US government security group falls short in audit

The US Department of Homeland Security (DHS) has criticised the government's online security branch for lax security practices.

The DHS said in a recently published audit report (PDF) that the US Computer Emergency Response Team had failed properly to secure its on-premise systems.

The auditors singled out the agency and its parent organisation the National Cyber Security Division (NCSD) for failing to patch its systems, provide adequate security documentation and implement consistent security policies.

Among the security shortcomings were unpatched systems in the agency's mission operating environment, which contained more than 200 unpatched high-risk security vulnerabilities.

Additionally, the audit found that the NCSD had failed properly to report on its security practices and provide employees with adequate security training or guidelines.

"Overall, the NCSD has implemented adequate physical security and logical access controls over the cyber security programme systems used to collect, process and disseminate cyber threat and warning information to the public and private sectors," the auditors said in the report.

"However, a significant effort is needed to address existing security issues in order to implement a robust programme that will enhance the cyber security posture of the federal government."

The report recommended that the agency implement systems to manage and deploy patches, provide regular reports on currently vulnerable systems and establish a formalised security training programme.