The US government agency tasked with securing the nation “could protect its information and systems more fully and effectively,” according to a damning new report.
Government watchdog the Office of Inspector General (OIG) audited the Department of Homeland Security (DHS) for fiscal year 2017 only to find the department does not practice what it preaches when it comes to information security.
The DHS’ program scored only Level 3 out of a possible five on the maturity scale in three of the five areas assessed. That’s one below the target of Level 4: “managed and measurable.”
Specifically, the OIG claimed that 64 systems “lacked valid authority to operate, and components did not remediate security weaknesses” in a timely manner.
In addition, the DHS “did not implement all configuration settings required to protect component systems, continued using unsupported operating systems, and did not apply security patches timely to mitigate critical and high-risk security vulnerabilities on selected systems.” Some servers hadn’t been patched for years, the report revealed.
Given the highly classified information stored on many DHS systems and the increasing activity of nation-state operatives, such security weaknesses need to be fixed urgently.
That’s not all: the OIG also claimed that the DHS did not monitor software licenses for unclassified systems and “relied on data calls to monitor national security systems as part of its continuous monitoring process to detect potential incidents.”
Instead, it should have been using an approved enterprise management tool.
Further, the DHS “did not test all system contingency plans, develop procedures for handling sensitive information, or identify alternate facilities to recover processing in the event of service disruptions.”
The OIG claimed the “repeated deficiencies” highlighted above run counter to the President’s Cybersecurity Executive Order, and show that departmental oversight of the information security program needs to be strengthened.
“Until DHS overcomes challenges to addressing its systemic information security weaknesses, it will remain unable to ensure that its information systems adequately protect the sensitive data they store and process,” it concluded.
The DHS has agreed with the five recommendations made in the report.