On November 14, 2014, the Office of Inspector General (OIG) for the Department of Homeland Security (DHS) issued a report critical of the agency’s performance in protecting personally identifiable information (PII) and developing adequate privacy policies and controls. The Inspector General concluded that “DHS … did not ensure it had uniform procedures to implement privacy policies and controls to integrate privacy protections for each process, program, and information system that affects sensitive PII and protected information.” This report, entitled Major Management and Performance Challenges Facing the Department of Homeland Security, assesses DHS’s management challenges on an annual basis as required by federal law.
The OIG report concluded that contractors contribute to privacy vulnerabilities at DHS because they lack adequate controls to protect PII. In one instance, a contractor reported to DHS a breach that may have exposed data from the background checks of 25,000 individuals. Another area of concern is the accessibility of passwords, sensitive IT information and unsecured credit cards and laptops to unauthorized users.
The OIG report also concluded that the National Protection and Programs Directorate (NPPD) is continuing to face challenges in sharing and integrating cyber threat information among the five federal cyber operations centers for which NPPD is responsible. NPPD has not established a common incident-management program at the five cyber centers to track, update, share and coordinate cyber information. Further, the cyber centers do not have a standardized set of categories for reporting cyber security incidents, without which their ability to share threat information and coordinate effective responses to cyber threats is impaired.
For a copy of the Inspector General’s report, OIG-15-09, please click here.