Report Description:
Although the Department made several notable improvements in implementing its cybersecurity initiatives, its overall IT security program and practices were not effective in all five security functions. We had findings in all eight metric domains, including findings with the same or similar conditions identified in prior reports. Specifically, we found that the Department can strengthen its controls in areas such as:

(1) Risk Management: the remediation process for its Plans of Action and Milestones; an enterprise supply chain assessment strategy; IT inventory reporting; and required IT security clauses in its contracts;
(2) Configuration Management: the use of unsecure connections and of appropriate application connection protocols; and reliance on unsupported operating systems, databases, and applications in its production environments;
(3) Identity and Access Management: removing terminated users' access to the Department's network; and database management; and
(4) Incident Response: timely reporting of incidents; and ensuring that data loss prevention tools work as intended.

Until the Department improves in these areas, it cannot ensure that its overall information security program adequately protects its systems and resources from compromise and loss.
Date Issued:
Friday, October 30, 2020
Submitting OIG-Specific Report Number:
A11U0001
Component, if applicable:
Office of Chief Information Officer
Location(s):
Agency-Wide
Type of Report:
Audit
Questioned Costs:
$0
Funds for Better Use:
$0
Number of Recommendations:
24
View Document:
Attachment (PDF), 19.53 MB