DHS gets low marks for security

The Homeland Security Department is showing major weaknesses in ensuring information security for its computer systems, according to a Government Accountability Office report released today.

"DHS has not fully implemented a comprehensive, departmentwide information security program to protect the information and information systems that support its operations and assets," the GAO said.

Shortcomings include incomplete risk assessments, lack of security plans and incomplete or absent testing and evaluation of existing policies and procedures. The "enterprisewide tool" that DHS has been using to implement key information security practices and controls is "unreliable," the GAO found.

"Until DHS addresses weaknesses with using the tool and implements a comprehensive, departmentwide information security program, its ability to protect its information and information systems will be limited," the GAO said.

The GAO reviewed Homeland Security's program to comply with the Federal Information Security Management Act of 2002 [FISMA] and other federal requirements. It found that DHS' chief information security officer (CISO) has developed some policies and procedures that could be a framework for a departmentwide security program; however, some of the elements have not yet been implemented as required.

"Although the CISO has made significant progress in developing and documenting a departmentwide information security program, certain DHS components have not yet fully implemented key information security practices and controls as required by the program," the GAO said.

"We identified weaknesses in information security documentation for the three major applications and three general support systems that we selected for review that place DHS' operations and assets at risk." The applications include the U.S. Visit traveler program, as well as unspecified applications and general support systems at Immigration and Customs Enforcement, Transportation Security Administration and the Emergency Preparedness & Response Directorate.

DHS also fell short in continuity of operations plans to restore critical systems following an unexpected failure or disaster. "For all five of the continuity of operations plans reviewed, program officials either did not include all information necessary to restore operations in the event of a disaster or have a documented plan," the GAO said.

To correct the problems, the GAO advises that DHS perform the risk assessments, document security plans, test and evaluate security controls, report remedial action plans and test continuity of operation.

The DHS, in its comments, agreed with the findings and said the agency is working on the corrections that were advised and on strengthening the reliability of the enterprisewide tool.