In a report released last week, the U.S. Department of Homeland Security's Office of the Inspector General, which is responsible for auditing the agency's IT security practices, took itself to task for doing a poor job of protecting sensitive data on laptop PCs.
Based on an audit of 94 "sensitive but unclassified" laptops, "significant work remains to be done" by the inspector general's office in the areas of configuration, patch and inventory management, the report said.
For instance, the inspector general's office has failed to implement a standard laptop configuration that meets federal security requirements, according to the report. Nearly 40 percent of the tested laptops were found to have vulnerabilities because they didn't meet the configuration requirements.
Similarly, procedures for patching laptops that are regularly connected to the inspector general's network were found to be lacking. The audit showed that the inspector general's office had procedures for ensuring that systems were fully patched before being put into use, but no process for identifying important patches and updates on an ongoing basis once those systems were deployed. As a result, the report said, some patches for medium- and high-risk threats were never applied to laptops.
About 20 percent of the laptops that were surveyed had three or more missing patches, while two loaner machines and two "secondary laptops" were missing a total of 160 patches for medium- and high-risk threats between them, the report said.
The report, written by Frank Deffer, assistant inspector general for IT at the DHS, was released on a classified basis in August and kept secret until last Monday, when it was posted on the inspector general's Web site. Substantial amounts of information were redacted from the unclassified version of the report.
Pete Lindstrom, an analyst at Burton Group in Midvale, Utah, said the report's findings aren't surprising given that such vulnerabilities are likely to exist in most organizations. The shortcomings identified in the internal audit are "key indicators of security, but they don't necessarily indicate the level of risk" that the inspector general's office faces, he added. "For that, you have to also evaluate the sensitivity of the content on the laptops."
The inspector general's office shouldn't be expected to be any different from other government operations when it comes to security weaknesses, said Jonathan Penn, an analyst at Forrester Research Inc. "The problem isn't lack of awareness at an executive level," he said. The solution is funding for technology and more effective worker training, Penn added.
The report said the inspector general's office needs to fix the configuration vulnerabilities, and it recommended procedures for better configuration management and the deployment of an "enterprise property management system" for tracking inventories of IT equipment across the DHS.
In a written response dated June 14, a DHS official said the CIO in the inspector general's office concurs with the recommendations and has set a plan for addressing the various issues. Measures that had already been taken or were being implemented include the creation of a "master image" configuration for unclassified laptops and the adoption of new rules requiring the removal and sanitization of hard drives from systems slated for reuse, the official wrote.