DHS IT security spanked again
- By Wilson P. Dizard III
- Jan 24, 2006
The Homeland Security Department's forlorn IT security came in for another pasting today from the department's inspector general and from Sen. Judd Gregg (R-N.H.), chairman of the Senate Appropriations Subcommittee on Homeland Security.
The department's IT security has been the subject of several critical reports and evaluations, and DHS has earned three consecutive failing grades
in its annual IT security evaluation under the Federal Information Systems Management Act.
Department officials said they would reserve at least part of their response to Gregg's comments on what he called the 'disturbing IG reports on weaknesses in DHS operations' until a hearing tomorrow morning in the senator's subcommittee about the U.S. Visitor and Immigrant Status Indicator Technology system. U.S. Visit program manager Jim Williams and Government Accountability Office architecture expert Randy Hite are slated to testify at the hearing.
Gregg praised DHS officials for pledging to address the problems raised in the three reports. Homeland Security CIO Scott Charbo responded to the reports with detailed letters describing DHS' plans to improve database security and the management of the department's OneNet network.
DHS officials responsible for IT used in border security, which formerly fell under the authority of the now-dissolved Border and Transportation Security Directorate, submitted a detailed reply to an IG report on border systems.
Gregg issued comments in a press release on three IG reports, with the following titles:
- Management of the DHS Wide Area Network Needs Improvement
- Security Weaknesses Increase Risks to Critical DHS Databases and
- U.S. Visit System Security Management Needs Strengthening.
Gregg said that during a time when the government is spending billions on security, it is unacceptable that DHS has failed to properly manage and secure its systems.
'The reports of threats posed by holes in the department's information technology and infrastructure are a concern,' Gregg said in his statement. 'The U.S. Visit program, for example, is a major IT investment, and the department must concentrate on this program operating effectively.'
The IG reports include extensive blank spaces that omit sensitive IT security information about issues such as database configuration guidelines and database security and audit trail procedures. DHS also blanked out the locations of DHS database facilities in six states.
The IG reported that DHS officials have not yet fully aligned their databases with FISMA procedures, failing, for example, to test and evaluate security controls, to integrate security control costs into system life cycle costs and to provide specialized security training to system administrators.
The auditors said DHS had not followed its own procedures to clear an upgrade of the department's wide area network, and had relied on a network security operation at Immigration and Customs Enforcement rather than creating a separate security operations center. They pointed out ineffective network monitoring and the lack of interconnection service agreements as additional problems with the WAN.