Poor DOI data center security could expose sensitive info


An evaluation of select information technology security controls within a Department of the Interior data center has found over 20,000 critical, high-risk vulnerabilities left unmitigated on 24 systems owned by the Bureau of Indian Affairs and the Bureau of Indian Education.

An Inspector General review of the BIA Continuous Diagnostics and Mitigation program found it to be immature and not fully effective in protecting personally identifiable information. Management practices did not support the ability of BIA systems to identify unauthorized computer access or to detect and remove potential malware.

In addition, inadequate contingency planning allowed a temporary disruption to DOI mission operations in March 2016.

Incomplete hardware asset inventories and unimplemented software asset management controls contributed to the issues. Software updates and security patches that could help deter compromises were not applied, and computer servers were not securely configured.

The IG’s findings reflect that the Office of the Chief Information Officer doesn’t provide effective oversight of all bureaus implementing Interior’s IT security program.

Recommended security measures included:

  • An ongoing inventory process;
  • Installing IBM BigFix where applicable;
  • Implementing controls to identify and remove unauthorized/unsupported products;
  • Mitigating critical, high-risk vulnerabilities within 30 days of detection;
  • Reviewing contractor agreements to meet appropriate federal computer security requirements;
  • Monitoring operating systems and configurations to assure they remain secure; and
  • Ensuring independent verification and validation functions to ensure IT security needs are met.

BIA and the OCIO concurred with these recommendations, setting a target date of June 30, 2018, for many to be completed.

The complete report can be accessed on the OIG website.