports and evaluations, and DHS has earned three consecutive failing grades in its annual IT security evaluation under the Federal Information Systems Management Act.
Gregg praised DHS officials for pledging to address the problems raised in the three reports. Homeland Security CIO Scott Charbo responded with detailed letters describing DHS' plans to improve database security and managing the agency's OneNet network.
DHS officials responsible for IT used in border security submitted a detailed reply to an IG report on border systems.
During a time when the government is spending billions on security, Gregg said, it is unacceptable that DHS has failed to properly manage and secure its systems.
"The reports of threats posed by holes in the department's information technology and infrastructure are a concern," Gregg said. "The U.S. Visit program, for example, is a major IT investment, and the department must concentrate on this program operating effectively."
The IG reports include extensive blank spaces that omit sensitive IT security information about issues such as database configuration guidelines and security.
The IG reported that DHS officials have not yet fully aligned their databases with Federal Information Security Management Act procedures, failing, for example, to test and evaluate security controls, to integrate security control costs into system lifecycle costs, among other issues.
The auditors said DHS had not followed its own procedures to clear an upgrade of the agency's wide area network, and had relied on a network security operation at Immigration and Customs Enforcement rather than creating a separate security operations center. They noted ineffective network monitoring and the lack of interconnection service agreements as additional problems with the WAN.
Government Computer News' Wilson Dizard can be reached at email@example.com.