Portable storage devices need security controls

Written by Dan Blacharski on October 30, 2008

Underscoring the logic behind the recent state laws that require encryption, a Department of Homeland Security report concludes that DHS itself does not have adequate security for portable electronic devices. The report issues recommendations for best practices in encryption, which are not only relevant to DHS, but for any business or government agency that has portable devices that may contain personal information.

The report is based on an audit in which the Inspector General’s office identified several unauthorized data storage devices connected to internal servers and workstations. According to the audit, DHS has not fully complied with OMB requirements to control devices and protect against unauthorized access. Only five out of 11 agencies have implemented two-factor authentication, and none of them have controls to ensure that data extracts are erased within 90 days.

Portable storage devices represent a major emerging security threat to any business or agency. According to the DHS report, uncontrolled use of these devices, which may include flash drives, external hard drives, or even portable music players, “increases the risk of theft and mishandling of sensitive information when users insert their personal or unauthorized devices into their agencies’ computers’ Universal Serial Bus (USB) or FireWire ports.”
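One way a defender can act on the audit finding above, as an added example that is not part of the article or the DHS report: compare the USB mass-storage attachments a host logs against an inventory of issued devices. The log lines, the inventory and the host name are constructed for the example and follow the format of Linux kernel USB enumeration messages; a real deployment would feed in the host's actual syslog and the agency's device inventory.

```python
import re

# Added example (not from the article or the DHS report): flag USB mass-storage
# attachments whose identity is not on an inventory of issued devices, using
# kernel log lines of the kind a Linux host writes when a device is plugged in.

# Constructed inventory of issued drives, keyed by (idVendor, idProduct, serial).
# Keying on the serial number is what separates an issued drive from a personal
# one of the same make and model.
ALLOWLIST = {
    ("0781", "5567", "4C530001234567890123"),
}

# Constructed syslog lines: an issued drive (port 1-1), an unlisted storage
# device (port 1-2), and a non-storage device (port 1-3) that must not be flagged.
SAMPLE_LOG = """\
Oct 30 09:12:01 ws-042 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Oct 30 09:12:01 ws-042 kernel: usb 1-1: SerialNumber: 4C530001234567890123
Oct 30 09:12:01 ws-042 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Oct 30 11:45:13 ws-042 kernel: usb 1-2: New USB device found, idVendor=05ac, idProduct=1261, bcdDevice= 0.01
Oct 30 11:45:13 ws-042 kernel: usb 1-2: SerialNumber: 000A27001234ABCD
Oct 30 11:45:14 ws-042 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Oct 30 13:02:50 ws-042 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.01
Oct 30 13:02:50 ws-042 kernel: usb 1-3: Product: USB Receiver
"""

NEW_DEVICE = re.compile(
    r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")


def find_unauthorized_storage(log_text, allowlist):
    """Return one record per mass-storage attachment not found in allowlist."""
    devices = {}    # USB port -> identity gathered from the enumeration lines
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        timestamp, host = " ".join(fields[:3]), fields[3]
        m = NEW_DEVICE.search(line)
        if m:
            port, vendor, product = m.groups()
            devices[port] = {"when": timestamp, "host": host, "port": port,
                             "vendor": vendor, "product": product, "serial": None}
            continue
        m = SERIAL.search(line)
        if m:
            port, serial = m.groups()
            if port in devices:
                devices[port]["serial"] = serial
            continue
        m = STORAGE.search(line)
        if m:
            dev = devices.get(m.group(1))
            if dev is None:
                continue    # storage on a port we never saw enumerate: nothing to compare
            if (dev["vendor"], dev["product"], dev["serial"]) not in allowlist:
                findings.append(dict(dev))
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_storage(SAMPLE_LOG, ALLOWLIST):
        print(f"{f['when']} {f['host']}: unlisted storage device on port {f['port']} "
              f"({f['vendor']}:{f['product']}, serial {f['serial']})")
```

The match is deliberately on vendor, product and serial together: a device that reports no serial, or a personal drive of the same model as an issued one, fails the comparison and is reported, which is the behaviour an inventory check should have. The non-storage receiver on port 1-3 is enumerated but never triggers a `usb-storage` line, so it is ignored.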

The portability of these devices, and the fact that storage is now built into ordinary consumer devices such as the iPod, increase risk all around, and measures have to be taken to ensure that an employee can’t simply copy data onto a music player.

The report highlights a few very startling breaches. In New Mexico, USB flash drives containing classified government information from Los Alamos National Laboratory were found at a contract employee’s home; and stolen military flash drives containing military records were found being sold at a street market in Afghanistan.

The report recommends that all sensitive data stored on laptops and mobile devices be encrypted, that two-factor authentication be used for remote access, that a timeout feature for remote access be enabled, and that all data extracts of sensitive information be logged and erased within 90 days.
