The Department of Homeland Security (DHS) is making progress overhauling its Information Technology (IT) security program, but some components are in non-compliance, pointing to the need for stronger oversight and enforcement of existing security policies, the department’s Office of Inspector General (OIG) says in a new report.

Some of the negative findings by the IG include a refusal by the Secret Service to provide the DHS Chief Information Security Officer (CISO) with “required data on its systems security;” continued use by U.S. Citizenship and Immigration Services and the Federal Emergency Management Administration (FEMA) of the Windows XP operating system, for which Microsoft [MSFT] stopped providing software updates that mitigate security vulnerabilities in April; and continued use by the department and components of information systems without the proper authority to operate, which means there is no assurance “that the controls implemented are effective to protect sensitive information stored and processed by the systems.”

The report says that since the IG expressed concern to the acting director of the Secret Service, the agency has agreed to provide the required data to the CISO now and going forward.

On the positive side, DHS is improving the security of its information systems by expanding a risk-management approach that provides a “dynamic framework that can provide authorization officials access to security-related information on demand to make risk-based decisions” versus a “paperwork-driven, security authorization process.” DHS has also implemented a new Information Security Performance Plan, addressing the Obama administration’s cyber security priorities such as implementing trusted internet connections and performing continuous monitoring of its information systems. The department is also using stronger authentication to access information systems, the IG says.

“DHS has worked to improve and secure its vast IT resources,” John Roth, DHS Inspector General, said in a statement accompanying the release of the report, Evaluation of DHS’ Information Security Program for Fiscal Year 2014 (OIG-15-16). “But those improvements can only be effective if component agencies fully adhere to the rules and DHS management vigorously enforces compliance. Failure to do so will pose a serious threat to DHS and its homeland security missions.”

The IG made six recommendations for the DHS CISO, such as expanding the department’s continuous monitoring strategy to secret and top secret systems, establishing a process so that components follow proper security policies, and ensuring that all DHS systems have the proper authority to operate. DHS concurred with all of the recommendations.