Smithsonian Institution



Similar documents
FY 2013 Evaluation of the Smithsonian Institution s Information Security Program

SMITHSONIAN INSTITUTION

Department of Homeland Security Office of Inspector General. Audit of Application Controls for FEMA's Individual Assistance Payment Application

VA Office of Inspector General

Evaluation of the SEC Encryption Program

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

POSTAL REGULATORY COMMISSION

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

REQUEST FOR FINAL ACTION AUDIT T PRIVACY PROTECTION TVA USE OF INFORMATION IN IDENTIFIABLE FORM

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

INSPECTION CLOUD COMPUTING SECURITY DOCUMENTATION IN THE CYBER SECURITY ASSESSMENT MANAGEMENT SOLUTION

Office of Inspector General

Motor Vehicle Fleet Operations. Smithsonian Needs to Update and Implement Vehicle-Related Policies and Procedures

2.0 RECOMMENDATIONS Members of the Committee are asked to note the information contained within this report.

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

Audit of the Management of Leased Office Space. Smithsonian Needs to Finalize Its Cost-Benefit Analysis to Inform Real Estate Decisions

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Status of Cloud Computing Environments within OPM (Report No. 4A-CI )

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

PROCESSING CLASSIFIED INFORMATION ON PORTABLE COMPUTERS IN THE DEPARTMENT OF JUSTICE

NASA s Management of its Smartphones, Tablets, and Other Mobile Devices

SECURITY WEAKNESSES IN DOT S COMMON OPERATING ENVIRONMENT EXPOSE ITS SYSTEMS AND DATA TO COMPROMISE

AUDIT OF SBA S LOAN APPLICATION TRACKING SYSTEM AUDIT REPORT NUMBER 4-18 APRIL 5, 2004

INFORMATION SECURITY AT THE HEALTH RESOURCES AND SERVICES ADMINISTRATION NEEDS IMPROVEMENT BECAUSE CONTROLS WERE NOT FULLY IMPLEMENTED AND MONITORED

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

EVALUATION OF THE SMALL BUSINESS ADMINISTRATION'S INFORMATION SECURITY PROGRAM

Department of Homeland Security

Department of Homeland Security

REPORT ON FY 2006 FISMA AUDIT OF THE SMITHSONIAN INSTITUTION S INFORMATION SECURITY PROGRAM

In Brief. Smithsonian Institution Office of the Inspector General. Smithsonian Institution Information Security Program

Office of Inspector General Audit Report

FEDERAL ELECTION COMMISSION OFFICE OF INSPECTOR GENERAL

Virginia Commonwealth University School of Medicine Information Security Standard

Department of Homeland Security Office of Inspector General

U.S. DEPARTMENT OF THE INTERIOR OFFICE OF SURFACE MINING RECLAMAION AND ENFORCEMENT DIRECTIVES SYSTEM

Office of Inspector General

In Brief. Smithsonian Institution Office of the Inspector General

Memorandum. Audit Report No.: OAS-L REPLY TO ATTN OF: Chief Financial Officer, CF-1 TO: INTRODUCTION AND OBJECTIVE

Office of Inspector General

INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program

Audit Report. Mobile Device Security

Office of Inspector General Audit Report

AUDIT REPORT. Follow-up on the Department of Energy's Acquisition and Maintenance of Software Licenses

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

Privacy Impact Assessment

U.S. Department of Energy Office of Inspector General Office of Audit Services. Audit Report. Security Over Wireless Networking Technologies

How To Improve Nasa'S Security

AUDIT REPORT. The Department of Energy's Management of Cloud Computing Activities

For: All FSA Employees (Federal and Non-Federal) and Contractors

Office of Inspector General

Briefing Report: Improvements Needed in EPA s Information Security Program

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO TABLE OF CONTENTS

THE INFORMATION TECHNOLOGY INFRASTRUCTURE

Reviews to Determine Architectural Compliance of Information Technology Acquisitions Need to Be Consistently Performed and Documented.

