The U.S. Department of Education s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2014 FINAL AUDIT REPORT

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "The U.S. Department of Education s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2014 FINAL AUDIT REPORT"

Transcription

1 The U.S. Department of Education s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2014 FINAL AUDIT REPORT This report has been reviewed for public dissemination by the Office of Counsel to the Inspector General. Information requiring protection from public dissemination has been redacted from this report in accordance with the Freedom of Information Act, 5 U.S.C ED-OIG/A11O0001 November 2014 Our mission is to promote the efficiency, effectiveness, and integrity of the Department's programs and operations. U.S Department of Education Office of Inspector General Information Technology Audit Division Washington, DC

2 NOTICE Statements that managerial practices need improvements, as well as other conclusions and recommendations in this report, represent the opinions of the Office of Inspector General. Determinations of corrective action to be taken will be made by the appropriate Department of Education officials. In accordance with the Freedom of Information Act (5 U.S.C. 552), reports issued by the Office of Inspector General are available to members of the press and general public to the extent information contained therein is not subject to exemptions in the Act.

3 Abbreviations/Acronyms Used in this Report Dell Dell Services Federal Government Department U.S. Department of Education DHS Department of Homeland Security EDUCATE Education Department Utility for Communications, Applications, and Technology Environment FISMA Federal Information Security Management Act of 2002 FSA Federal Student Aid FY Fiscal Year GFE Government-Furnished Equipment IT Information Technology NAC Network Access Control NIST National Institute of Standards and Technology OCIO Office of the Chief Information Officer OIG Office of Inspector General OMB Office of Management and Budget OVMS Operational Vulnerability Management Solution PII Personally Identifiable Information POA&M Plan of Action and Milestones SP Special Publication SSN Social Security Number USB Universal Serial Bus US-CERT United States Computer Emergency Readiness Team USDA United States Department of Agriculture VDC Virtual Data Center

4 UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL INFORMATION TECHNOLOGY AUDIT DIVISION November 12, 2014 Memorandum TO: James H. Shelton, III Deputy Secretary Office of the Deputy Secretary Ted Mitchell Under Secretary Office of the Under Secretary FROM: SUBJECT: Charles E. Coe, Jr. Assistant Inspector General Information Technology Audits and Computer Crime Investigations Office of Inspector General Final Audit Report Audit of the U.S. Department of Education's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 20 I 4 Control Number ED-OIG/A I Attached is the subject final audit report that covers the results of our review of the U.S. Department of Education s (Department) compliance with the Federal Information Security Management Act of 2002 for fiscal year An electronic copy has been provided to your Audit Liaison Officers. We received your comments on the findings and recommendations in our draft report. Corrective actions proposed (resolution phase) and implemented (closure phase) by your offices will be monitored and tracked through the Department's Audit Accountability and Resolution Tracking System. The Department's policy requires that you develop a final corrective action plan for our review in the automated system within 30 days of the issuance of this report. The corrective action plan should set forth the specific action items, and targeted completion dates, necessary to implement final corrective actions on the findings and recommendations contained in this final audit report. In accordance with the Inspector General Act of 1978, as amended, the Office of Inspector General is required to report to Congress twice a year on the audits that remain unresolved after six months from the date of issuance. In accordance with the Freedom of Information Act (5 U.S.C. 552), reports issued by the Office of Inspector General are available to members of the press and general public to the extent information contained therein is not subject to exemptions in the Act. The Depanmcni of Education's mission is to promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access.

5 Memorandum Page 2of2 We appreciate the cooperation given to us during this review. If you have any questions, please call Joseph Maranto at Enclosure Cc: Danny A. Harris, PhD, Chief Information Officer, Office of the Chief Information Officer Jerry E. Williams. Chief Information Officer. Federal Student Aid Steve Grewal, Director, Information Assurance Services, Office of the Chief Information Officer Linda Wilbanks, PhD, Director, Information Technology Risk Management Group, Federal Student Aid Michael Massi no, Policy and Planning Branch Chief, Office of the Chief Information Officer Dawn Dawson. Audit Liaison, Federal Student Aid Bucky Methfessel, Senior Counsel for Information & Technology. Office of the General Counsel Charles Laster, Post Audit Group, Office of the Chief Financial Omcer L 'Wanda Rosemond, AARTS Administrator, Office of Inspector General

6 TABLE OF CONTENTS EXECUTIVE SUMMARY...1 BACKGROUND...4 AUDIT RESULTS...6 Page FINDING NO. 1 Configuration Management...7 FINDING NO. 2 Identity and Access Management (Modified Repeat Finding)...8 FINDING NO. 3 Incident Response and Reporting (Modified Repeat Finding)...11 FINDING NO. 4 Risk Management (Modified Repeat Finding)...14 FINDING NO. 5 Remote Access Management (Modified Repeat Finding)...17 FINDING NO. 6 Contingency Planning (Modified Repeat Finding)...21 FINDING NO. 7 Implementation of Corrective Action Plans...23 OTHER MATTERS...26 OBJECTIVE, SCOPE, AND METHODOLOGY...28 Enclosure 1: CyberScope FISMA Reporting Metrics...31 Enclosure 2: Management Comments...52

7 ED-OIG/A11O0001 Page 1 of 58 EXECUTIVE SUMMARY This report constitutes the Office of Inspector General s (OIG) independent evaluation of the U.S. Department of Education s (Department) information technology security program and practices, as required by the Federal Information Security Management Act of 2002 (FISMA). OIG s review was based on questions and reporting metrics that the Department of Homeland Security (DHS) provided for the annual FISMA review. The objective of our audit was to determine whether the Department and Federal Student Aid s (FSA) overall information technology (IT) security program and practices were in compliance with the E-Government Act of 2002 (Public Law ), including Title III Information Security, and related information security standards identified within Office of Management and Budget guidelines. In addition, during the course of our review of the Department s actions to address previous recommendations, we became aware of issues involving the implementation of corrective action plans. Consequently, we assessed the implementation of corrective action plans by the Office of Chief Information Officer and Federal Student Aid. Based on the FY 2014 FISMA reporting metrics provided by DHS, we assessed the status of the Department s information security posture for fiscal year (FY) The reporting metrics included Continuous Monitoring, Configuration Management, Identity and Access Management, Incident Response and Reporting, Risk Management, Security Training, Plan of Actions and Milestones, Remote Access Management, Contingency Planning, Contractor Systems, and Security Capital Planning. In addition to the reporting metrics, we also assessed the Department s (1) information security policy and procedures, (2) enterprise-level information security controls, (3) management of information security weaknesses, and (4) system-level 1 security controls. Further, we evaluated the IT processes, policies, and procedures that the Department had already documented, implemented, and monitored. In addition, the OIG evaluated Department systems, contractor systems, annual self-assessments, policies, procedures, various OIG audit reports, and other Federal agency reports issued throughout the year. We also conducted vulnerability and penetration (both internal and external) testing of a major FSA system located in Columbus, Georgia. The results of the testing are summarized in the body of this report. We also observed the Department s annual disaster recovery exercise conducted in June 2014 at the Department s recovery site in Florence, Kentucky. Furthermore, in a collaborative effort with the United States Department of Agriculture OIG and other Federal OIGs, we volunteered to participate in the agency-wide Council of the Inspectors General on Integrity and Efficiency cloud computing initiative. The results of this review are summarized in the Other Matters section of this report. We determined that the Department s and FSA s IT security program generally complied with the E-Government Act of 2002 (Public Law ), including Title III Information Security, and related information security standards identified within Office of Management and Budget guidelines. We found that the Department was compliant with the Continuous Monitoring, 1 For purposes of this audit, enterprise-level security controls are controls that are expected to be implemented.

