DHS Cybersecurity Review Shows Improvement but Some Significant Issues

The review found some exceptions to having a strong and effective information security program, the most significant issues of which are the same ones that face most large enterprises: there are too many systems being operated without authority to operate; plans of action and milestones are not being created for all known information security weaknesses or mitigated in a timely manner; and baseline security configuration settings are not being implemented for all systems.

Additional information security program areas that need improvement include incident detection and analysis, specialized training, account and identity management, and contingency planning.

Finally, the review noted that DHS still needs to consolidate all of its external connections, and complete the implementation of personal identity verification-compliant logical access on its information systems and networks.

It’s not all bad news though. “DHS continues to improve and strengthen its information security program,” the Inspector General said in the report. “During the past year, DHS drafted an ongoing authorization methodology to help improve the security of the Department’s information systems through a new risk management approach. This revised approach transitions the Department from a static, paperwork-driven, security authorization process to a dynamic framework that can provide security-related information on demand to make risk-based decisions based on frequent updates to security plans, security assessment reports, and hardware and software inventories.”

The report also noted that DHS has developed and implemented the Fiscal Year 2013 Information Security Performance Plan, which defines the performance requirements, priorities and overall goals for the Department throughout the year. DHS has also taken actions to address the Administration’s cybersecurity priorities, which include the implementation of trusted internet connections, continuous monitoring and strong authentication.

The Inspector General made five recommendations to the department's CISO. DHS concurred with all of them and has begun taking action to implement them.

The first recommendation is for DHS to establish a process to ensure that baseline configuration settings are being implemented and maintained on all workstations and servers, including non-Windows platforms. During 2013, DHS completed major steps toward achieving this goal, with 11 out of 12 components now using the approved baseline configuration settings. The rigor of configuration management will be increased next year by expanding relevant scorecard metrics to include devices beyond Windows platforms. The DHS FY 2014 Information Security Scorecard will employ continuous monitoring data feeds from component tools as well, to monitor the implementation of baseline configuration settings.

The second recommendation, to ensure that all operational information systems have a current authorization to operate, will be implemented using a new security authorization tool with more dynamic settings to improve stakeholders' visibility into the security posture of operational information systems. The FY 2014 Information Security Scorecard will also continue to monitor and communicate the authorization status of these systems.

A third recommendation is to improve the ISO's Plans of Action and Milestones (POA&M) review process to ensure that all POA&Ms, including Top Secret systems, are remediated in a timely manner and in compliance with DHS guidance. ISO is exploring options within the new automated compliance tool that may be leveraged to improve the POA&M review process, to be implemented by February 28, 2014.

Recommendation No. 4 is to establish enterprise-wide security training requirements to ensure all privileged users receive necessary role-based specialized security training. To this end, the DHS ISO will seek to better address privileged user role-based specialized security training requirements. The privileged user training metric in the FY 2014 Performance Plan will be enhanced by tracking specific categories of privileged users such as database administrators or system administrators, by March 31, 2014.

The last recommendation is to strengthen the department's oversight of its Top Secret systems by performing critical control reviews on selected systems to ensure the required controls are implemented. Next year, the DHS ISO will conduct modified critical control reviews of select systems, to act as external "spot checks" that will accompany existing active on-site quality reviews of security authorization and facts of these systems. This will be complete by August 31, 2014.
