Security of FEMA database questioned

Computerworld - The Federal Emergency Management Agency has not established adequate controls over sensitive data in its National Emergency Management Information System (NEMIS), according to a redacted report (download PDF) released Monday by Robert Skinner, inspector general of the U.S. Department of Homeland Security.
FEMA is now part of the DHS's Emergency Preparedness and Response (EP&R) Directorate.
Although the agency, which came under fire for its slow response to Hurricane Katrina in late August, has developed and maintained many essential security controls for NEMIS, more work needs to be done to protect the database, according to Skinner's report.
Specifically, FEMA hasn't implemented effective procedures for granting, monitoring and removing user access, nor has it conducted contingency training or testing, Skinner said. In addition, vulnerabilities were found on NEMIS servers related to access rights and password administration.
NEMIS allows incident tracking and coordination, is used by individuals and small businesses that apply for federal assistance, and processes requests from states for funding of hazard mitigation projects.
"Due to these database security exposures, there is an increased risk that unauthorized individuals could gain access to critical EP&R database resources and compromise the confidentiality, integrity and availability of sensitive NEMIS data," Skinner wrote in the report. "In addition, EP&R may not be able to recover NEMIS following a disaster."
He called on FEMA to make sure adequate controls over user access to NEMIS are put in place and urged it to implement an IT contingency training and testing program for NEMIS. He also said FEMA needs to develop corrective action plans to address the vulnerabilities and weaknesses Skinner found.
In response to a draft of the report, FEMA officials agreed with Skinner's recommendations and said they are moving to correct the deficiencies. Even so, Skinner said FEMA did not offer up a specific plan to address 56 deficiencies, and noted that EP&R has not fully aligned its security program with DHS's overall policies, procedures or practices.
"For example, security controls had not been tested in over a year; a contingency plan has not been tested; security control costs have not been integrated into the life cycle of the system; and system and database administrators have not obtained specialized security training," Skinner wrote.
The NEMIS database, which was implemented in 1998, was designed and developed by Fairfax, Va.-based Anteon Corp., using Oracle Corp.'s relational database management system. Although that information was redacted from Skinner's report, it was available at Anteon's Web site.
NEMIS replaced FEMA's legacy system with a fully integrated client/server architecture consisting of morethan 31 networked servers installed nationwide, according to Anteon.