8 ED-OIG/A11O0001 Page 2 of 58 Security Training, POA&M, Contractor Systems, and Security Capital Planning reporting metrics. Specifically, the Department has established compliant programs for enterprise-wide continuous monitoring, security awareness training, tracking and monitoring known information security weaknesses, overseeing systems operated on its behalf by contractors or other entities, and security capital planning and investments, that are consistent with FISMA requirements, Office of Management and Budget policy, and applicable National Institute of Standards and Technology guidelines. While the Department made progress in strengthening its information security program, many longstanding weaknesses remain and the Department s information systems continue to be vulnerable to serious security threats. We identified findings in 6 of the 11 reporting metrics. The findings were comprised of repeat or modified repeat findings from OIG reports issued from FYs 2011 through In addition, we have a new finding regarding the implementation of corrective actions to address some of our previous recommendations. Further, we answered the questions in the U.S. Department of Homeland Security s metrics template based on our audit work, which will become the CyberScope FISMA Report as shown in Enclosure 1. We also found that: (1) the Department has not remediated outstanding issues from previous OIG audit reports and our work showed that 5 of the 11 reporting metrics contained repeat or modified repeat findings from reports issued from FY 2011 through 2013; and (2) in some instances, although the Department said it has completed a recommendation, we continue to find that the corrective actions were not implemented and we had to issue modified repeat recommendations because the exact or similar conditions continue to exist. In the areas where we have repeat or modified repeat findings, where the Department continues to implement corrective actions, we are not making additional recommendations. However, we are making 13 new recommendations in areas where we have new findings. Additionally, we are making 7 modified repeat recommendations to address repeat findings in areas where the Department has completed previous corrective actions, but where we have repeat or modified repeat findings. Implementing these new and modified recommendations will assist the Department in establishing and sustaining an effective information security program one that complies with requirements of FISMA, Office of Management and Budget, and National Institute of Standards and Technology requirements. The Department s systems contain or protect large amounts of confidential information (personal records, financial information, and other personally identifiable information (PII)) and perform vital organizational functions. Unauthorized individuals might target the systems by exploitation, but trusted individuals inside the Department and Department contractors could also target the systems. Without adequate management, operational, and technical security controls, the Department s systems and information are vulnerable to attacks. Such attacks could lead to a loss of confidentiality resulting from unauthorized access to data. Also, there is increased risk that unauthorized activities or excessive use of system resources could reduce the reliability and integrity of Department systems and its data and increased risk that sensitive data may be released, used, or modified. 2 Repeat findings are current report findings with the same or similar conditions to those contained in prior OIG reports. A modified repeat finding is identified when a similar finding condition exists; however, the factors that constitute the condition are different.

9 ED-OIG/A11O0001 Page 3 of 58 The Department concurred with 16 of the 20 recommendations and partially concurred with the remaining 4 recommendations (3.1, 3.2, 4.1, and 4.2). We summarized and responded to specific comments in the Audit Results section of this report. We considered the Department s comments but did not revise our findings or recommendations.

10 ED-OIG/A11O0001 Page 4 of 58 BACKGROUND The E-Government Act of 2002 (Public Law ), signed into law in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act of 2002, the Federal Information Security Management Act of 2002 (FISMA), permanently reauthorized the framework established by the Government Information Security Reform Act of 2000, which expired in November FISMA continued the annual review and reporting requirements introduced in the Government Information Security Reform Act of 2000, but it also included new provisions that further strengthened the Federal Government s data and information systems security, such as requiring the development of minimum control standards for agencies systems. FISMA also charged the National Institute of Standards and Technology (NIST) with the responsibility for developing information security standards and guidelines for Federal agencies, including minimum requirements for providing adequate information security for all operations and assets. The E-Government Act also assigned specific responsibilities to the Office of Management and Budget (OMB), agency heads, Chief Information Officers and Inspectors General. OMB is responsible for establishing and overseeing policies, standards, and guidelines for information security, and has the authority to approve agencies information security programs. OMB is also responsible for submitting the annual FISMA report to Congress, developing and approving the cybersecurity portions of the President s Budget, and for the budgetary and fiscal oversight of the agencies use of funds. Each agency must establish a risk-based information security program that ensures information security is practiced throughout the lifecycle of each agency s system. Specifically, the agency s Chief Information Officer is required to oversee the program, which must include the following: periodic risk assessments that consider internal and external threats to the integrity, confidentiality, and availability of systems, and to data supporting critical operations and assets; development and implementation of risk-based, cost-effective policies and procedures to provide security protections for the agency s information; training that covers security responsibilities for information security personnel and security awareness for agency personnel; periodic management testing and evaluation of the effectiveness of security policies, procedures, controls, and techniques; processes for identifying and remediating significant security deficiencies; procedures for detecting, reporting, and responding to security incidents; and annual program reviews by agency officials. In addition to the responsibilities listed above, FISMA requires each agency to have an annual independent evaluation of its information security program and practices, including control testing and a compliance assessment. These evaluations are to be performed by the agency s Inspector General or an independent evaluator, and the results of these evaluations are to be reported to OMB. For fiscal year (FY) 2014 reporting, each Inspector General was required by

11 ED-OIG/A11O0001 Page 5 of 58 the Department of Homeland Security to evaluate its respective agency on the following 11 reporting metrics: Continuous Monitoring Management; Configuration Management; Identity and Access Management; Incident Response and Reporting; Risk Management; Security Training; Plan of Action and Milestones (POA&M); Remote Access Management; Contingency Planning; Contractor Systems; and Security Capital Planning. Beginning in FY 2009, OMB required Federal agencies to submit FISMA reporting through the OMB Web portal, CyberScope. As of July 2014, the Department had spent a total of $683 million on information technology (IT) investments for FY The Department budgeted $32.3 million for FY 2014 on IT security and FISMA compliance costs, which equates to 4.7 percent of total IT spending. In September 2007, the Department entered into a contract with Dell Services Federal Government 3 (Dell) to provide and manage all IT infrastructure services to the Department under the Education Department Utility for Communications, Applications, and Technology Environment (EDUCATE) system. The contract established a contractor-owned and contractoroperated IT service model for the Department under which Dell provides the total IT platform and infrastructure to support Department employees in meeting the Department s mission. The contract was awarded as a 10-year, performance-based, indefinite-delivery, indefinite-quantity contract with fixed unit prices. Under this type of contract, Dell owns all of the IT hardware and operating systems to include wide-area and local-area network devices, network servers, routers, switches, external firewalls, voice mail, and the Department s laptops and workstations. Dell also provides help desk services and all personal computer services. Primarily through the Office of the Chief Information Officer (OCIO), the Department monitors and evaluates the contractor-provided IT services through a service level agreement framework. The OCIO advises and assists the Secretary and other senior officials to ensure that the Department acquires and manages IT resources in a manner that is consistent with the requirements of the Clinger-Cohen Act of 1996 and FISMA. The OCIO implements the operative principles established by legislation and regulation, establishes a management framework to improve the planning and control of IT investments, and leads change to improve the efficiency and effectiveness of the Department s operations. In addition, the Department, through Federal Student Aid (FSA), administers programs that are designed to provide financial assistance to students enrolled in postsecondary education institutions, as well as to collect outstanding student loans. FSA has consolidated many of its student financial aid program systems into a general support system called the Virtual Data Center (VDC) to improve interoperability and reduce costs. The VDC serves as the host facility for FSA systems that process student financial aid applications, provide schools and lenders with eligibility determinations, and support payments from and repayment to lenders. It consists of networks, mainframe computers, operating system platforms, and the corresponding operating systems. The VDC is also managed by Dell and is located at the contractor s facility in Plano, Texas. 3 Formerly Perot Systems, which was acquired by Dell in September 2009.

