IG: DHS Needs to Tighten Websites' Controls

Auditors: Department Data Could be At Risk

The Department of Homeland Security's public-facing websites do a reasonably good job of safeguarding DHS data, but the department needs to do more to truly secure these sites, according to a just-released audit by the DHS Inspector General.
"Overall, DHS components have followed department policy when configuring operating systems supporting their websites. Recommended security settings and controls were implemented consistently on the servers reviewed. In addition, sites using electronic authentication for web-based access were properly documented according to FISMA.
"However, patch management practices and periodic security assessments were not consistently being performed, resulting in numerous critical system vulnerabilities. These vulnerabilities could put DHS data at risk. In addition, DHS can make improvements in managing its system inventory and providing technical oversight and guidance in order to evaluate the security threats to its public-facing websites."
The inspector general evaluated nine of DHS's most frequently visited public-facing websites to determine whether the department had implemented effective security controls and practices. Auditors examined the implementation of DHS's required configuration settings and its patch management practices, and performed vulnerability assessments on these websites. In addition, the inspector general reviewed documentation regarding electronic authentication for web-based access, as required by the Federal Information Security Management Act (FISMA).
As a result of the review, the IG recommended:
- Clarifying DHS's vulnerability assessment policy and guidelines to address threats specifically associated with its websites.
- Developing an inventory of the public-facing website elements of major applications and general support systems.
- Directing Customs and Border Protection to ensure its public-facing website is certified and accredited.
- Directing the Secret Service chief information officer to develop and implement a plan to move its website under DHS's security program.