TRENDING:

IG: DHS Needs to Tighten Websites' Controls

Auditors: Department Data Could be At Risk Eric Chabrow (GovInfoSecurity) • October 8, 2009     The Department of Homeland Security public-facing websites do a pretty good job safeguarding DHS data, but needs to do more to truly secure these sites, according to a just-released audit by the DHS Inspector General.

"Overall, DHS components have followed department policy when configuring operating systems supporting their websites. Recommended security settings and controls were implemented consistently on the servers reviewed. In addition, sites using electronic authentication for web-based access were properly documented according to FISMA.

"However, patch management practices and periodic security assessments were not consistently being performed, resulting in numerous critical system vulnerabilities. These vulnerabilities could put DHS data at risk. In addition, DHS can make improvements in managing its system inventory and providing technical oversight and guidance in order to evaluate the security threats to its public-facing websites."

The inspector general evaluated nine of DHS's most frequently visited public-facing websites to determine whether the department had implemented effective security controls and practices. Auditors examined the implementation of DHS's required configuration settings and patch management practices. They also performed vulnerability assessments on these websites. In addition, the inspector general reviewed documentation regarding electronic authentication for web-based access, as detailed in the Federal Information Security Management Act .

As a result of the review, the IG recommended:

  • Clarifying DHS's vulnerability assessment policy and guidelines to address threats specifically associated with its websites.

  • Developing an inventory of the public-facing website elements of major applications and general support systems.

  • Directing Customs and Border Protection to ensure its public-facing website is certified and accredited.

  • Directing the Secret Service chief information officer to develop and implement a plan to move its website under DHS's security program.
Previous
Phishing Sites Masking as IRS Soar
Next
Aggressive Cyber Offense Questioned

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



Around the Network

Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.