The DOJ Criminal Division’s Laptop Computer Encryption Program and Practices – Audit Report
From the summary of findings in The Criminal Division’s Laptop Computer Encryption Program and Practices, Audit Report 10-23, March 2010:
Criminal Division-Owned Laptop Computers
Our review found that of the 40 laptops we tested for encryption software, 10 did not have encryption, and 9 of those 10 did not have Windows passwords enabled. All of the unencrypted laptops were in one Criminal Division section, the International Criminal Investigative Training Assistance Program (ICITAP), and all of those laptops contained sensitive departmental data.
In addition to our testing of laptops for encryption, we found weaknesses in other areas of the Criminal Division’s laptop encryption program. We determined that at least 43 laptops did not comply with DOJ standards and Criminal Division requirements for laptop security settings. Also, documentation was not maintained to verify the successful installation of whole disk encryption software for all laptop computers. In addition, the Criminal Division was unable to produce an accurate inventory of the universe of laptop computers it owns from ARGIS, DOJ’s official property management system.
Non-Criminal Division-Owned Laptop Computers
We found serious deficiencies with the [Offices, Boards, and Divisions] OBD 47 contractor-owned laptops. Specifically, seven out of nine OBD 47 contractors we tested processed sensitive Department data on laptops without encryption.
In addition to our testing of contractor laptops for encryption, we found weaknesses in oversight of data security policies for the Criminal Division’s contractors. For both the Mega 3 and OBD 47 contracts, we found that these contracts did not have the required security clause requiring encryption, and the Criminal Division had not implemented alternative controls to compensate for the contract deficiencies.
The entire audit can be found here (pdf).