12 ED-OIG/A11O0001 Page 6 of 58 AUDIT RESULTS Based on the requirements specified in FISMA and the annual reporting instructions, our audit focused on 11 reporting metric areas of the Department s information security program Continuous Monitoring, Configuration Management, Identity and Access Management, Incident Response and Reporting, Risk Management, Security Training, POA&M, Remote Access Management, Contingency Planning, Contractor Systems, and Security Capital Planning. We determined that the Department s and FSA s IT security program generally complied with the E-Government Act of 2002 (Public Law ), including Title III Information Security, and related information security standards identified within Office of Management and Budget guidelines. However, we found that, while the Department has made progress in strengthening its information security program, many longstanding weaknesses remain and the Department s information systems continue to be vulnerable to serious security threats. Specifically, we determined that the Department was compliant with the Continuous Monitoring, Security Training, POA&M, Contractor Systems, and Security Capital Planning reporting metrics. 4 However, we identified findings in 6 of the 11 FY 2014 FISMA reporting metrics. In addition, we identified a finding regarding the implementation of corrective actions to address some of our previous recommendations. Five of the six metric areas where we had findings contained repeat or modified repeat findings from the following OIG reports issued from FYs 2011 through 2013: Education Department Utility for Communications, Applications, and Technology Environment (EDUCATE), September 2011 (ED-OIG/A11L0001); The U.S. Department of Education s Compliance with the Federal Information Security Management Act for Fiscal Year 2011, October 2011 (ED-OIG/A11L0003); Education Central Automated Processing System (EDCAPS) Information Security Audit, September 2012 (ED-OIG/A11M0002); The U.S. Department of Education s Compliance with the Federal Information Security Management Act for Fiscal Year 2012, November 2012 (ED-OIG/A11M0003); The U.S. Department of Education s Compliance with the Federal Information Security Management Act for Fiscal Year 2013, November 2013 (ED-OIG/A11N0001). In its response to the draft report, the Department concurred or partially concurred with our findings and recommendations. The comments are summarized at the end of each finding. The full text of the Department s comments on the draft report is included as Enclosure 2 to this report. 4 Because the Department has consistently complied in recent years with POA&M, Contractor Systems, and Security Capital Planning requirements, we did not perform additional fieldwork for these security areas. Instead, we relied on work conducted during the FY 2013 FISMA audit.

13 ED-OIG/A11O0001 Page 7 of 58 FINDING NO. 1 Configuration Management The Department did not fully comply with this reporting metric. Issue 1a. Configuration Management Policies, Procedures, and Plans Did Not Comply with NIST and Departmental Guidance Although the Department established configuration management policies and procedures, it did not comply with current NIST and Departmental guidance. NIST Special Publication (SP) , Revision 3, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, CM-1 Configuration Management Policy and Procedures, requires agencies to develop, disseminate, and review and update formal, documented configuration management policies and procedures as frequently as the organization determines such revisions are needed. OCIO defines this frequency as annually. Contrary to requirements, the Department s OCIO-11, Handbook for Information Technology Security Configuration Management Planning Procedures, had not been updated since 2005, and the Information Technology Security Baseline Configuration Guidance had not been updated since Lack of current policies and procedures could result in a lack of sufficient information to determine the risk, threat frequency, and the ability to safeguard the Department's information. Furthermore, the Department s configuration management plans were neither updated nor approved as required. 5 The Department s OCIO-11, Handbook for Information Technology Security Configuration Management Planning Procedures, requires configuration management plans to be reviewed and updated as needed at least annually throughout the entire [system development life cycle]. In addition, OCIO-11 states that each system must have a configuration management plan that incorporates current configuration management standards. We found that 8 of the 16 (50 percent) sampled systems configuration management plans were not updated in accordance with established Departmental timelines, with 1 dating back to 2009, 5 dating back to 2010, and 2 dating back to We also found that the configuration management plans were neither approved nor finalized as directed by Departmental guidance. Without complete and up-to-date system configuration management plans, the Department may not be able to track configuration changes to systems. FY 2014 Vulnerability and Penetration Testing Results As part of our FY 2014 FISMA audit work, we conducted penetration and vulnerability testing of a major FSA system. While the testing team discovered that some systems were missing patches that resulted in high severity findings, we found that the number of findings identified was low. 6 Compared with organizations of similar size, the testing team determined that the 5 NIST SP , Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, CM-2 Baseline Configuration and OCIO-11, Handbook for IT Security Configuration Management Planning Procedures. 6 High severity refers to a rating determined from the Common Vulnerability Scoring System. This system, under the custodianship of NIST, is a free and open industry standard used for assessing the severity of computer system vulnerabilities by establishing a measure of how much concern a vulnerability warrants, compared to other vulnerabilities, so efforts can be prioritized.

14 ED-OIG/A11O0001 Page 8 of 58 contractor was performing a satisfactory job in ensuring that the patches and security configurations of the servers were met. Recommendation We recommend that the Deputy Secretary require OCIO to: 1.1 Update current configuration management policies, procedures, and plans in accordance with NIST and Departmental guidelines. Management Comments The Department concurred with the recommendation. OIG Response The Department s planned corrective actions, if properly implemented, are responsive to the finding and recommendation. FINDING NO. 2 Identity and Access Management (Modified Repeat Finding) The Department did not fully comply with this reporting metric. Issue 2a. Identity Access and Management Process Needs Improvement (Modified Repeat Finding) OCIO has still not fully established and implemented processes for identity and access management. Specifically, we found that the OCIO had not fully established policies and procedures to identify all devices that were attached to the network, distinguish those devices from users, and authenticate devices that were connected to the network. NIST SP , Revision 3, IA-2, Identification and Authentication (Organizational Users), and IA-3, Device Identification and Authentication, require that information systems uniquely identify and authenticate users and specific devices before establishing a connection. Although OCIO has taken several actions, it is still in the process of finalizing its implementation of an enterprise-wide Network Access Control (NAC) solution and implementing procedures for identity and access management in response to the OIG s recommendation from the FY 2011 FISMA report. 7 Without the ability to account for and authenticate all devices connected to the network, the Department cannot effectively monitor, track, and authenticate all devices and users of the devices. Also, without proper logical access control in place, the Department cannot ensure that the identification and authentication controls are operating as intended and are preventing 7 A NAC solution is a method of bolstering the security of a network by restricting the availability of network resources to endpoint devices that comply with a defined security policy.

15 ED-OIG/A11O0001 Page 9 of 58 unauthorized transactions or functions. Further, there is increased risk that unauthorized activities or excessive use of system resources could reduce the reliability and integrity of Department systems and its data, as well as the potential that sensitive data may be released, used, or modified. We also identified this condition in our FY 2011, 2012 and 2013 FISMA audits. Issue 2b. Password Authentication Process Needs Improvement (Modified Repeat Finding) The Department did not consistently follow and enforce the required Federal and Departmental guidelines requiring users to update their network passwords. OCIO-01, Handbook for Information Assurance Security Policy, October 2011, states that passwords must be (1) obscured during login and during transmission, (2) changed after the initial login, and (3) forced by the system to be changed every 90 days. To validate whether the Department was following and enforcing the 90-day password change requirement for all users, including both Federal employees and contractors, we requested a listing of all users and the date of all users last password change as of July 21, We found that of the 6,597 users, 1,840 (28 percent) did not change their passwords for more than 90 days. We also found that the Department did not enforce the password change requirement by locking out users who did not change their passwords. NIST SP , Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, IA-5 Authenticator Management, requires agencies to manage information system authenticators for users and devices by establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators. Password expiration policies exist to mitigate the issues that would occur if an attacker were to acquire the password hashes of a system and took action to exploit them. If an attacker were to acquire a user s shadow password file, they could then start brute forcing the passwords without further accessing the system. 8 Password policies help to decrease the potential for unauthorized users to obtain and use an account password. Issue 2c. Users Logical Access Controls Not Fully Implemented FSA did not fully establish effective access controls for a major FSA system to ensure users of an application were not able to manipulate their user settings. Specifically, during penetration testing of this FSA system, the OIG s testing team was able to perform unauthorized actions by elevating the privileges of a basic user account. For example, the team modified the hypertext transfer protocol request and then gained access to portions of the system which we were not authorized to access. 9 8 A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number. 9 Hypertext transfer protocol is the underlying protocol (set of rules) used by the World Wide Web. It defines what actions Web servers and browsers should take in response to various commands. When you enter a uniform resource locator into a browser, this actually sends a hypertext transfer protocol command to the Web server directing it to fetch and transmit the requested Web page.

