The Office of the Inspector General sent this report to the Department of Homeland Security on November 9, 2013, in compliance with the Federal Information Security Management Act.
We conducted an independent evaluation of the Department of Homeland Security (DHS) information security program and practices to comply with the requirements of the Federal Information Security Management Act. In evaluating DHS' progress in implementing its agency-wide information security program, we specifically assessed the Department's plans of action and milestones, security authorization processes, and continuous monitoring programs. DHS continues to improve and strengthen its information security program. During the past year, DHS drafted an ongoing authorization methodology to help improve the security of the Department's information systems through a new risk management approach. This revised approach transitions the Department from a static, paperwork-driven security authorization process to a dynamic framework that can provide security-related information on demand, so that risk-based decisions rest on frequent updates to security plans, security assessment reports, and hardware and software inventories.
Additionally, DHS developed and implemented the Fiscal Year 2013 Information Security Performance Plan, which defines the performance requirements, priorities, and overall goals for the Department throughout the year. DHS has also taken actions to address the Administration's cybersecurity priorities, which include the implementation of trusted internet connections, continuous monitoring, and strong authentication. While these efforts have resulted in some improvements, components are still not executing all of the Department's policies, procedures, and practices. Our review identified the following more significant exceptions to a strong and effective information security program: (1) systems are being operated without authority to operate; (2) plans of action and milestones are not being created for all known information security weaknesses, or are not being mitigated in a timely manner; and (3) baseline security configuration settings are not being implemented for all systems. Additional information security program areas that need improvement include incident detection and analysis, specialized training, account and identity management, and contingency planning. Finally, the Department still needs to consolidate all of its external connections and complete the implementation of personal identity verification compliant logical access on its information systems and networks.