DHS needs better information security practices, audit says
The Department of Homeland Security needs to up its game on information security, according to an audit released last week.
Private sector auditor KPMG conducted after-hours walkthroughs of employee workstations in the department’s Office of Financial Management and the Office of the Chief Information Officer, and found sensitive information — like passwords — left out and unattended.
Auditors also found unsecured government-issued laptops and mobile devices. Of the 69 workstations KPMG inspected, three breached DHS information security policy.
The audit, conducted during fiscal 2016, also reviewed DHS financial statements and found that both the OFM and OCIO use password configurations that don’t meet agency standards.
While KPMG found the physical security behavior certainly needs improvement, it did take care to note that the three unsecured workstations don’t necessarily reveal a workplace-wide trend. “The selection of inspected areas was not statistically derived; therefore, the results described here should not be used to extrapolate to OFM and OCIO as a whole,” the report says.
A separate KPMG audit, also released last week, surveyed DHS’ National Protection and Programs Directorate, and found similar information security weaknesses. For example, the report notes, account management policies at the directorate are too vague.
“Account management policies did not exist or were lacking sufficient detail in areas such as segregation of duties, recertification, elevated privileges, and disabling accounts upon user separation,” the audit states.
According to the auditors, this issue and others “collectively limited NPPD’s ability to ensure that critical financial and operational data were maintained in such a manner as to ensure their confidentiality, integrity, and availability.”