16 ED-OIG/A11O0001 Page 10 of 58 NIST SP , Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, AC-3 Access Enforcement, requires agencies to enforce approved authorizations for logical access to the system in accordance with applicable policy. Without effective access controls in place, FSA runs the risk of allowing users to manipulate their access privileges and perform unauthorized actions that could compromise the confidentiality, integrity, and availability of the network and data. Recommendations We recommend that the Deputy Secretary require OCIO to: 2.1 Update and implement policies and procedures, including a NAC solution, consistent with NIST and FISMA guidelines to (1) identify all devices that are attached to the network; (2) distinguish the devices from users; and (3) authenticate devices that are connected to the network. (Modified Repeat Recommendation) 2.2 Develop and implement a detailed action plan on how OCIO-01, Handbook for Information Assurance Security Policy will be enforced to require that passwords are changed every 90 days. (Modified Repeat Recommendation) We recommend that the Under Secretary require FSA to: 2.3 Restrict access rights so users of the major FSA system tested are allowed to access only authorized areas based on their pre-established roles. We initially made the recommendation concerning the identity and access management process in FY In its corrective action plan for FY 2011, OCIO contracted for an engineering study that concluded that the implementation of a NAC solution on the network would allow the Department to (1) identify all devices that are attached to the network; (2) distinguish the devices from users; and, (3) authenticate devices that are connected to the network consistent with FISMA, OMB, and NIST guidance. While the Department completed its corrective actions in FY 2013, we noted that OCIO has consistently extended the implementation of the NAC solution and is still in the process of finalizing its implementation. Since we found the same conditions existed this year, we are making a modified repeat recommendation that emphasizes the need to implement a NAC solution. We initially made the recommendation concerning password authentication in FY In its corrective action plan for our FY 2013 recommendation concerning passwords, OCIO stated it set the Maximum Password Age configuration on the network to 90 days. The Department stated that it had completed its corrections in FY However, during our fieldwork we found that more than a quarter of Departmental users did not change their passwords for more than 90 days. Consequently, we are making a modified repeat recommendation to develop a detailed action plan on how OCIO will address this issue.

17 ED-OIG/A11O0001 Page 11 of 58 Management Comments The Department concurred with the recommendations. OIG Response The Department s planned corrective actions, if properly implemented, are responsive to the finding and recommendations. FINDING NO. 3 Incident Response and Reporting (Modified Repeat Finding) The Department did not fully comply with this reporting metric. Issue 3a. Incident Response and Reporting to the United States Computer Emergency Readiness Team Needs Improvement (Modified Repeat Finding) OCIO did not report security incidents to the United States Computer Emergency Readiness Team (US-CERT) consistent with NIST SP , Revision 2, Computer Security Incident Handling Guide and the US-CERT Federal Incident Reporting Guidelines. OCIO officials stated the Department relies on the US-CERT standards category listings and timelines for incident response reporting. As outlined in the US-CERT Federal Incident Reporting Guidelines, all computer incidents should be reported as follows: Category 1 unauthorized access should be reported within 1 hour; Category 2 denial of service should be reported within 2 hours if the successful attack is ongoing and the agency is unable to mitigate; Category 3 malicious code should be reported daily, or within 1 hour if it is widespread across the agency; Category 4, improper usage (violation of security policy), should be reported weekly; and Category 5 scans, probes, or attempted access should be reported monthly. To determine whether OCIO complied with reporting security incidents to US-CERT, we judgmentally sampled 45 incident tickets from the Operational Vulnerability Management Solution (OVMS). 10 We found that 4 (9 percent) of the 45 sampled incidents were not reported to US-CERT as required. Specifically, we found that: For the four Category 1 and 2 incidents we reviewed, we found no reporting problems; One of the eleven Category 3 incidents from the OVMS was never reported to US-CERT after discovery/detection; Two of the twenty-six Category 4 incidents from the OVMS were never reported to US- CERT after discovery/detection; and One of the four Category 5 incidents from the OVMS was never reported to US-CERT after discovery/detection. In accordance with NIST SP , Revision 2, all Federal agencies must ensure that their incident response procedures adhere to US-CERT s reporting requirements and that the 10 The Department uses OVMS for the purpose of managing, coordinating and tracking the remediation of security weaknesses and vulnerabilities identified on behalf of its applications, information systems, and networks.

18 ED-OIG/A11O0001 Page 12 of 58 procedures are followed properly. Not reporting incidents to US-CERT as required could impede US-CERT s ability to properly analyze the information to identify trends and precursors of attacks. It is critical to notify US-CERT so it can effectively assist in coordinating communications with the other agencies in handling incident response and reporting. We also identified this condition in our FY 2011 and 2013 FISMA audits. Issue 3b. Incident Response and Reporting to Law Enforcement Needs Improvement (Modified Repeat Finding) The Department did not report security incidents to law enforcement in accordance with organizational procedures. To determine whether the Department correctly and timely reported incidents to law enforcement, we judgmentally sampled 45 incident tickets from OVMS. Based on our sample of the 45 incident tickets, a total of 17 incidents met the requirements to be reported to law enforcement. Of those 17 incidents, 16 (94 percent) were either not reported in a timely manner or not reported at all. According to NIST SP , Revision 2, law enforcement should be contacted through designated individuals in a manner consistent with the requirements of the law and the organization s procedures. In addition, OCIO-14 Handbook for Information Security Incident Response and Reporting Procedures, states that incidents that may constitute a computer crime (violations of applicable Federal or State laws) must be reported to the OIG Technology Crimes Division. These incidents may include, but are not limited to, the following: compromise of system privileges (root access), compromise of information protected by law, events that include exposure or release of Personally Identifiable Information, unauthorized access of the Department s IT systems and/or electronic data, exceeding authorized access of the Department s IT systems and/or electronic data, denial of service of major IT resources, child pornography, and malicious destruction or modification of the Department s data or information (Website defacement). The failure to provide law enforcement timely incident reports may directly impede criminal investigative activities and jeopardize the success of detection. If incidents are not reported as soon as possible, information that is vital to the securing of evidence may be lost, and law enforcement agencies may lose the ability to make important connections to ongoing cases and decisions about initiating new cases. We also identified this condition in our FY 2013 FISMA audit. Recommendations We recommend that the Deputy Secretary require OCIO to: 3.1 Develop and implement a detailed action plan of how existing policies and procedures will be fully implemented to ensure security incidents are reported to US-CERT within the required timeframes. (Modified Repeat Recommendation)