NARA s Information Security Program. OIG Audit Report No October 27, 2014

DOCUMENT NUMBER: IT-0514

HARPER, RAINS, KNIGHT & COMPANY, P.A. CERTIFIED PUBLIC ACCOUNTANTS RIDGELAND, MISSISSIPPI

AUDIT OF USAID s IMPLEMENTATION OF INTERNET PROTOCOL VERSION 6

How To Check If Nasa Can Protect Itself From Hackers

ADVISORY MEMORANDUM REPORT ON DEVELOPMENT OF THE LOAN MONITORING SYSTEM ADVISORY REPORT NUMBER A1-03 FEBRUARY 23, 2001

AUDIT OF NASA S EFFORTS TO CONTINUOUSLY MONITOR CRITICAL INFORMATION TECHNOLOGY SECURITY CONTROLS

W September 14, Final Report on the Audit of Outsourcing of Desktop Computers (Assignment No. A-HA ) Report No.

School of Nursing Research Seminar. Data Security in The Academic Health Center. Presented By Jon Harper AHC Information Systems

This policy applies to all DRC employees, contractors, volunteers, interns and other agents of the state.

Cloud Computing. Report No. OIG-AMR UNITED STATES GOVERNMENT National Labor Relations Board Office of Inspector General.

March 17, 2015 OIG-15-43

Fiscal Year 2007 Federal Information Security Management Act Report

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

Office of Inspector General

Privacy Impact Assessment. For. Non-GFE for Remote Access. Date: May 26, Point of Contact and Author: Michael Gray

May 2, 2016 OIG-16-69

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

Office of Inspector General

Hardware Inventory Management Greater Boston District

Office of the Inspector General United States Office of Personnel Management. Statement of Michael R. Esser Assistant Inspector General for Audits

2008 FISMA Executive Summary Report

Introduction and Purpose... 2 Scope... 2 Auxiliary units Part-Time, Temporary faculty/staff, Volunteer, Contractor and Student Assistants...

INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES

MINNESOTA STATE STANDARD

Federal Information Security Management Act: Fiscal Year 2014 Evaluation

In Brief. Smithsonian Institution Office of the Inspector General. Smithsonian Institution Network Report Number A-06-07, August 10, 2007

2014 Audit of the CFPB s Information Security Program

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION CONTRACT WITH DELL MARKETING, L.P., FOR MICROSOFT LICENSING AND MAINTENANCE

2014 Audit of the Board s Information Security Program

Department of Homeland Security Office of Inspector General

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

ACTING VICE PRESIDENT, INFORMATION TECHNOLOGY. Michael L. Thompson Acting Deputy Assistant Inspector General for Technology, Investment and Cost

Information Security Series: Security Practices. Integrated Contract Management System

Final Audit Report FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY Report No. 4A-CI

Final Audit Report -- CAUTION --

THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES LAPTOP ENCRYPTION. Report No

EPA Could Improve Its Information Security by Strengthening Verification and Validation Processes

Controls Over the SEC s Inventory of Laptop Computers

Wireless Local Area Network Deployment and Security Practices

OFFICIAL USE ONLY. Department of Energy. DATE: January 31, 2007 Audit Report Number: OAS-L-07-06

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Transcription:

