Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program Page: 30 of 36
Comments from the Department of Homeland Security
The following observations clarify the implementation weaknesses noted in your report.
Trusted Agent FISMA
The report reiterates the DHS Office of Inspector General (OIG) 2004 Federal Information Security Management Act (FISMA) Report statement that the DHS cannot rely on the accuracy and completeness of the data contained in Trusted Agent FISMA, the Department's FISMA reporting tool. In response to the OIG report that the data in Trusted Agent FISMA cannot be verified, mechanisms for verifying information security performance metrics were added to Trusted Agent FISMA. These enhancements provide verification of the data input by Component personnel. The following enhancements improve the reliability of the Component data and the associated information security
* If a system is accredited, a copy of the Accreditation letter must be uploaded into Trusted Agent FISMA for the system to be counted as having a C&A.
* ISSM/Management Approval for self assessment data is required for calculating the number of systems with annual evaluations.
* Each system must be "Approved for Reporting" by the ISSM or ISSM designee for TAF to include the system data in the information security performance
* Once the Component system inventory project data is entered into Trusted Agent FISMA, the inventory can only be changed with an approval of the CISO.
* Data integrity reports display data inconsistencies for system identification, self assessment, and security performance measures.
* Robust audit trail reports include System/Program/Site Audit Report and User
We agree that periodic risk assessments of our information systems are necessary to assure that appropriate controls over potential threats have been identified to reduce or eliminate the associated risk. We recognize that this is one area that has not received sufficient attention to date. Although our information security policy mandates completion of risk assessment, we have only just begun to focus on the development of an enterprise risk assessment program.
As a first step in developing a risk assessment methodology, the CISO distributed an Information Security Categorization Workbook. This workbook can be used for identifying the Federal Information Processing Standards (FIPS) 199 security categorizations (e.g., High, Medium, and Low for Confidentiality, Integrity, and Availability). We are working to incorporate Recommended Security Controls for Federal Information Systems, NIST 800-53, into Trusted Agent FISMA and the C&A Tool. A contract to provide assist visits to the Components includes the requirement to review system risk assessments and should lead to improved completion and accuracy of DHS risk assessments.
GAO-05-700 DHS Information Security
United States. Government Accountability Office. Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program, report, June 17, 2005; Washington D.C.. (https://digital.library.unt.edu/ark:/67531/metadc295505/m1/30/: accessed May 24, 2019), University of North Texas Libraries, Digital Library, https://digital.library.unt.edu; crediting UNT Libraries Government Documents Department.