In the midst of a barrage of criticism regarding its handling of Hurricane Katrina, the Federal Emergency Management Agency is also now facing criticism that its Emergency Preparedness and Response database has lousy security controls.
A recent report from the Department of Homeland Securitys Office of Inspector General (PDF download required) states that it has audited the DHS and its organizational components security program in order to evaluate the security and integrity of certain sensitive—although unclassified—mission-critical databases.
The audit covered access controls, continuity of operations, and change management policies and procedures in order to determine whether FEMA had implemented adequate security over sensitive data in NEMIS, its National Emergency Management Information System.
The audit found that although FEMA has implemented some security controls for NEMIS, more work needs to be done.
Specifically, the DHS Inspector General found that FEMA has failed to implement effective procedures for granting, monitoring and removing user access. Nor has FEMA conducted IT contingency training or testing, according to the report.
Also, NEMIS servers suffer vulnerabilities in the form of access rights, password administration and configuration management, the audit found.
“Due to these database security exposures, there is an increased risk that unauthorized individuals could gain access to critical EP&R database resources and compromise the confidentiality, integrity and availability of sensitive NEMIS data,” wrote Richard L. Skinner, inspector general, in the report.
Whats at stake? EP&R may be unable to recover NEMIS following a disaster, Skinner wrote.
The report was edited to omit the name of the databases vendor and any identifying details. But according to the Web site of Anteon, a major Oracle reseller, the system runs on Oracle 8 databases. The reseller developed NEMIS using Microsoft NT, workflow mapping and a fully distributed Oracle 8 database.
According to Anteons site, NEMIS comprises an online reference library to improve FEMAs communication and information dissemination; a Web-based image storage and retrieval system to provide access to disaster-related documents; interfaces to facilitate the exchange of related data between NEMIS and partner systems; and nationally distributed system architecture and cross-program/replicated database structure.
“We designed and implemented the distributed databases using the symmetric replication feature of Oracle 8 to manage and consolidate data synchronization, ensuring timely data availability to FEMA and FEMA partner personnel around the country,” Anteon says on its site.
According to the DHS report, FEMA officials have pledged to take corrective action to address certain vulnerabilities identified during technical testing. However, the auditors had not verified that the vulnerabilities had been remedied by the time the report was published. In addition, EP&R failed to provide a plan of action for correcting some 56 vulnerabilities.
The DHS is recommending that FEMA direct its CIO to ensure that adequate controls for granting, monitoring and removing user access to NEMIS be implemented; that an IT contingency training and testing program for NEMIS be rolled out; and that FEMA draw up a corrective action plan to address other vulnerabilities and configuration weaknesses.
As it now stands, Skinner wrote, FEMA has failed to “[fully align] its security program with DHS overall policies, procedures, or practices.”
For example, Skinner wrote, “security controls had not been tested in over a year; a contingency plan has not been tested; security control costs have not been integrated into the life cycle of the system; and system and database administrators have not obtained specialized security training.”
FEMAs response, included in an appendix to the report, states that in order to address the audits complaints, one of its responses will be to implement Oracle Database Auditing “in the near future.”
“These audit logs, along with system, Oracle Listener, Apache and application logs, will be stored in a central location and will be archived for seven years, in accordance with DHS policy,” FEMA wrote in its response.