In many cases, the Interior Department can't even tell where or to whom agency computers are assigned, the report noted. Fish and Wildlife Service records were singled out as especially poor. The Interior Department's accountability is bad enough that the 13 computers identified as missing wouldn't have even been identified as such if not for the inspector general's report.
Between October 2007 and November 2008, the department reported the loss of 66 laptops, including 17 losses identified as "high criticality." The agencies with the highest reported incidence of loss were actually the ones most able to provide information on the locations of their laptops to the inspector general, suggesting that these numbers could be even higher.
"Given the department's diverse missions, varying and often opposing constituencies, and controversial issues including environmental and Indian trust matters, infrastructure assets such as dams, bridges, and monuments, and land and minerals management activities, information control is essential," the inspector general wrote in the report.
Despite policies mandated by the Federal Information Systems Management Act and other regulations, including rules that say computers should not be left unattended in plain view and that organizations should establish policies to protect their systems from unauthorized access, the Department of the Interior doesn't require that any hardware that costs less than $5,000 -- that would cover most PCs -- be tracked in an asset management system, and the current tracking system doesn't have proper backing, according to the report.
That system, run by the National Business Center, only recently began, and the report says that it's "facing challenges" because the various Interior Department subagencies individually report laptop purchases to the NBC.
The report recommends that the department take a number of steps to improve asset management, including establishing a consistent chain of custody for computers, consistently wiping drives clean before disposing of PCs, reporting all losses or thefts to a centralized Computer Incident Response Center, and immediately encrypting all departmental PCs.
InformationWeek Analytics has published an independent analysis on what executives really think about security. Download the report here (registration required).