19 ED-OIG/A11O0001 Page 13 of Develop and implement a detailed action plan of how existing policies and procedures will be fully implemented to ensure applicable security incidents are correctly and timely reported to law enforcement. (Modified Repeat Recommendation) A recommendation similar to 3.1 was made in FY 2013 and corrective action was completed in FY In its corrective action plan, OCIO stated that it developed a new policy called the Cyber Security Operations Standard Operating Procedure OIG Incident Coordination, dated January 14, 2014, to reflect reporting criteria and provide a user communication plan to ensure that third party customers are aware of and respond to US-CERT reportable incidents in a timely manner. The Department stated that it had completed this corrective action in FY 2014, but during our fieldwork we continued to find that incidents were still not reported to US-CERT as required. Consequently, we are making a modified repeat recommendation to develop a detailed action plan on how OCIO will address this issue. A recommendation similar to 3.2 was made in FY 2013 and corrective action was completed in FY In its corrective action plan, OCIO again stated that it developed the Cyber Security Operations Standard Operating Procedure OIG Incident Coordination, dated January 14, 2014, to reflect reporting criteria to include the required documentation for the notifications. The Department stated that it had completed this corrective action in FY 2014, but during our fieldwork we continued to find that incidents were still not reported to OIG as required. Consequently, we are making a modified repeat recommendation to develop a detailed action plan on how OCIO will address this issue. Management Comments The Department partially concurred with the recommendations. For Recommendation 3.1, the Department stated that currently OVMS does not allow the downgrading of events after an entry is initially created and that if an event is created as a category (CAT #), it retains that CAT # designation in the system until resolved. As a result, several of the identified events were deemed not reportable, downgraded before reporting, or downgraded by US-CERT. OCIO, in conjunction with FSA, has conducted market research and is acquiring a new tool specifically focused on incident handling that will address this limitation. The new solution is currently scheduled to be in production by June 30, In addition, the Cybersecurity Operations US- CERT reporting guide will be modified to add a daily audit by the Education Security Operations Center Management Team and a weekly audit by a government team member to ensure appropriate and timely reporting. The target completion date is December 30, For Recommendation 3.2, the Department stated that the previous year s corrective action plan was implemented in January 2014, with a revision in March 2014, and the majority of the cited events occurred before the corrective action plan was completed. In addition, OCIO will meet with OIG s Technology Crimes Division to validate the incidents that require notification. Any changes to OCIO-level existing processes will be updated by December 30, For documents that require Department-wide review and coordination, the process will be started by January 30, 2015.

20 ED-OIG/A11O0001 Page 14 of 58 OIG Response For Recommendation 3.1, the Department did not provide any further evidence to support that some of the incidents cited were later deemed not reportable and downgraded before reporting or downgraded by US-CERT. In addition, we were not informed of this limitation in OVMS during our testing of these incidents. Further, if OVMS prevented changes to the initial designation assigned to an incident, we would have expected to see documentation explaining this limitation. For Recommendation 3.2, although the Department stated that a majority of the cited incidents occurred before the corrective action plan was completed (January 2014), we still found that 5 incidents occurring after January 2014 were either not reported in a timely manner or not reported at all. A complete validation of this corrective action will be conducted during our FY 2015 FISMA work. However, the Department s planned corrective actions, if properly implemented, are responsive to the finding and recommendations. FINDING NO. 4 Risk Management (Modified Repeat Finding) The Department did not fully comply with this reporting metric. Issue 4a. Risk Management Program Is Not Fully Implemented (Repeat Finding) The Department has still not fully implemented NIST SP , Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, February Since 2010, the OCIO has been in the process of updating and implementing the risk management policies and procedures for continuous security authorization to be in accordance with NIST , Revision 1. During the past four years, OCIO has extended the completion date several times from its original October 2012 planned completion date. As a result, personnel do not have Departmental guidance that is consistent with NIST guidance on the risk management framework, and the Department may be authorizing systems to operate on the network that are not in accordance with the most current NIST guidelines. We also identified this condition in our FY 2011, 2012 and 2013 FISMA audits. Issue 4b. System Authorization Process Needs Improvement (Modified Repeat Finding) The Department s system authorization process needs improvement. Our review identified many deficiencies in system security plans, authorization to operate documents, security assessment reports, and expired system authorizations (formerly called certification and accreditation). As of March 2014, the Department reported a total of 242 systems in its inventory. Of the 242 systems, we found that 72 systems (30 percent) have been operating on the Department s network on expired system authorization documentation to include security authorizations, selfassessments dates, and contingency plans that were not timely tested. Specifically, from the reported 242 systems we identified:

21 ED-OIG/A11O0001 Page 15 of (24 percent) were operating on expired security authorizations, 41 (17 percent) were operating on expired self-assessment dates, and 49 (20 percent) were operating on expired contingency plans that were not timely tested. Further, for a more in-depth review of the system authorization process for the Department s risk management program, we judgmentally selected 16 of the 242 systems. Of the 16 systems we reviewed, we found that: two systems did not have a consistent Federal Information Processing Standards Publication 199 system categorization level for its system security plan; 11 five systems did not contain proper support for the system interconnections; and two systems had authority to operate letters that were over three years old. NIST SP , Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, requires security authorization packages to contain the security plan, the security assessment report, and a POA&M. Authorizing officials use the information in these key documents to make risk-based authorization decisions. Providing orderly, disciplined, and timely updates to the security plan, security assessment report, and POA&M supports the concept of near real-time risk management and ongoing authorization. Although NIST SP , Revision 1, emphasizes the importance of maintaining up-to-date security authorization packages for systems authorization to operate, the Department did not have adequate controls in place to ensure the effective and consistent certifying and accrediting of systems within the required 3-year timeframe, which allowed security authorizations to expire. As a result, Department operations and assets can be exposed to significant security risks until such security weaknesses are corrected or mitigated. We also identified this condition in our FY 2011, 2012 and 2013 FISMA audits. Recommendations We recommend that the Deputy Secretary require OCIO to: 4.1 Develop and implement a detailed action plan to ensure that all system authorization documentation is readily available and complies with Federal and Department standards and guidance, and take immediate action to resolve the deficiencies identified (a list of systems and applicable documentation was provided to OCIO). (Modified Repeat Recommendation) 4.2 Develop and implement controls to ensure timely re-authorizations for systems, avoiding gaps in authority to operate coverage. (Modified Repeat Recommendation) 11 Federal Information Processing Standards Publication 199 system categorization levels are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals.

22 ED-OIG/A11O0001 Page 16 of 58 A recommendation similar to 4.1 was made in FY 2011 and corrective action was completed in FY In the completion of its corrective action plan for this finding, OCIO stated that OCIO-05 Handbook for Information Technology Security Certification and Accreditation Procedures, dated March 6, 2006, would be revised to require that all system authorization documentation be uploaded to OVMS to ensure it is readily available. However, to date, OCIO- 05 has not been revised. Since we found the same conditions existed this year, we are issuing modified repeat recommendation that focuses on the need to develop and implement a detailed action plan. A recommendation similar to 4.2 was made in FY 2011 and corrective action was completed in FY In its corrective action plan, the Department stated that it would implement procedures to ensure OVMS automated tracking was being utilized to track Department systems reaccreditation and recertification and that this procedure will be finalized by October 30, However, we continued to find that the Department is not timely completing the reauthorizations. Therefore, we are making a modified repeat recommendation that focuses on the need to develop and implement a detailed action plan. In addition, for Issue 4a, we are not making an additional recommendation. We initially made the recommendation concerning this condition in FY Although OCIO is working on implementing a risk management program, corrective actions are still not completed because the implementation process is taking longer than originally planned. Management Comments The Department partially concurred with the recommendations. For Recommendation 4.1, the Department stated it has made significant efforts towards improving system security documentation and ensuring that it is readily available and complies with Federal and Department standards and guidance. OCIO has worked extensively with program offices, authorizing officials, system owners, and information system security officers through monthly meetings, targeted workshops, and one-on-one sessions in order to communicate requirements, provide templates and resources, and provide any guidance necessary. Through OCIO s concerted efforts and collaboration with program offices to properly dispose of systems, accurately characterize and document systems, and increase understanding of overall information system security requirements, the Department has experienced improvements. For the list of systems cited in the report, OCIO will ensure all documentation gaps are addressed by March 31, For Recommendation 4.2, the Department stated it has made significant efforts towards improving the system authorization process, and since the OIG s fieldwork was completed, the Department s system inventory has been reduced to 164 FISMA reportable systems. Of the 164 systems, 31 (19 percent) are currently operating with invalid authorities to operate, but 16 of the systems have been through the assessment process and are currently pending final authority to operate signatures. OCIO is progressing with its implementation of an enterprise-wide risk management framework in accordance with NIST , and will publish guidance to address the initial and ongoing authorization of systems by June 30, 2015.

