By SecureWorld News Team
Tue | Jan 24, 2017 | 2:24 PM PST

A special report from the Office of Inspector General (OIG) of the U.S. Department of Homeland Security shows that DHS components are not fully compliant with the requirements of the Federal Information Security Modernization Act of 2014 (FISMA).

Not only were policies and procedures not being followed completely or on time, but 79 unclassified systems were operating with expired authorities to operate. The department also had not yet routed all of its traffic through trusted internet connections and was still running unsupported operating systems, putting its data at risk.

In response, the report gave four recommendations to Jeffrey Eisensmith, the Chief Information Security Officer for DHS:

"We recommended that DHS further strengthen its oversight of the Department’s information security program in the areas of continuous monitoring, plan of action and milestones, security authorization, and configuration management."

However, some of these directives, such as routing all traffic through trusted internet connections, were first issued on July 22, 2015, in response to cyber attacks on government systems, with a 30-day deadline for completion.

And while the report notes that progress has been made, it is still issuing the same recommendations a year and a half later.

Even worse, the investigation found that one DHS classified system was still running Windows Server 2003, which Microsoft stopped supporting in July 2015, and that of 100 configuration settings checked on Unix servers, only 65 met even the baseline requirements.

Even so, the report found that DHS had begun to address all four recommendations through the corrective steps it plans to take.

For the sake of us all, let's hope this time around these security policies are actually fulfilled.

Tags: DHS, GRC