Justice IG finds IT security vulnerabilities

The Justice Department's inspector general said that although the department has done a good job in complying with FISMA's requirements, it still has IT security vulnerabilities.

Despite getting high marks for its compliance with computer security legislation, the Justice Department had major systemic information technology vulnerabilities and did not fully implement policies and procedures meant to increase IT security, according to an audit by the department’s inspector general.

The IG found vulnerabilities that require immediate attention, including inadequate access controls and outdated security patches. The IG determined that Justice lacks effective methodologies for tracking corrective action, applying departmentwide fixes and maintaining an inventory of devices connected to the department’s various IT networks, the Dec. 12 report states. Portions of the document were redacted.

Justice received an A-plus for its compliance with the Federal Information Security Management Act (FISMA) in fiscal 2007 on an annual report card released by Rep. Tom Davis (R-Va.), ranking member of the House Oversight and Government Reform Committee. However, the department’s focus on meeting FISMA requirements might have affected its ability to secure its IT environment, according to the IG’s report.

For the audit, the Justice IG used data for calendar year 2007 and the report card issued in May 2008. In response to a draft of the report, Vance Hitch, Justice’s chief information officer, said the department has taken a number of steps to bolster IT security since the audit was conducted, including creating an IT governance structure to support the security program.

The IG said the department had documented a comprehensive IT security program, created an IT oversight council and implemented a tool to track FISMA compliance, but it still lacked an effective vulnerability management program.

“We are concerned that the security of the department’s IT systems may be compromised because of its inability to consistently and systematically mitigate identified security vulnerabilities,” the IG wrote.

According to Justice’s fiscal 2007 FISMA report to the Office of Management and Budget, the department ran 225 IT systems in fiscal 2007, and all of them were accredited at the end of the fiscal year, the IG’s report states.

“Although the department is ensuring that it meets FISMA requirements, it is still responsible for ensuring the security of the information contained within its IT systems, even if FISMA does not require a specific remediation step,” the IG wrote. “We believe that a structured process for monitoring vulnerability remediation would improve the accuracy of the department’s assessment of the security controls environment of its IT systems.”

The IG recommended that the department:

• Establish a structured process for monitoring and tracking the remediation of critical vulnerabilities identified during monthly scans.

• Ensure that the new monitoring processes conduct a detailed review and analysis of critical vulnerabilities.

• Develop a system to monitor the department’s IT environment in real time.

• Take an inventory of networked devices departmentwide.
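The first and fourth recommendations describe a process, but the core of that process is mechanical: keep a record of every finding across successive monthly scans, note when it first appeared, when it disappeared, and whether it came back, and flag critical findings that remain open past a remediation deadline, along with scanned hosts that are not in the device inventory. The following Python script is an added illustration of such a tracker; it is not code from the Justice Department or from the IG report, and the scan results, host addresses, check identifiers, inventory and 30-day deadline are all constructed assumptions.

```python
"""Track vulnerability remediation across monthly scans (added example).

All scan data, host addresses, check identifiers, the inventory and the
30-day deadline below are constructed sample input, not real findings.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical remediation deadline for critical findings, in days from the
# scan in which the finding was first (or most recently) observed.
CRITICAL_SLA_DAYS = 30


@dataclass
class Finding:
    host: str
    check: str        # scanner check identifier (constructed, e.g. "P-100")
    severity: str
    first_seen: date  # reset when a closed finding reappears
    last_seen: date
    open: bool = True
    reopened: int = 0  # how many times the finding came back after closing


def track(scans):
    """Fold chronologically ordered scans into per-(host, check) state.

    scans: list of (scan_date, [(host, check, severity), ...]).
    A finding absent from a scan is treated as remediated; if it shows up
    again later it is reopened and its clock restarts.
    """
    state = {}
    for scan_date, results in scans:
        seen = set()
        for host, check, severity in results:
            key = (host, check)
            seen.add(key)
            finding = state.get(key)
            if finding is None:
                state[key] = Finding(host, check, severity, scan_date, scan_date)
            else:
                finding.last_seen = scan_date
                if not finding.open:          # regression after a "fix"
                    finding.open = True
                    finding.reopened += 1
                    finding.first_seen = scan_date
        for key, finding in state.items():
            if finding.open and key not in seen:
                finding.open = False
    return state


def overdue_criticals(state, today):
    """Critical findings still open longer than CRITICAL_SLA_DAYS."""
    return sorted(
        (f for f in state.values()
         if f.open and f.severity == "critical"
         and (today - f.first_seen).days > CRITICAL_SLA_DAYS),
        key=lambda f: (f.host, f.check),
    )


def unknown_hosts(state, inventory):
    """Hosts that answered a scan but are not in the device inventory."""
    return sorted({f.host for f in state.values() if f.host not in inventory})


# Constructed inventory and three constructed monthly scans.
INVENTORY = {"10.0.0.5", "10.0.0.6"}
SCANS = [
    (date(2008, 10, 1), [("10.0.0.5", "P-100", "critical"),
                         ("10.0.0.5", "P-200", "medium"),
                         ("10.0.0.6", "P-100", "critical")]),
    (date(2008, 11, 1), [("10.0.0.5", "P-100", "critical"),
                         ("10.0.0.9", "P-300", "critical")]),  # host not inventoried
    (date(2008, 12, 1), [("10.0.0.5", "P-100", "critical"),
                         ("10.0.0.6", "P-100", "critical"),    # came back
                         ("10.0.0.9", "P-300", "critical")]),
]


def report(today=date(2008, 12, 12)):
    state = track(SCANS)
    return {
        "overdue": [(f.host, f.check, (today - f.first_seen).days)
                    for f in overdue_criticals(state, today)],
        "reopened": [(f.host, f.check) for f in state.values() if f.reopened],
        "unknown_hosts": unknown_hosts(state, INVENTORY),
    }


if __name__ == "__main__":
    for section, rows in report().items():
        print(section, rows)
```

The point of keeping state across scans rather than reading each month's report in isolation is that the two failure modes the IG describes, a critical finding that quietly persists and a "fixed" finding that silently returns, are only visible in the diff between scans; a host that appears in results but not in the inventory is the third signal the same data yields for free.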

In a written response to the report, Hitch said he agreed with the recommendations. He also described the steps the department has already taken or planned to take to address the issues the IG raised.

Hitch said Justice will deploy a framework to track vulnerabilities and corrective actions and will implement a tool for monitoring critical vulnerabilities.

The new framework, set to be launched by Jan. 31, 2009, will require security and operations reviews of new vulnerabilities and regular meetings to discuss them, he said.

Hitch also said Justice has had a system that provides real-time monitoring of its IT security environment since October 2007, and he considers the IG's recommendation in that area to be addressed.

Finally, Hitch said Justice is taking an inventory of all the department’s IT assets, which it will complete by Jan. 31.

The IG said that based on Justice’s responses, the report was considered resolved.