Audit finds gaps in FEMA’s database security
Lapses leave sensitive emergency preparedness information vulnerable, inspector general says.
An audit released Monday found weaknesses in a central database used by the Federal Emergency Management Agency, meaning that sensitive information has been susceptible to hackers and attacks.
The audit, which was redacted for public release, concluded that the Homeland Security Department's Emergency Preparedness and Response Directorate failed to establish adequate or effective database security measures for its information technology network, which is called the National Emergency Management Information System. NEMIS is used by FEMA for incident tracking and coordination; allows individuals and small businesses to apply for assistance; and processes state requests for funding of hazard mitigation projects.
Auditors found at least 56 vulnerabilities, including a lack of effective procedures for granting, monitoring and removing user access. The report also cited the need for contingency training and testing to respond to an attack, and the need to provide system administrators with specialized security training.
"Due to these database security exposures, there is increased risk that unauthorized individuals could gain access to critical EP&R database resources and compromise the confidentiality, integrity and availability of sensitive NEMIS data," the report stated. "In addition, EP&R may not be able to recover NEMIS following a disaster."
The audit was conducted by the department's inspector general and was based on research and field work completed by January 2005.
In a written response to the report, department officials said that they agreed with the auditors' findings and recommendations, and had taken steps to improve security.
DHS is implementing 71 out of 100 recommendations made by the auditors, stated Barry West, FEMA's chief information officer, in an Aug. 10 letter. FEMA spokeswoman Nicol Andrews said the agency is addressing the remaining recommendations.
At the time the audit was conducted, the EP&R directorate was managed by Michael Brown, who resigned in September under mounting criticism regarding how FEMA handled the response to Hurricane Katrina.
The directorate was abolished last month, however, in favor of a new Preparedness Directorate, which will include an assistant secretary for cyber and telecommunications security. FEMA has become a stand-alone agency reporting directly to Homeland Security Secretary Michael Chertoff.
The fiscal 2006 DHS budget, which President Bush signed last month, provides $4 billion for the creation of the new preparedness directorate. Additionally, Bush recently named George Foresman to manage it. Foresman currently serves as assistant for preparedness to Virginia's governor, where he is the principal adviser and overall coordinator for homeland security, preparedness and relations with military commands and the private sector.