IG: DHS lax on portable device security controls

Related Links

IG report

The Homeland Security Department has not deployed effective controls on portable storage devices that may be attached to its unclassified computer systems, according to an audit report from DHS Inspector General Richard Skinner released today.

“DHS has not implemented effective controls to restrict unauthorized devices from being connected to DHS’ unclassified systems,” the audit stated.
.
The proliferation of portable storage devices that include external hard drives, flash drives and jump drives has been recognized as a risk for computer security. If unauthorized devices are connected to a federal network, that may result in unauthorized access or theft of sensitive information.

During the audit, which was performed from February to May, the IG identified unauthorized data storage devices connected to departmental servers and workstations at 11 DHS component agencies, though it was not clear whether the devices were functioning or whether data had been transferred from those devices.

Skinner also found that DHS' component agencies have not complied with the Office of Management and Budget’s M-06-16 requirements issued two years ago as controls on devices to protect against the unauthorized access to federal data.

Only five of the 11 agencies implemented two-factor authentication, which typically uses both a password and a security token, and none have implemented controls to ensure that data extracts are erased in 90 days or when no longer needed, the audit stated.

Department officials agreed with most of the recommendations, but did not concur with the finding on OMB M-06-16. DHS officials said they were preparing to implement those requirements based on risk and cost analysis.

Skinner said the fixes are overdue. “We maintain our position that it has been two years since OMB’s mandated milestone has elapsed and that DHS should ensure controls outlined in OMB M-06-16 are implemented expeditiously,” he wrote.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Featured

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

  • FCW Illustration.  Original Images: Shutterstock, Airbnb

    Should federal contracting be more like Airbnb?

    Steve Kelman believes a lighter touch and a bit more trust could transform today's compliance culture.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.