Information security staff in U.S. embassies and consulates are falling down on the job, according to an inspector general’s audit out this week.
State’s internal auditors reviewed information security at 51 overseas posts between fiscal years 2014 and 2016 and found one-third of them, 17 posts, weren’t performing basic tasks such as regularly analyzing information systems or reviewing email systems, user libraries, servers and hard drives for indications of inappropriate activity.
In some cases, information security leaders weren’t performing these audits because competing priorities were eating up their time. In other cases, supervisors weren’t ensuring responsible staff were getting the job done, the report found.
“Failure by overseas information management personnel to perform information systems security duties creates vulnerabilities for department networks,” the audit states.
State’s Bureau of Diplomatic Security, which manages embassy security, found vulnerabilities in overseas email systems during 2016 that could have been prevented with better monitoring and reviews, the report said.
The auditor recommends State’s Bureau of Information Resource Management, the department’s main IT wing, should create a plan to enforce regular information security checks at overseas posts, the auditor recommends.
IRM responded it has limited ability to ensure such a plan is implemented because overseas information security workers report through centralized regional bureaus. The information bureau plans to work with the regional bureaus on ensuring implementation, though, the report said.