The Department of Homeland Security has not fully
implemented a comprehensive information security program
to protect information and information systems, the
Government Accountability Office has said.
It said the department has developed and documented a
framework for implementing such a program but that certain
components have not fully implemented key information
security practices and controls.
Risk assessments, needed to determine necessary levels of
control and resources, have been incomplete, and elements
needed to provide a full understanding of existing and
planned information security requirements are missing,
according to GAO-05-700.
Further, it said testing and evaluation of security
controls were incomplete or not performed.
Other elements required for remedial action plans that
would identify resources needed to correct security
weaknesses are missing, and DHS “has not yet fully
developed a complete and accurate systems inventory,”
the report said.
The department’s enterprise-wide tool for overseeing
the component implementation of information security
practices and controls “has not been reliable,” said
GAO, which attributed the weaknesses to “shortfalls in
executing responsibilities for ensuring compliance”
with the program.
“Until DHS addresses weaknesses with using the tool
and implements a comprehensive, department-wide
information security program,” it will be held back,
said GAO.
It recommended that DHS fully implement key
information security practices and controls, and
establish milestones for developing a comprehensive
information systems inventory.