IG: Energy needs more protection for some data

Audit finds encryption of sensitive information on mobile devices is not always ensured

The Energy Department should take more steps to protect electronic information that is unclassified but sensitive, according to the department’s inspector general.

In a recent audit, the IG said the department hadn’t ensured that sensitive data stored on mobile devices, sent in e-mail messages, or sent to off-site backup storage is sufficiently protected by encryption, as appropriate. The IG also said one department site visited by the IG hadn’t put in place appropriate measures to protect sensitive data taken on foreign travel.

The IG's office said its testing showed the weaknesses were at least in part attributable to the failure of headquarters programs and field offices to put in place existing policies and procedures for protecting sensitive electronic information. The audit was done between July 2008 and this April.

The audit report, dated Aug. 4, said the department had made improvements in putting in place protective measures for personally identifiable information. However, the report states, “Additional action was needed to better protect all types of unclassified sensitive information, to include official use only and unclassified controlled nuclear information.”

The IG recommended that Energy officials:
  • Ensure that sensitive information on mobile devices, transmitted via electronic messages, or sent to off-site backup storage is adequately protected through encryption.
  • Ensure that sensitive information maintained on mobile computing devices taken on foreign travel is adequately protected.
  • Verify that sensitive data on computing devices is adequately protected through random checks.
  • Finish required privacy-impact assessments on systems that contain privacy information.
The Energy Department has dealt with other IT issues recently. and in this case said it partially agreed with the IG’s recommendation related to encryption. The department said taking adequate steps to ensure that there is no sensitive information on laptops or mobile devices should be sufficient without requiring encryption of all data on all devices.

In response to the IG’s recommendation regarding devices taken on foreign travel, Energy said that the level of protection should be determined by local risk analysis and that if no sensitive information is on the device, encryption probably wasn’t necessary.

In addition, the department said considering the need to perform random checks should be based on local risk analysis that takes into account the associated costs. The department concurred with the IG’s recommendation regarding privacy-impact assessments.

Meanwhile, in a separate response to a draft of the report, the department’s National Nuclear Security Administration raised a number of concerns with the “current structure of this report.” The NNSA said "sensitive electronic information" had no formal definition and different types of sensitive information discussed in the report had different protection requirements. NNSA management said the report didn’t appear to completely deal with whether the department or its contractors had adequately protected the information.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.