IG: Energy needs more protection for some data

Audit finds encryption of sensitive information on mobile devices is not always ensured

The Energy Department should take more steps to protect electronic information that is unclassified but sensitive, according to the department’s inspector general.

In a recent audit, the IG said the department hadn’t ensured that sensitive data stored on mobile devices, sent in e-mail messages, or sent to off-site backup storage is sufficiently protected by encryption, as appropriate. The IG also said one department site visited by the IG hadn’t put in place appropriate measures to protect sensitive data taken on foreign travel.

The IG's office said its testing showed the weaknesses were at least in part attributable to the failure of headquarters programs and field offices to put in place existing policies and procedures for protecting sensitive electronic information. The audit was done between July 2008 and this April.

The audit report, dated Aug. 4, said the department had made improvements in putting in place protective measures for personally identifiable information. However, the report states, “Additional action was needed to better protect all types of unclassified sensitive information, to include official use only and unclassified controlled nuclear information.”

The IG recommended that Energy officials:
  • Ensure that sensitive information on mobile devices, transmitted via electronic messages, or sent to off-site backup storage is adequately protected through encryption.
  • Ensure that sensitive information maintained on mobile computing devices taken on foreign travel is adequately protected.
  • Verify that sensitive data on computing devices is adequately protected through random checks.
  • Finish required privacy-impact assessments on systems that contain privacy information.
The Energy Department has dealt with other IT issues recently. and in this case said it partially agreed with the IG’s recommendation related to encryption. The department said taking adequate steps to ensure that there is no sensitive information on laptops or mobile devices should be sufficient without requiring encryption of all data on all devices.

In response to the IG’s recommendation regarding devices taken on foreign travel, Energy said that the level of protection should be determined by local risk analysis and that if no sensitive information is on the device, encryption probably wasn’t necessary.

In addition, the department said considering the need to perform random checks should be based on local risk analysis that takes into account the associated costs. The department concurred with the IG’s recommendation regarding privacy-impact assessments.

Meanwhile, in a separate response to a draft of the report, the department’s National Nuclear Security Administration raised a number of concerns with the “current structure of this report.” The NNSA said "sensitive electronic information" had no formal definition and different types of sensitive information discussed in the report had different protection requirements. NNSA management said the report didn’t appear to completely deal with whether the department or its contractors had adequately protected the information.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.