Audit of US DOE on Incidents

Posted on June 26, 2009 by Dissent

Parts of the report were redacted, indicated by x’s below.

Executive Summary:

The Office of Inspector General (OIG) performed a review of the Department of Education’s (Department) external web sites. This audit was conducted in accordance with the Federal Information Security Management Act (FISMA) as enacted by Title III of the E-Government Act of 2002, Public Law 107-347, and the Privacy Act of 1974. Specifically, we assessed whether information technology (IT) security controls were in place to protect Department resources in the areas of incident handling, security awareness and training, and Privacy Act compliance. FISMA requires the OIG to perform independent evaluations and testing of the effectiveness of information security control techniques and to provide an assessment of the Department’s compliance.

Based on our review, the Department’s Chief Information Officer (CIO) must improve security controls over the incident response and handling program and accelerate two-factor authentication for protecting Privacy Act information to adequately protect the confidentiality, integrity, and availability of the personally identifiable information (PII) data residing on public web sites. During our audit, we also identified significant conditions related to the work performed regarding xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx and public domain web site establishment and maintenance.

Incident Handling

• The Department did not have an effective incident response and handling program. The Department’s CIO: (a) did not provide sufficient security awareness to Department users regarding xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; (b) provided conflicting guidance regarding incident response reporting procedures; and (c) did not properly oversee the Department’s Customer Service staff. The Department has a responsibility to implement all precautions to protect all vital PII data residing on the Department’s network. Compromise of this data would cause substantial harm and embarrassment to the Department and may lead to identity theft or other fraudulent use of the information.

Two-Factor Authentication

• The Department’s CIO did not implement two-factor authentication or other effective compensating controls commensurate with the risk and magnitude of harm resulting from a Department data compromise. Specifically, using information from two public web sites, we were able to use xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx techniques to remotely obtain access to sensitive Department information and PII. If sensitive Department information and PII data are compromised, the Department could suffer substantial embarrassment and that compromise may lead to fraudulent misuse of the information.

XXX Configuration

• The Department did not configure the xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. Our tests demonstrated that unauthorized access to the system through xxxxxxxxxxxxxxxx attacks could provide a potential malicious attacker with the capability of exploiting systems, deleting and/or modifying sensitive data, and causing serious harm to Department information. Users with malicious intent could gain access to the xxxxx xxxxxxxxxxxxxxxxxxxxx for email spoofing, social engineering, and other possible malicious attacks.

Public Domain Web Sites

• The Department did not properly establish and maintain public domain web sites. Specifically, the Department did not: (a) properly track, update, and verify a directory of public web sites; (b) properly control internet protocol address assignment; (c) properly issue and administer web site certificates; (d) properly monitor public domain web sites; and (e) use approved domain names. The Department’s CIO has the overall responsibility to implement all precautions to protect Department data residing on public domain web sites. Additionally, the public has the right to assume that web sites hosted or provided by the Department are valid and trusted. It is essential that the Department validate its public web sites and adequately protect the confidentiality, integrity, and availability of the PII data residing on public web sites.

In response to our draft report, the Department thanked the OIG for the opportunity to provide comments for this audit report. The Department also stated it concurred, as of the start date of this audit, with the findings and recommendations identified. In response to our system security review, management stated that corrective action plans for the weaknesses will be finalized through the Department’s normal audit resolution process. xxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

ED-OIG/A11I0006, June 10, 2009
