IG: DHS lax on portable device security controls

The Homeland Security Department has not deployed effective controls on portable storage devices that may be attached to its unclassified computer systems, according to an audit report from DHS Inspector General Richard Skinner released today. “DHS has not implemented effective controls to restrict unauthorized devices from being connected to DHS’ unclassified systems,” the audit stated. . The proliferation of portable storage devices that include external hard drives, flash drives and jump drives has been recognized as a risk for computer security. If unauthorized devices are connected to a federal network, that may result in unauthorized access or theft of sensitive information. During the audit, which was performed from February to May, the IG identified unauthorized data storage devices connected to departmental servers and workstations at 11 DHS component agencies, though it was not clear whether the devices were functioning or whether data had been transferred from those devices. Skinner also found that DHS' component agencies have not complied with the Office of Management and Budget’s M-06-16 requirements issued two years ago as controls on devices to protect against the unauthorized access to federal data. Only five of the 11 agencies implemented two-factor authentication, which typically uses both a password and a security token, and none have implemented controls to ensure that data extracts are erased in 90 days or when no longer needed, the audit stated. Department officials agreed with most of the recommendations, but did not concur with the finding on OMB M-06-16. DHS officials said they were preparing to implement those requirements based on risk and cost analysis. Skinner said the fixes are overdue. “We maintain our position that it has been two years since OMB’s mandated milestone has elapsed and that DHS should ensure controls outlined in OMB M-06-16 are implemented expeditiously,” he wrote.