Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program Page: 6 of 36
requirements of the Federal Information Security Management Act of 2002
(FISMA)[2] and relevant Office of Management and Budget (OMB) policies[3]
and National Institute of Standards and Technology (NIST) guidance
related to performing risk assessments, developing information security
plans, testing and evaluating security controls, documenting remedial
action plans, and documenting and testing continuity of operations plans.
Details on our scope and methodology are included in appendix I.
We performed our review at DHS facilities in the Washington, D.C.,
metropolitan area, Denver, Colorado, and at our headquarters in
Washington, D.C., from July 2004 through May 2005, in accordance with
generally accepted government auditing standards.
Results in Brief
DHS has not fully effectively implemented a comprehensive,
departmentwide information security program to protect the information
and information systems that support its operations and assets. It has
developed and documented departmental policies and procedures that
could provide a framework for implementing a departmentwide
information security program; however, certain departmental components
have not yet fully implemented key information security practices and
controls. For example, components' weaknesses in implementing the
program included incomplete risk assessments for determining the
required controls and the level of resources that should be expended on
them; missing required elements from information system security plans
for providing a full understanding of the existing and planned information
security requirements; incomplete or nonexistent test and evaluation of
security controls for determining the effectiveness of information security
policies and procedures; missing required elements from remedial action
plans for identifying the resources needed to correct or mitigate identified
information security weaknesses; and incomplete, nonexistent or untested
continuity of operations plans for restoring critical systems in the case of
unexpected events. In addition, DHS had not yet fully developed a
complete and accurate systems inventory.
[2] Federal Information Security Management Act of 2002, Title III, E-Government Act of
2002, Pub. L. No. 107-347, Dec. 17, 2002.
[3] Office of Management and Budget, Circular A-130, Appendix III, Security of Federal
Automated Information Resources (Washington, D.C.: Nov. 28, 2000).
GAO-05-700 DHS Information Security
United States. Government Accountability Office. Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program, report, June 17, 2005; Washington D.C.. (https://digital.library.unt.edu/ark:/67531/metadc295505/m1/6/: accessed May 22, 2019), University of North Texas Libraries, Digital Library, https://digital.library.unt.edu; crediting UNT Libraries Government Documents Department.