Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program
GAO-05-700
Published: Jun 17, 2005. Publicly Released: Jul 08, 2005.
Highlights
The Homeland Security Act of 2002 mandated the merging of 22 federal agencies and organizations to create the Department of Homeland Security (DHS), whose mission, in part, is to protect our homeland from threats and attacks. DHS relies on a variety of computerized information systems to support its operations. GAO was asked to review DHS's information security program. In response, GAO determined whether DHS had developed, documented, and implemented a comprehensive, departmentwide information security program.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status
---|---|---
Office of the Chief Information Officer (DOD CIO) | To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the Chief Information Officer to instruct the Chief Information Security Officer (CISO) and component agencies to fully implement the following key information security practices and controls by developing complete risk assessments. | Department of Homeland Security (DHS) has since developed and implemented complete risk assessments. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete risk assessments with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.
Office of the Chief Information Officer (DOD CIO) | To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by documenting comprehensive security plans. | Department of Homeland Security (DHS) has since developed and implemented comprehensive security plans. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete security plans with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.
Office of the Chief Information Officer (DOD CIO) | To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by fully performing testing and evaluation of security controls. | Department of Homeland Security (DHS) has since developed and implemented testing and evaluation of security controls. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete testing and evaluation of security controls with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.
Office of the Chief Information Officer (DOD CIO) | To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by reporting complete remedial action plans. | Department of Homeland Security (DHS) has since developed and implemented complete remedial action plans. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete remedial action plans with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.
Office of the Chief Information Officer (DOD CIO) | To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by developing, documenting, and testing continuity of operations plans. | Department of Homeland Security (DHS) has since developed and tested continuity of operations plans. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete continuity of operations plans with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.
Office of the Chief Information Officer (DOD CIO) | To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the Chief Information Officer to establish milestones for completing verification of the components' reported performance data in Trusted Agent Federal Information Security Management Act. | Department of Homeland Security (DHS) has since followed documented processes and procedures for verification of the components' reported performance data in Trusted Agent FISMA (TAF). The DHS Inspector General verified and reported that milestones were completed in 2007 and the POA&M has been closed.
Topics
Chief information security officers, Computer security, Continuity of operations, E-government, Homeland security, Information resources management, Information security, Information systems, Internal controls, Performance measures, Security policies, Strategic information systems planning, Systems evaluation