DHS continues to improve and strengthen its information security program but components are still not executing all of the department’s policies, procedures, and practices, the DHS inspector general has said.
The IG said that over the past year the department drafted an ongoing authorization methodology, a new risk management approach intended to improve the security of its information systems, and developed and implemented the fiscal 2013 information security performance plan, which defines the performance requirements, priorities, and overall goals for the department throughout the year. DHS has also implemented trusted Internet connections, continuous monitoring of its information systems, and strong authentication.
However, the IG said systems are being operated without authority to operate; plans of action and milestones are not being created for all known information security weaknesses or mitigated in a timely manner; and baseline security configuration settings are not being implemented for all systems.
Incident detection and analysis, specialized training, account and identity management, and contingency planning also need to be improved, the IG said.
DHS agreed with recommendations to: establish a process to ensure that baseline configuration settings are implemented and maintained on all workstations and servers, including non-Windows platforms; ensure that all operational information systems have a current authorization to operate; improve the Information Security Office's planning and milestone review process to ensure that even the most sensitive systems are remediated in a timely manner and in compliance with DHS guidance; and establish enterprise-wide security training requirements to ensure that all privileged users receive the necessary role-based specialized security training.