DHS’ IG office declares itself remiss on laptop PC security

An internal audit found that the office had not implemented a standard security configuration developed under NSA and DHS guidelines.

A two-month internal investigation found that the Homeland Security Department’s Office of Inspector General had critical vulnerabilities in unclassified and sensitive-but-unclassified laptop PCs assigned to its employees.

A DHS official speaking on background about the audit said the IG’s Office of Information Technology planned to conduct laptop security reviews in DHS’ 22 agencies and thought it would be appropriate to start at home. Specific system vulnerabilities were redacted in a recently declassified report on the audit “so as not to give too much of a road map to [certain] individuals out there in the general public,” the DHS official said.

According to the declassified report, DHS’ Computer Security Incident Response Center received reports on 12 security incidents in 2005 involving stolen DHS laptops. The thefts involved computers from Customs and Border Patrol, the Secret Service, Immigration and Customs Enforcement, and the Science and Technology Directorate.

The audit of the IG’s office, which was based on interviews with IG officials, technical tests and a review of documents, found that the office had installed many security controls, but it had not implemented a standard security configuration developed under National Security Agency and DHS guidelines to protect data on sensitive-but-unclassified and classified laptops.

Warren Suss, president of Suss Consulting, said DHS was wise to share that information with the public. “It’s not only DHS, it’s the rest of the government as well as the country that has to deal with these [security] issues,” he said.

The internal review also found that the IG’s office had not maintained an accurate inventory of its equipment, had not cleared sensitive data from laptops before reissuing them, and had not applied appropriate classification labels to data.

The report recommended several measures, such as creating a new master image for sensitive-but-unclassified laptops and applying additional security controls to address the vulnerabilities identified in the review. The IG also recommended revising and testing the office’s security implementation procedures on a series of recently purchased laptops, modifying existing procedures to require the removal of hard drives from systems slated for reissue within the IG’s office, and establishing a privacy training program and training plans for the office’s employees and contractors.

One industry official defended DHS’ information security efforts, despite the recent findings. Jack Hembrough, president and chief executive officer of Application Security, said laptops are difficult to secure. He added that DHS “is doing a good job at the other end, locking down the data before it makes it onto the laptop.”

Hembrough said securing data at its entry point is a more practical measure than trying to secure it after it is on a laptop. “There are fewer sources of data than there are laptops,” he said.