Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program Page: 21 of 36
annual reporting, OMB asks the agency IGs to report on the status of the
plans of action and milestones at their agencies. IGs were asked to evaluate
the process based on several criteria, including whether systems plans are
tied directly to the system budget request through the information
technology business case, as required by OMB.

For four of the five systems that we reviewed, program officials either did
not identify any resources in their plans of action and milestones
submissions, as required by OMB, to correct or mitigate identified
information security weaknesses or had not prepared plans of action and
milestones. As part of its fiscal year 2004 FISMA evaluation, the OIG
reported that DHS's plans of action and milestones process was not
adequate. Specifically, the estimated funding necessary to correct or
mitigate information security weaknesses was not identified in the
components' plans of action and milestones submissions, system-level
plans of action and milestones were not linked to individual components'
budget submissions, and not all of the components were capturing
information security weaknesses from all sources for reporting on their
plans of action and milestones. We found that a major application at
Immigration and Customs Enforcement and a general support system at
Emergency Preparedness and Response had not allocated any funds to
correct specifically identified weaknesses. Although some actions did not
have an associated cost, there were instances where it was apparent that
costs would be incurred for the corrective action. Further, the
Transportation Security Administration did not prepare plans of action and
milestones for information security weaknesses associated with a major
application and general support system. As a result, DHS does not have
assurance that all information security weaknesses have been reported and
that corrective actions will appropriately be taken to address the

Continuity of Operations

Continuity of operations plans provide specific instructions for restoring
critical systems, including such elements as arrangement for alternative
processing facilities in case the usual facilities are significantly damaged or
cannot be accessed due to unexpected events. These events may include
such things as temporary power failure, accidental loss of files, or a major
disaster. It is important that these plans be clearly documented,
communicated to potentially affected staff, and updated to reflect current
operations. According to NIST guidance, continuity planning includes
establishing thorough plans, procedures, and technical measures that can
enable a system to be recovered quickly and effectively following a service
disruption or disaster. Further, the testing of continuity of operations plans
GAO-05-700 DHS Information Security
United States. Government Accountability Office. Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program, report, June 17, 2005; Washington D.C.. (https://digital.library.unt.edu/ark:/67531/metadc295505/m1/21/: accessed May 24, 2019), University of North Texas Libraries, Digital Library, https://digital.library.unt.edu; crediting UNT Libraries Government Documents Department.