DHS said it agreed with the recommendations and is in the process of implementing corrective measures.
DHS continues to improve the action plan and milestone process and will increase its focus on quality and timeliness in fiscal 2007, and it recently changed the personnel responsible for validating its C-and-A documents to provide additional quality assurance safeguards, adjustments the IG said were adequate.
The department plans to improve its vulnerability management as part of its enterprise Network Operations Center-Security Operations Center (NOC-SOC) in fiscal 2007. A Concept of Operations (CONOPS) for the NOC-SOC, which will provide detailed guidance, is under development and will be completed by March 30, 2007, according to the report.
However, the IG maintained that a department-wide incident analysis process and vulnerability program should be part of the NOC-SOC.
DHS plans to improve its security incident analysis and reporting with the implementation of its enterprise NOC-SOC CONOPS in fiscal 2007, though the IG stated that the CSIRC should ensure that all incidents are reported, something the department did not address.
While the CISO provides specialized security training during its annual security conference and individuals receive role-based training on a case-by-case basis, DHS still needs to establish appropriate training for all individuals with significant security responsibilities and ensure that these individuals complete the required training, the IG said in response to management’s comments on the report.