Fixing the DHS cybersecurity gap

Management experts aren't surprised that an audit turns up cybersecurity struggles at DHS.

The Homeland Security Department's inspector general has completed an information security audit of the agency, which shows DHS officials are still struggling with internal cybersecurity issues. But that comes as no surprise to management experts.

The public flogging of DHS and all federal agencies is fine as long as people have reasonable expectations about cybersecurity, said Paul Proctor, vice president of security and risk strategies at the META Group, an information technology and business consulting company.

"I say, keep up the hammering, but recognize that many agencies are doing the work necessary to get there eventually," Proctor said.

The report, released Oct. 27, highlights areas in which DHS officials have improved the department's information security practices and policies. But the overall tone of the report is negative. "We recommend that DHS continue to consider its information systems security program a significant deficiency" for fiscal 2004, the auditors state in the report's summary.

They conducted the information security audit between April and September, according to guidelines set by Office of Management and Budget officials. OMB officials developed the guidelines to help federal agencies comply with the Federal Information Security Management Act of 2002.

The report cites the chief information officer's lack of authority to manage DHS' departmentwide IT programs and spending as a significant factor in the department officials' struggle to secure the agency's information systems. It states that the absence of a formal reporting relationship between the CIO and the program organizations within the department continues to undermine DHS' information security program.

Lynn McNulty, director of government affairs at the International Information Systems Security Certification Consortium and a former government computer security official, was quick to defend DHS' information security efforts in light of the constraints on its CIO.

"He doesn't have command authority over what is going on in the 27 different agencies in DHS," McNulty said. "Unless they want to give him that, then all he can do is plead with them and offer constructive alternatives, but he has no mechanism to force compliance."

In a written response to the audit, Steve Cooper, DHS' CIO, said he generally concurred with the findings. He also expressed appreciation for what he described as "the open dialogue and strengthened relationship ...that have emerged in the past year" between his office and the inspector general's office.

***

Audit reveals no surprises

A new audit by the Homeland Security Department's inspector general highlights the following areas:

Progress: DHS officials have hired a contractor to develop a methodology for conducting a systems inventory across the 27 agencies that merged in March 2003 to become DHS.

Concern: The department still lacks a comprehensive inventory of its information systems, as required by the Federal Information Security Management Act of 2002.

Source: Homeland Security Department

NEXT STORY: Postal Service prized for privacy