DHS Top Secret System Not FISMA Ready
IG: Progress Made, But More Work Needed
In an all-too-typical good news, bad news audit, the Department of Homeland Security's inspector general says the agency's top secret/sensitive compartmented information system has made significant progress in its IT security program, but more must be done to meet requirements under the Federal Information Security Management Act.
"Overall, information security procedures have been documented and controls have been implemented, providing an effective level of security for the department's intelligence systems," according to the IG, which issued the report in February but did not publicly release a summary of its findings until Wednesday. "Yet, the department has not fully addressed the issues and remaining recommendations reported in our FY 2007 evaluation."
Specifically, the IG said, DHS must take steps to improve the development of a contingency/disaster recovery plan and testing of controls and the implementation of a formal information system security education, training and awareness program for intelligence operations and personnel.
Further, the IG reported, the Intelligence and Analysis Directorate has taken on the responsibility for reporting the Coast Guard's compliance with FISMA for its intelligence systems and should continue to provide management oversight to ensure that the Coast Guard maintains its information technology security program. The IG recommended that the undersecretary of intelligence and analysis address the open recommendations and the chief information officer address the system control issues that the IG identified during its review.
What did DHS do right?
According to the IG, DHS finalized its Sensitive Compartmented Information Systems Information Assurance Handbook, which provides department intelligence personnel with security procedures and requirements to administer its intelligence systems and the information processed. The handbook is accompanied by policies and procedures pertaining to DHS's plan of action and milestones, incident reporting and systems security plan development processes.
The IG said DHS certified and accredited its classified network extension as well as realigned the Coast Guard's intelligence systems. DHS administrators concurred with the IG's findings, and have a plan of action to remedy the remaining issues.