Auditors: Energy lost counterspies' PCs

Department dawdled on IT standardization

The Energy
Department, which repeatedly hasbungled IT security in recent years, took two more hits fully
or partly related to problems in recent reports from its inspector
general.



DOE's
apparent loss of 14 desktop computers that had processed classified
information surfaced in a report
titled 'Internal Controls Over Computer Property at the
Department's Counterintelligence
Directorate.'



The report stated
that DOE's counterspies couldn't locate 20 desktop
computers that were part of its documented inventory. In addition
to the 14 desktops that were known to have held classified data,
the report said, 'The remaining six computers may have been
used to process such data.



'Further,
the inventory records were so imprecise and inaccurate that the
directorate had to resort to extraordinary means to locate an
additional 125 computers,' the report continued. 'Those
computers should have been readily accessible, had property record
keeping been current and complete.'



The report stated
that:




  • The
    Counterintelligence Directorate hadn't entered an additional
    57 computers in its property inventory.

  • The
    directorate's loan agreements for 96 computers that had been
    transferred from headquarters to field offices had
    expired.

  • DOE officials had
    failed to put the proper security classification labels on 74
    computers, as the department's rules require.



'Problems
with the control and accountability of desktop and laptop computers
have plagued the department for a number of years,' the
auditors observed. 'As we found in several recent reviews,
strict property management procedures need to be consistently
applied to ensure the control of sensitive property, such as
computers.'



DOE officials
concurred with several recommendations the auditors offered on the
computer inventory control issue. But the report noted that the
officials failed to provide planned corrective actions with target
completion dates, so further action by senior managers would be
necessary. DOE responded by describing actions it had taken in
response to previous, similar reports, such as appointing an
official responsible for keeping track of its inventories and
mandating the immediate reporting of property
relocations.



DOE added that
while not all its records complied with department policy, there
were records that had been created in another format.



In a secondreport, titled 'The Department's Efforts to
Implement Common Information Technology Services at
Headquarters,' the Inspector General Office said DOE
hadn't fully met its goals in adopting a common operational
environment.



The standardized
IT framework, which cost the department $980 million in fiscal
2006, calls for a consolidated environment covering desktop
support, application hosting and equipment distribution services.
Various organizations at DOE headquarters had been managing the
functions separately when the department launched the
reorganization.



The department
called the project Extended Common Integrated Technology
Environment at first but then renamed it the Department of
Energy's Common Operating Environment.



The
department's CIO is overseeing the DOE-COE project. The
IG's audit found that:




  • Five major
    organizations, accounting for 40 percent of users, or 2,473 from a
    total covered workforce of 6,199, hadn't been migrated to the
    common environment within the project's first twelve months,
    in a delay that eliminated $15 million of possible
    savings.

  • In some
    organizations, officials did not cut off services provided to
    workers who had been shifted to the new environment, a mistake that
    cost $700,000 in needless user fees and caused 'potential
    cybersecurity vulnerabilities.'



The auditors
praised the DOE for completing the migration process for 23 of the
28 organizations within headquarters. But they cautioned that their
review didn't include DOE's far-flung field
offices.



The
department's CIO office agreed with the conclusions of the
second report and described measures that it had taken to end the
problems.



inside gcn

  • artificial intelligence (ktsdesign/Shutterstock.com)

    Machine learning with limited data

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group