Homeland Security IG reports security gaps in portable storage devices

The Homeland Security Department has ineffective security controls for portable electronic storage devices such as flash drives, external hard drives and iPods, according to a new report from DHS' inspector general.

Comment on this article in The Forum.Auditors found that Homeland Security has not complied with an Office of Management and Budget memorandum (M-06-16) that directed agencies to encrypt data on mobile computers and devices, require two-factor authentication for remote access, implement a time-out function that kicks in after 30 minutes of inactivity and verify that all sensitive data downloaded is erased within 90 days. The deadline for implementing these protections was August 2006.

The IG also found several instances where unauthorized devices were connected to the department's unclassified networks.

This "is an indication that the controls implemented may not be effective," stated the report, released on Oct. 15. "Unless effective controls are implemented, increased risks exist for the potential mishandling or misuse of DHS' sensitive information stored on portable storage devices."

The IG noted that few Homeland Security agencies perform scans to determine whether unauthorized devices have accessed their networks. Those that do lack a set schedule for running the checks.

The department is working on a technical solution that would automatically encrypt any recordable media such as USB flash drives, music players, CDs and DVDs inserted into a Homeland Security system. Once the encryption was applied, users could access sensitive information stored on the devices only when they were connected to DHS systems. According to department officials, the new solution would be cheaper than purchasing storage devices with biometric authentication and should eliminate the need to maintain an inventory of authorized devices. But there is no timeline for implementing this solution.

The report recommended that Homeland Security's chief information officer establish a process to ensure only authorized devices can connect to DHS systems and provide training on the risks of such devices. Auditors also said the department should impose "stringent technical controls" to ensure that unauthorized devices are not hooked up to the network.

DHS concurred with the recommendations except one stating the CIO should direct additional resources to fulfilling the mandate of M-06-16. But the IG noted that it has been two years since the deadline for complying with the memorandum passed and "DHS should ensure controls outlined in OMB M-06-16 are implemented expeditiously."