Smithsonian Institution Office of the Inspector General Date March 4, 2013 To cc From Subject Albert Horvath, Under Secretary for Finance and Administration and Chief Financial Officer Deron Burba, Chief Information Officer Patricia Bartlett, Chief of Staff, Office of the Secretary Judith Leonard, General Counsel Rebecca Hutchings, Acting Director of IT Security Scott S. Dahl, Inspector General Management Advisory Regarding Portable Computer Encryption (M-13-01) INTRODUCTION In our fiscal year 2010 FISMA review of the Smithsonian s information security program (Smithsonian Institution Information Security Program, March 15, 2011, Report No. A-10-01), we found that the Smithsonian was not enforcing its policy requiring that all mobile devices that may be used to store sensitive information be encrypted. We recommended that the Smithsonian implement controls to ensure that policy is enforced. In a memorandum dated September 30, 2012, management informed us that it implemented the recommendation and requested that we close it. To determine if the actions management took were effective, we examined a sample of portable computers in units that routinely handle sensitive information. We found that most of the portable computers we tested were not encrypted. Management needs to ensure that portable computers that may be used to store sensitive information are properly encrypted. In addition, management needs to ensure that users are aware if a laptop is unencrypted and that it should not be used to store sensitive information. Therefore, we are keeping the recommendation open and making three more recommendations to assist management in implementing the original one. BACKGROUND The Office of Management and Budget issued Memorandum M-06-16 in June 2006 requiring all executive departments and agencies to encrypt all data on mobile computers/devices which carry agency data, unless the data is determined to be non-sensitive, in writing, by the Deputy Secretary or designee. The Smithsonian is not required to follow OMB memorandums but has issued policies requiring devices containing sensitive data be encrypted.

Smithsonian Directive 931, Use of Computers, Telecommunication Devices and Networks, dated September 18, 2009, requires users to ensure that sensitive data stored on laptops or other portable hardware is encrypted. The OCIO technical note IT-930-TN28 establishes the procedures and responsibilities for implementing encryption. According to the technical note, the computing device user is responsible for determining that the device may be used to store sensitive information. The computing device user contacts the unit s IT staff, who is responsible for licensing and installing encryption software. The technical note establishes that whole disk encryption must be used if sensitive data is stored on a laptop computer. In response to the original audit recommendation, management took the following measures: The Office of the Chief Information Officer (OCIO) provided information for Smithsonian units to directly procure a range of approved encrypted devices and encryption software. The CIO distributed a Smithsonian-wide email to remind staff of their role and responsibilities for protecting sensitive Smithsonian information using these approved technologies. In addition, OCIO installs encryption on portable or desktop computers on request. RESULTS OF OIG REVIEW In December 2012 and January 2013, we tested a sample of laptops in four units that routinely handle sensitive information and found that many laptop computers were not encrypted. We found that 11 of 15 laptops tested did not have whole disk encryption installed. Of the four units visited, three units did not have encryption installed on any of the laptop computers tested. Several of the computers tested were used by senior-level management. Several staff indicated that they assumed the laptop computers were configured according to Smithsonian requirements and were unaware that encryption was not installed. If a laptop computer that is not secured with encryption is lost or stolen, the information contained on the laptop can be easily obtained without knowledge of user passwords. If the information on the laptop computer is securely encrypted, it would be unlikely or impractical for anyone to retrieve it without the decryption key. CONCLUSION AND RECOMMENDATION The controls in place are not adequate to ensure that laptop computers that may contain sensitive information are secured with an appropriate encryption technology. Staff were not knowledgeable about how the equipment they use was configured and expected it to be configured appropriately for its intended use. Therefore, the original recommendation will remain open and we further recommend that the USFA/CFO, in coordination with the other Under Secretaries, direct Unit IT staff to: 2

1. Determine which laptop computers in their inventory may be used to store sensitive data and, with assistance from OCIO, configure those computers with whole drive encryption. 2. Identify all laptop computers that will not be configured with encryption and clearly indicate to users with a prominent label that those computers must not be used to store sensitive information. In addition, we recommend that the Chief Information Officer: 3. Revise IT-930-TN28 to assign responsibility to staff with the knowledge and skills to ensure laptop computers are configured with appropriate encryption technology. Management has concurred with the recommendations and developed a plan to implement them. We believe that the proposed actions, when implemented, will meet the intent of these recommendations. We have included management s full response in Appendix A. We note that the original recommendation is to enforce the existing Smithsonian policy, which requires all mobile devices that may be used to store sensitive information be encrypted. This includes devices such as portable storage, tablets, and smart phones. When requesting that we close the original recommendation, please address how the Smithsonian is implementing its policy with respect to other types of mobile devices. 3

APPENDIX A. MANAGEMENT S RESPONSE 4

APPENDIX A. MANAGEMENT S RESPONSE (CONTINUED) 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information