Report: DHS Had “Significant” I.T. Security Weaknesses

The Department of Homeland Security, which melded together 22 federal departments in 2002, had “significant information security weaknesses” that limited its ability to ensure the confidentiality and integrity of internal information as of September 2005, according to a report from the agency’s Office of Inspector General.

The report was part of a financial audit of DHS for the fiscal year ended September 2005 but wasn’t released publicly until July. The disclosure of the agency’s information security gaps came shortly before British authorities announced in August that they had disrupted a plot by 24 Islamic terrorists to blow up several transatlantic airliners.

The report noted that DHS had fixed many I.T. shortcomings identified the previous year. But the Office of Inspector General still found a number of security problems, including:

  • Missing and weak user passwords on key servers and databases.
  • Excessive access privileges for certain group users’ accounts.
  • Five critical financial systems that lacked certifications and accreditations.
  • Instances in which necessary security patches were not applied.
  • Computers that were not configured to automatically log off after a period of inactivity.

“Collectively, these I.T. control weaknesses limit DHS’ ability to ensure that critical financial and operational data is maintained in such a manner to ensure confidentiality, integrity and availability,” the report said.

DHS did not respond to requests for comment by press time. But the inspector general’s report said the agency’s chief information officer, Scott Charbo, generally agreed with the report’s findings and has committed to taking unspecified “corrective actions.”