Information Security:
Department of Homeland Security Needs to Fully Implement Its Security Program
GAO-05-700, Jun 17, 2005
The Homeland Security Act of 2002 mandated the merging of 22 federal agencies and organizations to create the Department of Homeland Security (DHS), whose mission, in part, is to protect our homeland from threats and attacks. DHS relies on a variety of computerized information systems to support its operations. GAO was asked to review DHS's information security program. In response, GAO determined whether DHS had developed, documented, and implemented a comprehensive, departmentwide information security program.
DHS has not fully implemented a comprehensive, departmentwide information security program to protect the information and information systems that support its operations and assets. It has developed and documented departmental policies and procedures that could provide a framework for implementing such a program; however, certain departmental components have not yet fully implemented key information security practices and controls. For example, risk assessments--needed to determine what controls are necessary and what level of resources should be expended on them--were incomplete. Elements required for information system security plans--which would provide a full understanding of existing and planned information security requirements--were missing. Testing and evaluation of security controls--which are needed to determine the effectiveness of information security policies and procedures--were incomplete or not performed. Elements required for remedial action plans--which would identify the resources needed to correct or mitigate known information security weaknesses--were missing, as were elements required for continuity of operations plans to restore critical systems in case of unexpected events. In addition, DHS had not yet fully developed a complete and accurate systems inventory. Shortfalls in executing responsibilities for ensuring compliance with the information security program allowed these weaknesses to occur. Although DHS has an organization that is responsible for overseeing the component implementation of key information security practices and controls, its primary means for doing so--an enterprisewide tool--has not been reliable. Until DHS addresses weaknesses with using the tool and implements a comprehensive, departmentwide information security program, its ability to protect its information and information systems will be limited.
Recommendations for Executive Action
Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by developing, documenting, and testing continuity of operations plans.
Agency Affected: Department of Homeland Security: Directorate of Management: Chief Information Officer
Status: Closed - Implemented
Comments: Department of Homeland Security (DHS) has since developed and tested continuity of operations plans. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete continuity of operations plans with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.
Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by reporting complete remedial action plans.
Agency Affected: Department of Homeland Security: Directorate of Management: Chief Information Officer
Status: Closed - Implemented
Comments: Department of Homeland Security (DHS) has since developed and implemented complete remedial action plans. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete remedial action plans with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.
Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by fully performing testing and evaluation of security controls.
Agency Affected: Department of Homeland Security: Directorate of Management: Chief Information Officer
Status: Closed - Implemented
Comments: Department of Homeland Security (DHS) has since developed and implemented testing and evaluation of security controls. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete testing and evaluation of security controls with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.
Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by documenting comprehensive security plans.
Agency Affected: Department of Homeland Security: Directorate of Management: Chief Information Officer
Status: Closed - Implemented
Comments: Department of Homeland Security (DHS) has since developed and implemented comprehensive security plans. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete security plans with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.
Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the Chief Information Officer to instruct the Chief Information Security Officer (CISO) and component agencies to fully implement the following key information security practices and controls by developing complete risk assessments.
Agency Affected: Department of Homeland Security: Directorate of Management: Chief Information Officer
Status: Closed - Implemented
Comments: Department of Homeland Security (DHS) has since developed and implemented complete risk assessments. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete risk assessments with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.
Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the Chief Information Officer to establish milestones for completing verification of the components' reported performance data in Trusted Agent Federal Information Security Management Act.
Agency Affected: Department of Homeland Security: Directorate of Management: Chief Information Officer
Status: Closed - Implemented
Comments: Department of Homeland Security (DHS) has since followed documented processes and procedures for verification of the components' reported performance data in Trusted Agent FISMA (TAF). The DHS Inspector General verified and reported that milestones were completed in 2007 and the POA&M has been closed.