Report: DHS needs to better monitor IT security
Department must report crimes involving information systems to authorities, inspector general says.
The Homeland Security Department needs to keep closer track of its information security systems and improve training for the employees responsible for them, inspectors said in a report released Monday.
Systems that need departmentally mandated certification went unchecked, according to the report from the DHS inspector general, and contingency plans remain incomplete. In addition, staff responsible for information security must be fully trained, the report said.
Managing DHS' information technology systems is a task that requires securing nearly 700 separate operational systems.
Part of monitoring the department's operational systems entails implementing action plans and setting security goals, the report noted. Sixty-nine percent of goals set remain unsatisfied, the report said, and the department lacks the necessary resources to reach many of the milestones. Inspectors stated that they could not accurately predict how much the department must spend to meet all its goals.
The report also stated: "DHS does not have detailed documented procedures for reporting incidents to law enforcement authorities" for information security breaches. Inspectors criticized DHS failing to "[improve] its incident detection, handling and analysis procedures during the last year."
In a Sept. 18 letter to DHS' assistant inspector general for information technology, Charles Armstrong, the department's deputy chief information officer, said the report also reflected "the department's significant progress over the last year."
DHS is in the process of completing a concept of operations plan for reporting incidents to law enforcement, Armstrong wrote. This will be completed midway through fiscal 2007.
The department also sought to dispel assertions that training for employees who oversee information security was inadequate: "Individuals with significant security responsibilities receive role-based training on a case-by-case basis, in direct relation to their position, experience level and duties," Armstrong said.