IG: DHS has yet to properly secure networks

Inspector general report notes some progress in security program, but cites a lack of execution.

The Homeland Security Department, chastised by Congress and security experts for having some of the worst information security practices in government, has improved its security plan and policies but now must begin deploying its plan, according to a report recently released by the department's inspector general.

"The department continues to improve and strengthen its security program," the IG concluded. "During the past year, the department implemented a performance plan to measure the component's progress toward full compliance with its information security program. The performance plan tracks key elements indicative of a strong, functioning security program."

But the IG also concluded that despite "this oversight, components are again not executing all of the department's policies, procedures and practices."

According to the report, DHS has accredited systems without ensuring that proper security checks have been conducted. In addition, plans of action and milestones that are in DHS' information security program do not address all of the information security weaknesses, nor is DHS monitoring or resolving the weaknesses in a timely manner. The IG also found that baseline security configurations are not being implemented for all systems.

"What [this report shows] is progress by DHS on developing and implementing management-level policy guidance on information security," said Andrew Howell, partner with Monument Policy Group and former homeland security director for the U.S. Chamber of Commerce.

But Howell added that putting the security plan into practice will be the real test of whether DHS can secure its systems. "Implementation is now the key," he said. "It will be most interesting to see what happens over the next year, as DHS focuses on implementing improvements identified by the IG, and information security managers have some experience enacting these new policies, particularly since many of them were rolled out in 2007."

The IG offered five recommendations to DHS Chief Information Officer Scott Charbo to accelerate progress in implementing the information security program. Among them is improving the review process to ensure that all DHS information security objectives are complete, accurate and current, and that all certification and accreditation documents are properly prepared before a system is accepted by the chief information security officer.

The CIO, the IG stated, also should establish a process to ensure that configuration requirements are implemented and maintained on all systems; deploy a departmentwide vulnerability assessment program to test DHS' security posture; and establish appropriate training for all individuals with significant security responsibilities.
