Review: Security flaws place DHS inspectors’ laptops at risk

Weak inventory procedures and security policies contribute to vulnerability of inspector general laptops containing sensitive information.

The Homeland Security Department inspector general's office has not taken the necessary steps to properly secure laptop computers holding sensitive and classified information, a report released Monday stated.

The heavily redacted Aug. 8 report from Frank Deffer, assistant inspector general for information technology at DHS, said considerable risks remain despite the many essential security controls in place, including adequate physical security. Most examples of inconsistent security practices were redacted.

The report said that stolen or missing laptops are not consistently reported through the chain of command to DHS' Computer Security Incident Response Center. This included a stolen IG laptop in 2005.

"Because the OIG had not reported the security incident to the DHS CSIRC, senior DHS officials may not be aware of the extent or scope of laptop security issues at the department," the reviewers stated.

While the IG office has procedures to make sure employees return office laptops, it has not sanitized machines holding "sensitive but unclassified" information before reissuing them. The required sanitization process overwrites the hard drive three times.
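The three-pass overwrite the report calls for, as an added example that is not code from the report or the article: it wipes a temporary file standing in for a laptop drive with zeros, then ones, then pseudorandom data, and reads each pass back to confirm it landed. The file path, the sample "SBU" content and the 1 MiB chunk size are assumptions made for illustration. One caveat a practitioner would add: overwriting through the operating system only reaches sectors the drive still maps, so remapped bad sectors and, on flash media, wear-levelled or over-provisioned blocks can retain data; NIST SP 800-88 treats a single pass as sufficient for modern magnetic drives and points to ATA Secure Erase or cryptographic erase for SSDs.

```python
"""Three-pass overwrite with read-back verification (added example)."""
import os
import random
import secrets
import tempfile

CHUNK = 1 << 20  # write/verify granularity in bytes (assumed; any size works)


def _overwrite(path, size, gen):
    """Overwrite the first `size` bytes of `path` with data produced by gen(n)."""
    with open(path, "r+b") as f:
        done = 0
        while done < size:
            n = min(CHUNK, size - done)
            f.write(gen(n))
            done += n
        f.flush()
        os.fsync(f.fileno())  # push the pass to the medium before verifying


def _verify(path, size, expect):
    """Read the medium back and confirm every chunk equals expect(n)."""
    with open(path, "rb") as f:
        done = 0
        while done < size:
            n = min(CHUNK, size - done)
            buf = f.read(n)
            if len(buf) != n or buf != expect(n):
                return False
            done += n
    return True


def three_pass_overwrite(path):
    """Zeros, then ones, then pseudorandom data; each pass is read back.

    Returns {pass_name: verified}. Any False means the pass did not land as
    written and the drive must not be reissued.
    """
    size = os.path.getsize(path)
    seed = secrets.token_bytes(32)
    # Two PRNGs with one seed: the first emits the random pass, the second
    # regenerates the identical stream so the pass can be verified.
    writer, reader = random.Random(seed), random.Random(seed)
    passes = [
        ("zeros", lambda n: b"\x00" * n, lambda n: b"\x00" * n),
        ("ones", lambda n: b"\xff" * n, lambda n: b"\xff" * n),
        ("random", writer.randbytes, reader.randbytes),
    ]
    results = {}
    for name, gen, expect in passes:
        _overwrite(path, size, gen)
        results[name] = _verify(path, size, expect)
    return results


def demo():
    """Constructed stand-in for a laptop drive: a temp file holding 'SBU' text."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    with open(path, "wb") as f:
        f.write(b"SBU: case file 12345 " * 4096)  # constructed sample, not real data
    try:
        results = three_pass_overwrite(path)
        with open(path, "rb") as f:
            still_present = b"case file" in f.read()
    finally:
        os.remove(path)
    return results, still_present


if __name__ == "__main__":
    print(demo())
```

The verification step is the part that matters operationally: a wipe that is not read back is an assumption, not evidence, and the inventory problems described elsewhere in the report mean the office could not even say which drives should have been checked.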

Auditors reviewed an inventory of office laptops and tested 94 designated "sensitive but unclassified" and eight designated as classified. The inventory contained numerous discrepancies, according to the report.

Fifty of the office's 395 laptops lacked proper labels and another 46 were missing identification numbers. Six of the 94 "sensitive but unclassified" laptops tested and two of the eight classified laptops were not included in the inventory.

"Without an accurate and current inventory, the OIG may be unaware of additional laptops that are missing," the report stated.

The office also has failed to fulfill its requirements under the 2002 Federal Information Security Management Act and has not developed an effective way to update security software on laptops that do not regularly connect to the office network, the report said.

Nineteen of the laptops tested as part of the review were missing more than three patches, the audit said.

In addition, the IG office has not fully implemented its standard computer security package that includes configuration settings and security software, the report stated. A list of critical elements missing from the security package was redacted. The report stated that the IG office plans to formally accept these known risks.

In a response to the findings, Edward Cincinnati, assistant inspector general for administration, concurred with the auditors' recommendations and said his office is in the process of making changes.