Skinner: DHS needs to shield personal information

The Homeland Security Department is not doing enough to protect personal identifying information within its computer systems, according to a new report from DHS Inspector General Richard L. Skinner.

Personal identifying information is any information that can be used to identify a person. It includes, for example, full name, telephone number, e-mail address, credit card numbers and date of birth.

While the department has performed draft assessments of privacy impacts and risks to most of its 699 systems, the final validations and approvals by the DHS Privacy Office are not yet complete, the report said.

Of the 699 computer systems within the department, 95 percent or more had been subjected to a security plan, security categorization and draft privacy threshold assessment as of September 2006, the report said. Eighty-five percent had completed a risk assessment.

But only 155 systems, or 23 percent, of those assessments and plans were validated by the privacy office as of that date. Of the 52 systems required to be covered by a Privacy Impact Assessment, only 20 of those assessments were approved as of September 2006, the inspector general said.

"Until DHS completes and validates the security documentation, privacy threshold assessments and privacy impact assessments for its systems and programs, the department lacks assurance that the risks associated with sensitive data and personal identifying information have been determined and appropriate security controls have been identified," the report said.

DHS also needs to complete encryptions of data on laptop computers and to strengthen protections of data during storage, and in transit, the 26-page report concludes.