Laptop security gaps found in DHS inspector general's office

Computerworld - The U.S. Department of Homeland Security's office of the inspector general, which is responsible for auditing the department's information security practices, is itself doing a poor job protecting sensitive data on laptops computers.

That's the conclusion of a report based on a survey of nearly 100 "Sensitive But Unclassified" laptops at the inspector general's office by Frank Deffer, the department's assistant inspector general for IT. The classified report was first published in August but was recently declassified and released publicly after redaction.

Based on an audit of 94 laptops, "significant work remains to be done" by the inspector general's office in the areas of configuration, patch and inventory management, the report said.

For instance, the inspector general's office has so far failed to implement a standard laptop configuration that meets required DHS and federal guidelines, the report noted. Nearly 40% of tested laptops were discovered to have vulnerabilities because of a failure to meet standard configuration requirements.

Similarly, procedures for patching computers that were regularly connected to the inspector general's office network were also found lacking. The audit showed that the inspector general's office had procedures in place for ensuring that systems were fully patched prior to a system being put into operation. But it did not have a procedure for identifying relevant patches and updates on an ongoing basis. That means some medium-risk and serious patches were not applied.

About 20% of the systems surveyed had three or more missing patches, while two loaner and two "secondary laptops" were missing a total of 160 medium and high-risk patches between them.

An analysis of the procedures related to issues such as missing and stolen computers, labeling, reuse and disposal also showed that the inspector general's office has several gaps in the area of laptop inventory management, the report showed. For instance, there were no proper procedures for reporting laptop losses to the appropriate authorities nor was there any to ensure that systems were purged of sensitive data before being reused or disposed of.

Dealing with such issues will require the inspector general's office to fix the configuration vulnerabilities found in the tested systems and ensure that similar flaws are fixed agencywide, the report said. The report also recommended procedures for better configuration management and the deployment of an "enterprise property management system" for tracking inventory.

In a response to the report, officials in the inspector general's office outlined several measures that had already been taken or were being implemented. Those steps included the creation of a new "master image" or standard configuration for unclassified agency laptops and new procedures requiring the removal and sanitization of hard drives from systems slated for reuse.

Read more about security in Computerworld's Security Knowledge Center.