The U.S. Department of Education s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 FINAL AUDIT REPORT

The U.S. Department of Education s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 FINAL AUDIT REPORT The U.S. Department of Education s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 FINAL AUDIT REPORT ED-OIG/A11N0001 November 2013 Our mission is to promote

More information

The U.S. Department of Education s Federal Information Security Modernization Act of 2014 Report For Fiscal Year 2015 FINAL AUDIT REPORT

The U.S. Department of Education s Federal Information Security Modernization Act of 2014 Report For Fiscal Year 2015 FINAL AUDIT REPORT The U.S. Department of Education s Federal Information Security Modernization Act of 2014 Report For Fiscal Year 2015 FINAL AUDIT REPORT ED-OIG/A11P0001 November 13, 2015 Our mission is to promote the

More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)

More information

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education Before the U.S. House Oversight and Government Reform Committee Hearing on Agency Compliance with the Federal Information

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL. September 22, 20 14

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL. September 22, 20 14 UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL INFORMATION TECHNOLOGY AUDIT DIVISION September 22, 20 14 FINAL MANAGEMENT INFORMATION REPORT To: From: Subject: James W. Runcie ChiefOperating

More information

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12 Evaluation Report Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review April 30, 2014 Report Number 14-12 U.S. Small Business Administration Office of Inspector General

More information

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 Audit Report The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 A-14-13-13086 November 2013 MEMORANDUM Date: November 26,

More information

POSTAL REGULATORY COMMISSION

POSTAL REGULATORY COMMISSION POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1

More information

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL FY 2015 INDEPENDENT EVALUATION OF THE EFFECTIVENESS OF NCUA S INFORMATION SECURITY PROGRAM UNDER THE FEDERAL INFORMATION SECURITY MODERNIZATION

More information

Audit of the Department of State Information Security Program

Audit of the Department of State Information Security Program UNITED STATES DEPARTMENT OF STATE AND THE BROADCASTING BOARD OF GOVERNORS OFFICE OF INSPECTOR GENERAL AUD-IT-15-17 Office of Audits October 2014 Audit of the Department of State Information Security Program

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

Final Audit Report. Report No. 4A-CI-OO-12-014

Final Audit Report. Report No. 4A-CI-OO-12-014 U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Subject: AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S

More information

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Information Technology Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program Report.

More information

UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A)

UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A) UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC FSIS DIRECTIVE 1306.2 9/28/11 INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A) I. PURPOSE This directive

More information

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR

More information

REVIEW OF NASA S MANAGEMENT AND OVERSIGHT

REVIEW OF NASA S MANAGEMENT AND OVERSIGHT SEPTEMBER 16, 2010 AUDIT REPORT OFFICE OF AUDITS REVIEW OF NASA S MANAGEMENT AND OVERSIGHT OF ITS INFORMATION TECHNOLOGY SECURITY PROGRAM OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration

More information

Office of Inspector General

Office of Inspector General Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit

More information

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including

More information

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL September 5, 2012 Information Technology Audit Division Memorandum FROM: SUBJECT: Charles E. Coe, Jr. Assistant Inspector General Information

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Los Alamos National Laboratory's Cyber Security Program DOE/IG-0880 February 2013 Department

More information

United States Department of Agriculture. Office of Inspector General

United States Department of Agriculture. Office of Inspector General United States Department of Agriculture Office of Inspector General U.S. Department of Agriculture, Office of the Chief Information Officer, Fiscal Year 2013 Federal Information Security Management Act

More information

AUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System

AUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT Cybersecurity Controls Over a Major National Nuclear Security Administration Information System DOE/IG-0938

More information

SMITHSONIAN INSTITUTION

SMITHSONIAN INSTITUTION SMITHSONIAN INSTITUTION FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2012 INDEPENDENT EVALUATION REPORT TABLE OF CONTENTS PURPOSE 1 BACKGROUND 1 OBJECTIVES, SCOPE, AND METHODOLOGY 2 SUMMARY OF RESULTS

More information

U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009

U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009 U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009 ISD-EV-MOA-0002-2009 Contents Acronyms and Other Reference

More information

NASA OFFICE OF INSPECTOR GENERAL

NASA OFFICE OF INSPECTOR GENERAL NASA OFFICE OF INSPECTOR GENERAL OFFICE OF AUDITS SUITE 8U71, 300 E ST SW WASHINGTON, D.C. 20546-0001 April 14, 2016 TO: SUBJECT: Renee P. Wynn Chief Information Officer Final Memorandum, Review of NASA

More information

U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS. Final Audit Report

U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS. Final Audit Report U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management

More information

REPORT OF THE INDEPENDENT AUDITORS

REPORT OF THE INDEPENDENT AUDITORS REPORT OF THE INDEPENDENT AUDITORS Education Central Automated Processing System (EDCAPS) Information Security Audit Prepared by: Williams, Adley & Company-DC, LLP 1030 15th Street, NW Washington, DC 20005

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report The Department's Configuration Management of Non-Financial Systems OAS-M-12-02 February 2012 Department

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2013 May 29, 2014 13-01391-72 ACRONYMS AND

More information

Final Audit Report -- CAUTION --

Final Audit Report -- CAUTION -- U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management

More information

2014 Audit of the Board s Information Security Program

2014 Audit of the Board s Information Security Program O FFICE OF I NSPECTOR GENERAL Audit Report 2014-IT-B-019 2014 Audit of the Board s Information Security Program November 14, 2014 B OARD OF G OVERNORS OF THE F EDERAL R ESERVE S YSTEM C ONSUMER FINANCIAL

More information

EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503

EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503 EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503 THE DIRECTOR August 6, 2003 M-03-19 MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES FROM: SUBJECT: Joshua

More information

Department of Homeland Security

Department of Homeland Security Evaluation of DHS Information Security Program for Fiscal Year 2013 OIG-14-09 November 2013 Washington, DC 20528 / www.oig.dhs.gov November 21, 2013 MEMORANDUM FOR: FROM: SUBJECT: Jeffrey Eisensmith Chief

More information

AUDIT REPORT. The Energy Information Administration s Information Technology Program

AUDIT REPORT. The Energy Information Administration s Information Technology Program U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT The Energy Information Administration s Information Technology Program DOE-OIG-16-04 November 2015 Department

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Improved Security Required for DHS Networks (Redacted) Notice: The Department of Homeland Security, Office of Inspector General, has redacted

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Modernization Act Audit for Fiscal Year 2015 March 15, 2016 15-01957-100 ACRONYMS

More information

NARA s Information Security Program. OIG Audit Report No. 15-01. October 27, 2014

NARA s Information Security Program. OIG Audit Report No. 15-01. October 27, 2014 NARA s Information Security Program OIG Audit Report No. 15-01 October 27, 2014 Table of Contents Executive Summary... 3 Background... 4 Objectives, Scope, Methodology... 7 Audit Results... 8 Appendix

More information

FSIS DIRECTIVE 1306.3

FSIS DIRECTIVE 1306.3 UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC FSIS DIRECTIVE 1306.3 REVISION 1 12/13/12 CONFIGURATION MANAGEMENT (CM) OF SECURITY CONTROLS FOR INFORMATION SYSTEMS

More information

Review of the SEC s Systems Certification and Accreditation Process

Review of the SEC s Systems Certification and Accreditation Process Review of the SEC s Systems Certification and Accreditation Process March 27, 2013 Page i Should you have any questions regarding this report, please do not hesitate to contact me. We appreciate the courtesy

More information

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Taxpayer Data Used at Contractor Facilities May Be at Risk for Unauthorized Access or Disclosure May 18, 2010 Reference Number: 2010-20-051 This report

More information

Report of Evaluation OFFICE OF INSPECTOR GENERAL. OIG 2014 Evaluation of the Farm Credit OIG 2014 Administration s. Management Act.

