IG flags Commerce security problems

The department must improve its handling of sensitive data and revisit key systems previously certified as secure, according to the inspector general

By Wade-Hahn Chan
Published on December 19, 2006


Information security is the Commerce Department's No. 1 challenge in this fiscal year, according to its inspector general.

In its semiannual report to Congress for the six months ending Sept. 30, the IG cited the department's poor track record with regard to protecting the privacy of personal data and its slow progress on certifying the security of its critical systems.

The privacy concerns stem from a late September study that found the department had lost 1,137 laptop computers and other mobile devices since 2001, 249 of which contained personally identifiable information (PII).

Under guidelines that the Office of Management and Budget issued, agencies must take several steps to protect personal data. To start, they should encrypt all sensitive data stored on mobile devices. They also must incorporate two kinds of authentication -- such as passwords and fingerprints -- to control remote access to systems with sensitive data. Finally, they should set up their systems to disconnect users who have been logged on for too long without any activity, and they should log all activity on those systems.

It was unclear whether Commerce had followed those guidelines, the IG reported.

“We found that in most cases bureaus could not demonstrate that the necessary steps have been taken to ensure that PII is adequately safeguarded,” the report stated. “None of the system documentation reviewed indicated that PII was stored or processed, a step needed to determine the required safeguards.”

The IG also criticized the department for the mixed results of its efforts to certify and accredit the security of important systems. Commerce officials appear to have made some progress, completing the process for 22 of its 28 systems by August 2006 -- an increase from only five a year earlier.

In evaluating the certification and accreditation documentation, the IG found that only a third of the systems fully complied with the security standards that the National Institute of Standards and Technology set, and nine of the remaining systems had serious deficiencies.


