IG audit reveals own laptop security lapses

The Homeland Security Department's shortcomings in information security extend to its own Office of the Inspector General, according to a new report.

The inspector general's office ? which frequently criticizes the department for IT security lapses ? is not doing a good job in securing sensitive data on the office's own laptop computers, according to the audit performed by Frank W. Deffer, assistant inspector general for information technology. A redacted version was posted on the office's Web Site.

Based on testing of 94 laptop computers, it was found that the office has failed to implement required security settings on its sensitive but unclassified and classified laptops, according to the report. In addition, there are no effective procedures to patch in computers that are not regularly used, to maintain an accurate inventory, to clear sensitive data from old laptops prior to reuse and to apply appropriate classification labels.

"Significant work remains for the Office of the Inspector General to further strengthen the configuration, patch and inventory management controls necessary to protect its government-issued laptop computers," the executive summary of the report stated.

To repair the problems, the office must remedy existing vulnerabilities, establish new procedures, implement an inventory system, sanitize computers and develop a risk assessment, among other steps.