Audit finds notable security gaps in FBI's storage media management
An audit from the Department of Justice's Office of the Inspector General (OIG) identified "significant weaknesses" in FBI's inventory management and disposal of electronic storage media containing sensitive and classified information.
The report highlights multiple issues with policies and procedures or controls for tracking storage media extracted from devices, and significant physical security gaps in the media destruction process.
The FBI has acknowledged these issues and is in the process of implementing corrective actions based on the recommendations from OIG.
OIG's findings
OIG's audit highlights several weaknesses in FBI's inventory management and disposal procedures for electronic storage media containing sensitive but unclassified (SBU) as well as classified national security information (NSI).
The three key findings are summarized as follows:
- The FBI does not adequately track or account for electronic storage media, such as internal hard drives and thumb drives, once they are extracted from larger devices, which increases the risk of these media being lost or stolen.
- The FBI fails to consistently label electronic storage media with the appropriate classification levels (e.g., Secret, Top Secret), which could lead to mishandling or unauthorized access to sensitive information.
- The OIG also observed insufficient physical security at the FBI facility where media destruction occurs. This includes inadequate internal access controls, unsecured storage of media awaiting destruction, and non-functioning surveillance cameras, all of which heighten the risk of classified information being compromised.
Recommendations and FBI's response
The OIG has made three specific recommendations to the FBI to address the identified problems.
- Revise procedures to ensure all electronic storage media containing sensitive or classified information, including hard drives that are extracted from computers slated for destruction, are appropriately accounted for, tracked, timely sanitized, and destroyed.
- Implement controls to ensure its electronic storage media are marked with the appropriate NSI classification level markings, in accordance with applicable policies and guidelines.
- Strengthen the control and practices for the physical security of its electronic storage media at the facility to prevent loss or theft.
FBI acknowledged the audit's findings and stated it is in the process of developing a new directive titled "Physical Control and Destruction of Classified and Sensitive Electronic Devices and Material Policy Directive."
This new policy is expected to address the problems identified in the storage media tracking and classification markings.
Additionally, the FBI said it is in the process of installing protective "cages" to use as storage points for the media, which will be covered by video surveillance.
OIG expects the FBI to update it on the status of implementing the corrective actions within 90 days.
source: BleepingComputer
Free security scan for your website
Top News:
Attackers are exploiting 2 zero-days in Palo Alto Networks firewalls (CVE-2024-0012, CVE-2024-9474)
November 18, 2024CWE top 25 most dangerous software weaknesses
November 21, 2024Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor
November 21, 2024Hackers now use AppDomain Injection to drop CobaltStrike beacons
August 24, 2024