Inspector General Open Recommendations
10/29/2021 - Consumer Product Safety Commission
Evaluation of the CPSC's FISMA Implementation for FY 2021
Inspection / Evaluation - Open Recommendations
Recommendation 46: Integrate documented contingency plans with the other relevant agency planning areas (Contingency Planning iii).

Recommendation 45: Develop, document, and distribute all required Contingency Planning documents (e.g., organization-wide Continuity of Operations Plan and Business Impact Assessment, Disaster Recovery Plan, Business Continuity Plans, and Information System Contingency Plans) in accordance with appropriate federal and best practice guidance (Contingency Planning ii/iv).

Recommendation 40: Implement Information Security Continuous Monitoring procedures, including those procedures related to the monitoring of performance measures and metrics, that support the Information Security Continuous Monitoring program (Information Security Continuous Monitoring ii) (2021 recommendation).

Recommendation 39: Integrate the established strategy for identifying organizational risk tolerance into the Information Security Continuous Monitoring plan (Information Security Continuous Monitoring i).

Recommendation 38: Develop and tailor security training content for all CPSC personnel with significant security responsibilities and provide this training to the appropriate individuals (Security Training iv/v).

Recommendation 37: Document and implement a process for ensuring that all personnel with significant security roles and responsibilities are provided specialized security training to perform assigned duties (Security Training ii/iii) (2021 recommendation).

Recommendation 36: Perform an assessment of the knowledge, skills, and abilities of CPSC personnel with significant security responsibilities (Security Training i).

Recommendation 35: Identify all CPSC personnel that affect security and privacy (e.g., Executive Risk Council, Freedom of Information Act personnel, etc.) and ensure the training policies are modified to require these individuals to participate in role-based security/privacy training (Data Protection and Privacy iii).

Recommendation 33: Document and implement a process for periodically reviewing for and removing unnecessary Personally Identifiable Information from agency systems (Data Protection and Privacy i).

Recommendation 32: Document and implement a process for inventorying and securing systems that contain Personally Identifiable Information or other sensitive agency data (e.g., proprietary information) (Data Protection and Privacy i).

Recommendation 31: Define and implement processes for provisioning, managing, and reviewing privileged accounts (Identity and Access Management vii) (2021 recommendation).

Recommendation 30: Define and implement the identification and authentication policies and procedures (Identity and Access Management ii).

Recommendation 29: Log and actively monitor activities performed while using privileged access that permit potentially incompatible duties (Identity and Access Management vii).

Recommendation 26: Identify and document potentially incompatible duties permitted by privileged accounts (Identity and Access Management vii).

Recommendation 24: Define and implement a process to ensure the completion of access agreements for all CPSC users (Identity and Access Management v).

Recommendation 23: Develop, formalize (through the CPSC’s D-100 process), and implement processes to ensure all personnel are assigned risk designations and appropriately screened prior to being granted access to agency systems. Prior to formalizing the existing risk designation procedures, these procedures should be enhanced to include the following requirements:
• Performance of periodic reviews of risk designations at least annually,
• Explicit position screening criteria for information security role appointments, and
• Description of how cybersecurity is integrated into human resources practices (Identity and Access Management iv).

Recommendation 22: Integrate Identity, Credential, and Access Management strategy and activities into the Enterprise Architecture and Information Security Continuous Monitoring (Identity and Access Management i/ii/iii).

Recommendation 21: Define and document a strategy (including specific milestones) to implement the Federal Identity, Credential, and Access Management architecture (Identity and Access Management i/ii/iii).

Recommendation 20: Establish measures to evaluate the implementation of changes in accordance with documented information system baselines and integrated secure configurations (Configuration Management vii).

Recommendation 19: Identify and document the characteristics of items that are to be placed under Configuration Management control (Configuration Management vii).