IG: DHS lax on portable device security controls

Related Links

IG report

The Homeland Security Department has not deployed effective controls on portable storage devices that may be attached to its unclassified computer systems, according to an audit report from DHS Inspector General Richard Skinner released today.

“DHS has not implemented effective controls to restrict unauthorized devices from being connected to DHS’ unclassified systems,” the audit stated.
.
The proliferation of portable storage devices that include external hard drives, flash drives and jump drives has been recognized as a risk for computer security. If unauthorized devices are connected to a federal network, that may result in unauthorized access or theft of sensitive information.

During the audit, which was performed from February to May, the IG identified unauthorized data storage devices connected to departmental servers and workstations at 11 DHS component agencies, though it was not clear whether the devices were functioning or whether data had been transferred from those devices.

Skinner also found that DHS' component agencies have not complied with the Office of Management and Budget’s M-06-16 requirements issued two years ago as controls on devices to protect against the unauthorized access to federal data.

Only five of the 11 agencies implemented two-factor authentication, which typically uses both a password and a security token, and none have implemented controls to ensure that data extracts are erased in 90 days or when no longer needed, the audit stated.

Department officials agreed with most of the recommendations, but did not concur with the finding on OMB M-06-16. DHS officials said they were preparing to implement those requirements based on risk and cost analysis.

Skinner said the fixes are overdue. “We maintain our position that it has been two years since OMB’s mandated milestone has elapsed and that DHS should ensure controls outlined in OMB M-06-16 are implemented expeditiously,” he wrote.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.