An audit at DHS has found that even some employees of the CIO’s office, who presumably would be among the most security conscious of all, left devices and information vulnerable to unauthorized access.

An outside auditor working for the IG’s office tested what it called “non-technical information security procedures” in the CIO office and the office of financial management. That consisted of an after-hours walkthrough of cubicles, offices, shared workspaces, and common areas to determine whether employees had complied with requirements for safeguarding sensitive material or assets from unauthorized access or disclosure.

Of 89 workspaces, the auditors found that three had materials such as laptops, mobile devices, or storage media unattended and unsecured. Vulnerable information included system passwords, information marked sensitive but unclassified, and documents containing sensitive personally identifiable information.

The report said the results could not be projected more broadly because the selection of areas inspected was not designed to be statistically valid.