Homeland Security Department offices are dropping the ball on information security controls, according to a pair of audits released last week.
Auditors with the firm KPMG walked through offices and cubicles of staff for the DHS chief information officer and chief financial officer after work hours and found unsecured laptops and mobile devices, as well as written-down passwords, according to one of the audits.
The inspectors also found unsecured documents marked “for official use only” and documents that contained employees’ or citizens’ personal information, according to the audit, which was performed during the 2016 fiscal year.
The unsecured information was found in three out of 69 workspaces the auditors visited, KPMG said.
The audit also found password configurations used by those officers that didn’t meet departmentwide standards and a plan for configuring access controls for sensitive data that was still in draft form.
A separate audit released Tuesday for DHS’ main cyber division, the National Protection and Programs Directorate, found deficiencies that “limited NPPD’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure their confidentiality, integrity, and availability.”
NPPD couldn’t produce a complete and accurate list of all contractors that stopped serving the division during the 2016 fiscal year, according to the audit.
The division also didn’t have sufficient controls to monitor when employee and contractor digital accounts were closed or recertified or when a user’s privileges were elevated, the audit found.
The audit also found weaknesses in the ways the division scanned its systems for digital vulnerabilities and found that NPPD didn’t fully comply with rules concerning database passwords and elevating user privileges.