Energy IG Finds Science Offices Skirt Security Rules for Peripheral Devices

The Department of Energy’s inspector general found that none of the agency’s science offices it reviewed had fully implemented guidance for securing peripheral devices, with one official saying it was technically infeasible or “extremely difficult” to comply.


Peripheral devices such as printers, scanners, copiers, fax machines, voice-over-internet-protocol phones, thumb drives and external hard drives often hold sensitive information and can be used to deliver malware to the network. They are subject to security requirements such as those outlined in “DOE Information Technology and Cybersecurity Policy Memorandum: Removable Media Security,” which was issued by the office of the chief information officer in 2018.


The IG’s office examined four DOE offices of science for compliance with the memorandum and issued a summary of its findings this week. 


“Our review disclosed access control weaknesses at two Science locations in which peripheral devices had not been securely configured to protect against unauthorized access,” the report reads. “In addition, none of the four sites reviewed fully implemented security standards found within the removable media policy issued by the Office of the Chief Information Officer, including requiring that all mass storage devices provide encryption, ensuring onboard antivirus capability, and using only Government furnished devices.”


Officials interviewed by the IG’s office gave a number of reasons for not complying and even pushed back on the guidance.


“Science officials expressed concerns with the overall process in which the Office of the Chief Information Officer issued security standards, policies, and/or directives,” the IG’s office wrote.


Science officials specifically said complying with the guidance was costly, negatively affected collaboration, or would introduce other risks and would therefore be “unjustified.”

