Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program Page: 19 of 36
appropriate controls over potential threats have been identified to reduce
or eliminate the associated risk.
The purpose of an information system security plan is to provide an
overview of the security requirements of the system and describe the
controls that are in place or planned for meeting those requirements. The
information security plan also delineates the responsibilities and expected
behavior of all individuals who access the system. The information security
plan can be viewed as documentation of the structured process of planning
adequate, cost-effective security protection for a system and should form
the basis for the system authorization, supplemented by more specific
studies as needed. According to NIST guidance, security plans should
include all interconnected systems (including the Internet) and interaction
among systems in regard to the authorization for the connection to other
systems or the sharing of information. Also according to NIST guidance,
security plans should include rules of behavior and reflect input from
various individuals who have responsibility for the system, including
information system owners. In addition, the security plans require periodic
reviews, modifications, and milestone or completion dates for planned
The information security plans for two of the six systems we reviewed
lacked required elements. Specifically, the information security plan for a
US-VISIT major application did not include authorizations for
interconnected systems or the sharing of information for primary and
secondary systems and for other infrastructures. In addition, the Internet
was not included in the list of interconnected systems. Further, rules of
behavior, another required element for security plans, did not cover all
pertinent elements such as work at home, dial-in access, connection to the
Internet, use of copyrighted works, unofficial use of government
equipment, the assignment and limitation of system privileges, and
individual accountability. The information security plan for the general
support system at the Emergency Preparedness and Response directorate
did not identify a designated information system owner or procedures for
reviewing the information security plan and following up on planned
controls. The OIG, as part of its fiscal year 2004 FISMA evaluation, found
that security plans for the DHS systems that it had selected for review had
either not been updated or not approved. As a result of these weaknesses,
DHS does not have assurance that its information systems are adequately
GAO-05-700 DHS Information Security
United States. Government Accountability Office. Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program, report, June 17, 2005; Washington D.C.. (https://digital.library.unt.edu/ark:/67531/metadc295505/m1/19/: accessed May 23, 2019), University of North Texas Libraries, Digital Library, https://digital.library.unt.edu; crediting UNT Libraries Government Documents Department.