Report: DHS must do more to protect personal info

The Homeland Security Department is not doing enough to protect personal identifying information within its computer systems, according to a new report from DHS Inspector General Richard L. Skinner.

Personal identifying information is any information that can be used to identify a person. It includes, for example, full name, telephone number, e-mail address, credit card numbers and date of birth.

While the department has performed draft assessments of privacy impacts and risks to most of its 699 systems, the final validations and approvals by the DHS Privacy Office are not yet complete, the report said.

Of the 699 computer systems within the department, 95 percent or more had been subjected to a security plan, security categorization and draft privacy threshold assessment as of September 2006, the report said. Eighty-five percent had completed a risk assessment.

But only 155 systems, or 23 percent, of those assessments and plans were validated by the privacy office as of that date. Of the 52 systems required to be covered by a Privacy Impact Assessment, only 20 of those assessments were approved as of September 2006, the inspector general said.

'Until DHS completes and validates the security documentation, privacy threshold assessments and privacy impact assessments for its systems and programs, the department lacks assurance that the risks associated with sensitive data and personal identifying information have been determined and appropriate security controls have been identified,' the report said.

DHS also needs to complete encryptions of data on laptop computers and to strengthen protections of data during storage, and in transit, the 26-page report concludes.

Alice Lipowicz is a staff writer for Government Computer News' affiliate publication, Washington Technology.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.


  • Records management: Look beyond the NARA mandates

    Records management is about to get harder

    New collaboration technologies ramped up in the wake of the pandemic have introduced some new challenges.

  • puzzled employee (fizkes/

    Phish Scale: Weighing the threat from email scammers

    The National Institute of Standards and Technology’s Phish Scale quantifies characteristics of phishing emails that are likely to trick users.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.