DHS computer security management still needs work

Despite significant progress made in the last year, the Department of Homeland Security’s information security processes still have not been able to assure the security of the department’s systems, an Inspector General’s report said.

DHS missed its goal of having all of its systems’ security processes certified and accredited by September 30, and some systems were certified without the required security documentation, according to the report (PDF). In addition, security weaknesses and their remediation are not being tracked properly, the report said.

Security contingency plans had not been tested for 44 percent of the systems, and contingency planning and system inventory data is frequently inaccurate or incomplete, the report said.

Part of monitoring the department’s operational systems entails implementing action plans and setting security goals, the report noted. Sixty-nine percent of set goals remain unsatisfied, the report added, and the department lacks the necessary resources to reach many of the milestones. Inspectors stated that they could not accurately predict how much the department must spend to meet all its goals.

The report also stated: “DHS does not have detailed documented procedures for reporting incidents to law enforcement authorities” for information security breaches. Inspectors criticized DHS for failing to “[improve] its incident detection, handling and analysis procedures during the last year.” — Government Executive

Finally, the IG report criticized DHS for providing inadequate security training to personnel responsible for IT security. A security training program that was supposed to be complete by September 30 won’t be fully operational until 2010, the report noted, and the department cannot be sure that personnel have received the security training necessary for their jobs.

The department agreed with the IG’s recommendations to improve security, but said that individuals already receive appropriate security training on a case-by-case basis. “Individuals with significant security responsibilities receive role-based training on a case-by-case basis, in direct relation to their position, experience level and duties,” wrote DHS Deputy Chief Information Officer Charles Armstrong in a response to the report.

Now to put all this in plain English, it simply means the Department doesn’t yet have a handle on exactly how bad its computer security is. The IG report cited dozens of security weaknesses that weren’t corrected until over two years after they were first identified, and hundreds which were past the estimated completion date and still outstanding. It’s going to be a long while before DHS has its own house in order. And these are the people who are supposed to be keeping us secure?