DHS Cyber Security Audit FAIL

Thursday, October 20, 2011

A new report warns that the Department of Homeland Security (DHS) is falling short on some cybersecurity protocols.

The news of cybersecurity shortcomings at the agency is more than slightly concerning, as DHS has been tapped to lead information security efforts nationally for both the public and private sectors.

The report, titled DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems, indicates that the DHS has failed a security audit conducted by the agency's own Inspector General:

The objective of our audit was to determine whether adequate physical and logical access controls are in place to secure the cybersecurity program systems utilized by US-CERT and safeguard the data collected and disseminated by US-CERT. Specifically, we:

  • Determined what cybersecurity data is collected and maintained by US-CERT, and how
  • Evaluated the adequacy of physical security controls implemented to protect NCSD's cybersecurity program systems
  • Determined whether US-CERT has implemented effective system security controls to safeguard the confidentiality, integrity, and availability of cybersecurity data
  • Determined whether the system documentation for DHS' cybersecurity program systems has been completed in compliance with DHS and FISMA requirements

"Adequate security controls have not been implemented on the [Mission Operating Environment] to protect the data processed from unauthorized access, use, disclosure, disruption, modification, or destruction," the IG concluded.

The report indicates that DHS US-CERT is grappling with more than six hundred network vulnerabilities, more than two hundred of which have been identified as critical.

"The results of our vulnerability assessments revealed that [National Cyber Security Division] is not applying timely security and software patches on the [Mission Operating Environment]," the report continued.

DHS indicated that the agency has implemented "a software management tool [to] automatically deploy operating-system and application-security patches and updates to mitigate current and future vulnerabilities," according to a statement by DHS spokeswoman Amy Kudwa.

Gabriel Bassett: Do inspector general type auditors EVER pass ANYONE?
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.