Report of Evaluation OFFICE OF INSPECTOR GENERAL. OIG 2014 Evaluation of the Farm Credit OIG 2014 Administration s. Management Act. OFFICE OF INSPECTOR GENERAL Report of Evaluation OIG 2014 Evaluation of the Farm Credit OIG 2014 Administration s Evaluation of the Farm Compliance Credit Administration s with the Federal Information

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Evaluation Report The Department's Unclassified Cyber Security Program 2011 DOE/IG-0856 October 2011 Department of

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. ELECTION ASSISTANCE COMMISSION EVALUATION OF COMPLIANCE WITH THE REQUIREMENTS OF THE FEDERAL INFORMATION SECURITY MANAGEMENT

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2014 May 19, 2015 14-01820-355 ACRONYMS CRISP

More information

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Audit Report Management of Western Area Power Administration's Cyber Security Program DOE/IG-0873 October 2012 Department

More information

Information Security Series: Security Practices. Integrated Contract Management System

Information Security Series: Security Practices. Integrated Contract Management System OFFICE OF INSPECTOR GENERAL Audit Report Catalyst for Improving the Environment Information Security Series: Security Practices Integrated Contract Management System Report No. 2006-P-00010 January 31,

More information

Office of Inspector General

Office of Inspector General Office of Inspector General DEPARTMENT OF HOMELAND SECURITY U.S. Department of Homeland Security Washington, DC 20528 Office of Inspector General Security Weaknesses Increase Risks to Critical DHS Databases

More information

Fiscal Year 2007 Federal Information Security Management Act Report

Fiscal Year 2007 Federal Information Security Management Act Report OFFICE OF INSPECTOR GENERAL Special Report Catalyst for Improving the Environment Fiscal Year 2007 Federal Information Security Management Act Report Status of EPA s Computer Security Program Report No.

More information

INFORMATION SECURITY. Additional Oversight Needed to Improve Programs at Small Agencies

INFORMATION SECURITY. Additional Oversight Needed to Improve Programs at Small Agencies United States Government Accountability Office Report to Congressional Requesters June 2014 INFORMATION SECURITY Additional Oversight Needed to Improve Programs at Small Agencies GAO-14-344 June 2014 INFORMATION

More information

EVALUATION REPORT. The Department of Energy's Unclassified Cybersecurity Program 2014

EVALUATION REPORT. The Department of Energy's Unclassified Cybersecurity Program 2014 U.S. Department of Energy Office of Inspector General Office of Audits and Inspections EVALUATION REPORT The Department of Energy's Unclassified Cybersecurity Program 2014 DOE/IG-0925 October 2014 Department

More information

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Improvements Are Needed to the Information Security Program March 11, 2008 Reference Number: 2008-20-076 This report has cleared the Treasury Inspector

More information

Audit Report. Management and Security of Office of Budget and Program Analysis Information Technology Resources. U.S. Department of Agriculture

Audit Report. Management and Security of Office of Budget and Program Analysis Information Technology Resources. U.S. Department of Agriculture U.S. Department of Agriculture Office of Inspector General Southeast Region Audit Report Management and Security of Office of Budget and Program Analysis Information Technology Resources Report No. 39099-1-AT

More information

Information Security for Managers

Information Security for Managers Fiscal Year 2015 Information Security for Managers Introduction Information Security Overview Enterprise Performance Life Cycle Enterprise Performance Life Cycle and the Risk Management Framework Categorize

More information

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2

More information

Audit Report. Management of Naval Reactors' Cyber Security Program

Audit Report. Management of Naval Reactors' Cyber Security Program U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Naval Reactors' Cyber Security Program DOE/IG-0884 April 2013 Department of Energy Washington,

More information

Department of Homeland Security Office of Inspector General

Department of Homeland Security Office of Inspector General Department of Homeland Security Office of Inspector General Vulnerabilities Highlight the Need for More Effective Web Security Management (Redacted) OIG-09-101 September 2009 Office of Inspector General

More information

Security Control Standard

Security Control Standard Department of the Interior Security Control Standard Security Assessment and Authorization January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior,

More information

Audit of the Board s Information Security Program

Audit of the Board s Information Security Program Board of Governors of the Federal Reserve System Audit of the Board s Information Security Program Office of Inspector General November 2011 November 14, 2011 Board of Governors of the Federal Reserve

More information

INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program

INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program FINAL REPORT NO. OIG-12-037-A SEPTEMBER 27, 2012 U.S. Department of Commerce Office

More information

STATEMENT OF JOHN E. MCCOY II DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE

STATEMENT OF JOHN E. MCCOY II DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE STATEMENT OF JOHN E. MCCOY II DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM SUBCOMMITTEE ON GOVERNMENT ORGANIZATION,

More information

Cybersecurity Risk Management Activities Instructions Fiscal Year 2015

Cybersecurity Risk Management Activities Instructions Fiscal Year 2015 Cybersecurity Risk Management Activities Instructions Fiscal Year 2015 An effective risk management program and compliance with the Federal Information Security Management Act (FISMA) requires the U.S.

More information

Final Audit Report FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY 2012. Report No. 4A-CI-00-12-016

Final Audit Report FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY 2012. Report No. 4A-CI-00-12-016 U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Subject: FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY 2012 Report No. 4A-CI-00-12-016 Date:

More information

SECURITY WEAKNESSES IN DOT S COMMON OPERATING ENVIRONMENT EXPOSE ITS SYSTEMS AND DATA TO COMPROMISE

SECURITY WEAKNESSES IN DOT S COMMON OPERATING ENVIRONMENT EXPOSE ITS SYSTEMS AND DATA TO COMPROMISE FOR OFFICIAL USE ONLY SECURITY WEAKNESSES IN DOT S COMMON OPERATING ENVIRONMENT EXPOSE ITS SYSTEMS AND DATA TO COMPROMISE Department of Transportation Report No. FI-2013-123 Date Issued: September 10,

More information

INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES

INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES Report No.: ISD-IS-OCIO-0001-2014 June 2014 OFFICE OF INSPECTOR GENERAL U.S.DEPARTMENT OF THE INTERIOR Memorandum JUN 0 4 2014 To: From:

More information

Evaluation of DHS' Information Security Program for Fiscal Year 2015

Evaluation of DHS' Information Security Program for Fiscal Year 2015 Evaluation of DHS' Information Security Program for Fiscal Year 2015 January 5, 2016 OIG-16-08 (Revised) DHS OIG HIGHLIGHTS Evaluation of DHS Information Security Program for Fiscal Year 2015 January 5,

More information

REVIEW OF THE DEPARTMENT OF HEALTH AND HUMAN SERVICES COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2015

REVIEW OF THE DEPARTMENT OF HEALTH AND HUMAN SERVICES COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2015 Department of Health and Human Services OFFICE OF INSPECTOR GENERAL REVIEW OF THE DEPARTMENT OF HEALTH AND HUMAN SERVICES COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR

More information

NASA FACES SIGNIFICANT CHALLENGES IN TRANSITIONING TO A CONTINUOUS MONITORING APPROACH FOR ITS INFORMATION TECHNOLOGY SYSTEMS

NASA FACES SIGNIFICANT CHALLENGES IN TRANSITIONING TO A CONTINUOUS MONITORING APPROACH FOR ITS INFORMATION TECHNOLOGY SYSTEMS DECEMBER 5, 2011 AUDIT REPORT OFFICE OF AUDITS NASA FACES SIGNIFICANT CHALLENGES IN TRANSITIONING TO A CONTINUOUS MONITORING APPROACH FOR ITS INFORMATION TECHNOLOGY SYSTEMS OFFICE OF INSPECTOR GENERAL

More information

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO-6009-09 TABLE OF CONTENTS

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO-6009-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: Section I. PURPOSE II. AUTHORITY III. SCOPE IV. DEFINITIONS V. POLICY VI. RESPONSIBILITIES

