DHS’ IG office declares itself remiss on laptop PC security
An internal audit found that the office had not implemented a standard security configuration developed under NSA and DHS guidelines
- By David Hubler
- Oct 16, 2006
A two-month internal investigation found that the Homeland Security Department’s Office of Inspector General had critical vulnerabilities in unclassified and sensitive-but-unclassified laptop PCs assigned to its employees.
A DHS official speaking on background about the audit said the IG’s Office of Information Technology planned to conduct laptop security reviews in DHS’ 22 agencies and thought it would be appropriate to start at home. Specific system vulnerabilities were redacted in a recently declassified report on the audit “so as not to give too much of a road map to [certain] individuals out there in the general public,” the DHS official said.
According to the declassified report, DHS’ Computer Security Incident Response Center received reports on 12 security incidents in 2005 involving stolen DHS laptops. The thefts involved computers from Customs and Border Patrol, the Secret Service, Immigration and Customs Enforcement, and the Science and Technology Directorate.
The audit of the IG’s office, which was based on interviews with IG officials, technical tests and a review of documents, found that the office had installed many security controls, but it had not implemented a standard security configuration developed under National Security Agency and DHS guidelines to protect data on sensitive-but-unclassified and classified laptops.
Warren Suss, president of Suss Consulting, said DHS was wise to share that information with the public. “It’s not only DHS, it’s the rest of the government as well as the country that has to deal with these [security] issues,” he said.
The internal review also found that the IG’s office had not maintained an accurate inventory of its equipment, cleared sensitive data from laptops before they were reissued or applied appropriate classification labels to data.
The report recommended several measures, such as creating a new master image for sensitive-but-unclassified laptops and applying additional security controls to address the vulnerabilities identified in the review. The IG also recommended revising and testing the office’s security implementation procedures on a series of recently purchased laptops, modifying existing procedures to require the removal of hard drives from systems slated for reissue within the IG’s office, and establishing a privacy training program and training plans for the office’s employees and contractors.
One industry official defended DHS’ information security efforts, despite the recent findings. Jack Hembrough, president and chief executive officer of Application Security, said laptops are difficult to secure. He added that DHS “is doing a good job at the other end, locking down the data before it makes it onto the laptop.”
Hembrough said securing data at its entry point is a more practical measure than trying to secure it after it is on a laptop. “There are fewer sources of data than there are laptops,” he said.
David Hubler is the former print managing editor for GCN and senior editor for Washington Technology. He is freelance writer living in Annandale, Va.