IG: Energy needs more protection for some data

Audit finds encryption of sensitive information on mobile devices is not always ensured

The Energy Department should take more steps to protect electronic information that is unclassified but sensitive, according to the department’s inspector general.

In a recent audit, the IG said the department hadn’t ensured that sensitive data stored on mobile devices, sent in e-mail messages, or sent to off-site backup storage is sufficiently protected by encryption, as appropriate. The IG also said one department site visited by the IG hadn’t put in place appropriate measures to protect sensitive data taken on foreign travel.

The IG's office said its testing showed the weaknesses were at least in part attributable to the failure of headquarters programs and field offices to put in place existing policies and procedures for protecting sensitive electronic information. The audit was done between July 2008 and this April.

The audit report, dated Aug. 4, said the department had made improvements in putting in place protective measures for personally identifiable information. However, the report states, “Additional action was needed to better protect all types of unclassified sensitive information, to include official use only and unclassified controlled nuclear information.”

The IG recommended that Energy officials:
  • Ensure that sensitive information on mobile devices, transmitted via electronic messages, or sent to off-site backup storage is adequately protected through encryption.
  • Ensure that sensitive information maintained on mobile computing devices taken on foreign travel is adequately protected.
  • Verify that sensitive data on computing devices is adequately protected through random checks.
  • Finish required privacy-impact assessments on systems that contain privacy information.
The Energy Department has dealt with other IT issues recently. and in this case said it partially agreed with the IG’s recommendation related to encryption. The department said taking adequate steps to ensure that there is no sensitive information on laptops or mobile devices should be sufficient without requiring encryption of all data on all devices.

In response to the IG’s recommendation regarding devices taken on foreign travel, Energy said that the level of protection should be determined by local risk analysis and that if no sensitive information is on the device, encryption probably wasn’t necessary.

In addition, the department said considering the need to perform random checks should be based on local risk analysis that takes into account the associated costs. The department concurred with the IG’s recommendation regarding privacy-impact assessments.

Meanwhile, in a separate response to a draft of the report, the department’s National Nuclear Security Administration raised a number of concerns with the “current structure of this report.” The NNSA said "sensitive electronic information" had no formal definition and different types of sensitive information discussed in the report had different protection requirements. NNSA management said the report didn’t appear to completely deal with whether the department or its contractors had adequately protected the information.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.