More information

Department of Veterans Affairs VA Handbook 6500. Information Security Program

Department of Veterans Affairs VA Handbook 6500. Information Security Program Department of Veterans Affairs VA Handbook 6500 Washington, DC 20420 Transmittal Sheet September 18, 2007 Information Security Program 1. REASON FOR ISSUE: To provide specific procedures and establish

More information

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems U.S. Office of Personnel Management Actions to Strengthen Cybersecurity and Protect Critical IT Systems June 2015 1 I. Introduction The recent intrusions into U.S. Office of Personnel Management (OPM)

More information

Briefing Report: Improvements Needed in EPA s Information Security Program

Briefing Report: Improvements Needed in EPA s Information Security Program U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Briefing Report: Improvements Needed in EPA s Information Security Program Report No. 13-P-0257 May 13, 2013 Scan this mobile code to learn

More information

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY

More information

In Brief. Smithsonian Institution Office of the Inspector General

In Brief. Smithsonian Institution Office of the Inspector General In Brief Smithsonian Institution Office of the Inspector General Smithsonian Institution Network Infrastructure (SINet) Report Number A-09-01, September 30, 2009 Why We Did This Audit Under the Federal

More information

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement GAO For Release on Delivery Expected at time 1:00 p.m. EDT Thursday, April 19, 2007 United States Government Accountability Office Testimony Before the Subcommittee on Emerging Threats, Cybersecurity,

More information

OFFICE OF INSPECTOR GENERAL

OFFICE OF INSPECTOR GENERAL OFFICE OF INSPECTOR GENERAL Audit Report Catalyst for Improving the Environment Evaluation of U.S. Chemical Safety and Hazard Investigation Board s Compliance with the Federal Information Security Management

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Enhanced Configuration Controls and Management Policies Can Improve USCG Network Security (Redacted) Notice: The Department of Homeland Security,

More information

Evaluation of DHS' Information Security Program for Fiscal Year 2014

Evaluation of DHS' Information Security Program for Fiscal Year 2014 Evaluation of DHS' Information Security Program for Fiscal Year 2014 December 12, 2014 HIGHLIGHTS Evaluation of DHS Information Security Program for Fiscal Year 2014 December 12, 2014 Why We Did This We

More information

United States Patent and Trademark Office

United States Patent and Trademark Office U.S. DEPARTMENT OF COMMERCE Office of Inspector General United States Patent and Trademark Office FY 2009 FISMA Assessment of the Patent Cooperation Treaty Search Recordation System (PTOC-018-00) Final

More information

Final Audit Report. Federal Information Security Modernization Act Audit FY 2015. Report Number 4A-CI-00-15-011 November 10, 2015

Final Audit Report. Federal Information Security Modernization Act Audit FY 2015. Report Number 4A-CI-00-15-011 November 10, 2015 U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Federal Information Security Modernization Act Audit FY 2015 Report Number 4A-CI-00-15-011 November

More information

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013 Department of Health and Human Services OFFICE OF INSPECTOR GENERAL REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013 Inquiries about this report may be addressed

More information

Department of Homeland Security

Department of Homeland Security for the Immigration and Customs Enforcement Component of the FY 2013 Department of Homeland Security s Financial Statement Audit OIG-14-85 April 2014 OFFICE OF INSPECTOR GENERAL Department of Homeland

More information

Compliance Risk Management IT Governance Assurance

Compliance Risk Management IT Governance Assurance Compliance Risk Management IT Governance Assurance Solutions That Matter Introduction to Federal Information Security Management Act (FISMA) Without proper safeguards, federal agencies computer systems

More information

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-510 GENERAL (Office of Origin: IRM/IA) 5 FAH-11 H-511 INTRODUCTION 5 FAH-11 H-511.1 Purpose a. This subchapter implements the policy

More information

Audit Report. Natural Resources Conservation Service Water and Climate Information System Review of Application Controls Portland, Oregon

Audit Report. Natural Resources Conservation Service Water and Climate Information System Review of Application Controls Portland, Oregon U.S. Department of Agriculture Office of Inspector General Western Region Audit Report Natural Resources Conservation Service Water and Climate Information System Review of Application Controls Portland,

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

FEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness

FEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness United States Government Accountability Office Report to Congressional Committees September 2013 FEDERAL INFORMATION SECURITY Mixed Progress in Implementing Program Components; Improved Metrics Needed

More information

Final Audit Report FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY 2013. Report No. 4A-CI-00-13-021. Date:

Final Audit Report FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY 2013. Report No. 4A-CI-00-13-021. Date: U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Subject: FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY 2013 Report No. 4A-CI-00-13-021 Date:

More information

Vulnerability Management. Information Technology Audit. For the Period July 2010 to July 2011

Vulnerability Management. Information Technology Audit. For the Period July 2010 to July 2011 O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Vulnerability Management Information Technology Audit For the Period July 2010 to July 2011 May 22, 2012 Report

More information

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Audit Report Follow-up Audit of the Department's Cyber Security Incident Management Program DOE/IG-0878 December 2012

More information

March 17, 2015 OIG-15-43

March 17, 2015 OIG-15-43 Information Technology Management Letter for the U.S. Citizenship and Immigration Services Component of the FY 2014 Department of Homeland Security Financial Statement Audit March 17, 2015 OIG-15-43 HIGHLIGHTS

More information

Office of the Inspector General United States Office of Personnel Management. Statement of Michael R. Esser Assistant Inspector General for Audits

Office of the Inspector General United States Office of Personnel Management. Statement of Michael R. Esser Assistant Inspector General for Audits Office of the Inspector General United States Office of Personnel Management Statement of Michael R. Esser Assistant Inspector General for Audits before the Committee on Appropriations United States Senate

More information

Audit of Security Controls for DHS Information Technology Systems at San Francisco International Airport

Audit of Security Controls for DHS Information Technology Systems at San Francisco International Airport Audit of Security Controls for DHS Information Technology Systems at San Francisco International Airport May 7, 2015 DHS OIG HIGHLIGHTS Audit of Security Controls for DHS Information Technology Systems

More information

FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL

FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL Clifton Gunderson LLP s Independent Audit of the Federal Housing Finance Agency s Information Security Program - 2011 Audit Report: AUD-2011-002

More information

Privacy Impact Assessment. For Person Authentication Service (PAS) Date: January 9, 2015

Privacy Impact Assessment. For Person Authentication Service (PAS) Date: January 9, 2015 For Person Authentication Service (PAS) Date: January 9, 2015 Point of Contact and Author: Hanan Abu Lebdeh Hanan.Abulebdeh@ed.gov System Owner: Ganesh Reddy Ganesh.Reddy@ed.gov Office of Federal Student

More information

OFFICE OF INSPECTOR GENERAL. Audit Report. Evaluation of the Railroad Retirement Board Medicare Contractor s Information Security

OFFICE OF INSPECTOR GENERAL. Audit Report. Evaluation of the Railroad Retirement Board Medicare Contractor s Information Security OFFICE OF INSPECTOR GENERAL Audit Report Evaluation of the Railroad Retirement Board Medicare Contractor s Information Security Report No. 08-04 September 26, 2008 RAILROAD RETIREMENT BOARD INTRODUCTION

More information

The Certification and Accreditation of Computer Systems Should Remain in the Computer Security Material Weakness. August 2004

The Certification and Accreditation of Computer Systems Should Remain in the Computer Security Material Weakness. August 2004 The Certification and Accreditation of Computer Systems Should Remain in the Computer Security Material Weakness August 2004 Reference Number: 2004-20-129 This report has cleared the Treasury Inspector

More information

EPA Could Improve Processes for Managing Contractor Systems and Reporting Incidents

EPA Could Improve Processes for Managing Contractor Systems and Reporting Incidents OFFICE OF INSPECTOR GENERAL Audit Report Catalyst for Improving the Environment EPA Could Improve Processes for Managing Contractor Systems and Reporting Incidents Report No. 2007-P-00007 January 11, 2007

More information

Legislative Language

Legislative Language Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting

More information