IG: Energy needs more protection for some data

Audit finds encryption of sensitive information on mobile devices is not always ensured

The Energy Department should take more steps to protect electronic information that is unclassified but sensitive, according to the department’s inspector general.

In a recent audit, the IG said the department hadn’t ensured that sensitive data stored on mobile devices, sent in e-mail messages, or sent to off-site backup storage is sufficiently protected by encryption, as appropriate. The IG also said one department site visited by the IG hadn’t put in place appropriate measures to protect sensitive data taken on foreign travel.

The IG's office said its testing showed the weaknesses were at least in part attributable to the failure of headquarters programs and field offices to put in place existing policies and procedures for protecting sensitive electronic information. The audit was done between July 2008 and this April.

The audit report, dated Aug. 4, said the department had made improvements in putting in place protective measures for personally identifiable information. However, the report states, “Additional action was needed to better protect all types of unclassified sensitive information, to include official use only and unclassified controlled nuclear information.”

The IG recommended that Energy officials:
  • Ensure that sensitive information on mobile devices, transmitted via electronic messages, or sent to off-site backup storage is adequately protected through encryption.
  • Ensure that sensitive information maintained on mobile computing devices taken on foreign travel is adequately protected.
  • Verify that sensitive data on computing devices is adequately protected through random checks.
  • Finish required privacy-impact assessments on systems that contain privacy information.

The Energy Department has dealt with other IT issues recently, and in this case said it partially agreed with the IG’s recommendation related to encryption. The department said taking adequate steps to ensure that there is no sensitive information on laptops or mobile devices should be sufficient without requiring encryption of all data on all devices.

In response to the IG’s recommendation regarding devices taken on foreign travel, Energy said that the level of protection should be determined by local risk analysis and that if no sensitive information is on the device, encryption probably wasn’t necessary.

In addition, the department said considering the need to perform random checks should be based on local risk analysis that takes into account the associated costs. The department concurred with the IG’s recommendation regarding privacy-impact assessments.

Meanwhile, in a separate response to a draft of the report, the department’s National Nuclear Security Administration raised a number of concerns with the “current structure of this report.” The NNSA said "sensitive electronic information" had no formal definition and different types of sensitive information discussed in the report had different protection requirements. NNSA management said the report didn’t appear to completely deal with whether the department or its contractors had adequately protected the information.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Reader comments

Thu, Aug 13, 2009

One would believe the Federal Gov't would establish a standard across all federal agencies on what and how it should be protected. DHS sends OUO and Law Enforcement data across unclassified systems all the time, DOE says OUO cannot be sent over unclass system unless encrypted. My personal belief is the Govt has a classification system and if something falls in that class then it should be classified, everything else in the Federal Govt is Official Use Only (OUO).
