Specifically, the DHS CIO is not a member of the department's senior management team, so he does not have authority to strategically manage agency-wide IT programs, the IG said. Also, there is no formal reporting structure between the CIO and the infosec managers of the agency's nine components, which hinders support for implementing the DHS infosec program.
Among the other problems, DHS lacks an accurate and complete system inventory, which prevents it from effectively managing its infosec program, the IG said. Component infosec managers do not understand required program and system information, limiting DHS's ability to put together a comprehensive inventory.
The IG recommended that DHS improve its procedures for wireless technologies, remote access, vulnerability scanning and incident detection, among other areas.
In a written response, DHS's CIO generally agreed with the report's recommendations and said the department already is working to address issues raised by the IG, including compiling a comprehensive system and application inventory.