Information Security

Department of Homeland Security Needs to Fully Implement Its Security Program. GAO ID: GAO-05-700, June 17, 2005

The Homeland Security Act of 2002 mandated the merging of 22 federal agencies and organizations to create the Department of Homeland Security (DHS), whose mission, in part, is to protect our homeland from threats and attacks. DHS relies on a variety of computerized information systems to support its operations. GAO was asked to review DHS's information security program. In response, GAO determined whether DHS had developed, documented, and implemented a comprehensive, departmentwide information security program.

DHS has not fully implemented a comprehensive, departmentwide information security program to protect the information and information systems that support its operations and assets. It has developed and documented departmental policies and procedures that could provide a framework for implementing such a program; however, certain departmental components have not yet fully implemented key information security practices and controls. For example, risk assessments--needed to determine what controls are necessary and what level of resources should be expended on them--were incomplete. Elements required for information system security plans--which would provide a full understanding of existing and planned information security requirements--were missing. Testing and evaluation of security controls--which are needed to determine the effectiveness of information security policies and procedures--were incomplete or not performed. Elements required for remedial action plans--which would identify the resources needed to correct or mitigate known information security weaknesses--were missing, as were elements required for continuity of operations plans to restore critical systems in case of unexpected events. In addition, DHS had not yet fully developed a complete and accurate systems inventory. Shortfalls in executing responsibilities for ensuring compliance with the information security program allowed these weaknesses to occur. Although DHS has an organization that is responsible for overseeing the component implementation of key information security practices and controls, its primary means for doing so--an enterprisewide tool--has not been reliable. Until DHS addresses weaknesses with using the tool and implements a comprehensive, departmentwide information security program, its ability to protect its information and information systems will be limited.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.



The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.