AmeriCorps’ security program has not been effective in accordance with Federal Information Security Management Act (FISMA) since Fiscal Year 2017. In order to determine its current status, AmeriCorps OIG engaged an independent certified public accounting firm to conduct an internal penetration test of AmeriCorps’ network. The independent auditors tested AmeriCorps’ network to evaluate the effectiveness of its information security program and to identify areas of weakness. This evaluation was comprised of three phases: network penetration testing, a phishing campaign, and the testing the effectiveness of controls in preventing and detecting the execution of malicious code. The independent auditors found two weaknesses related to preventive and detective security controls. AmeriCorps concurred and agreed to implement our recommendations to (1) develop and implement a plan to modify external emails to include information to assist the recipient of the level of risk posed by external email, (2) implement a plan to increase the frequency of behavior training directed at the identification of unwanted spam emails, and (3) implement a process to improve the detection rate to reduce the occurrence of email spam that reaches the users’ inboxes. AmeriCorps Management’s response can be found in Appendix II of the report.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
|---|---|---|---|---|---|
| 1 | No | $0 | $0 | ||
| Develop and implement a plan to modify external emails to include information to assist the recipient of the level of risk posed by external email. For example, the Subject line of an email should be modified to identify the source of the email as external to the agency. In addition, the body of the email should contain warnings concerning the dangers of external email and attachments. Finally, warnings should include how frequently the sender has interacted with the recipient. | |||||
| 2 | No | $0 | $0 | ||
| Implement a plan to increase the frequency of behaviortraining directed at the identification of unwanted spam emails with an emphasis on continual reminders of recognition techniques, appropriate actions, and confidence that self‐reporting poor behavioral actions will lead to a better outcome in the future. | |||||
| 3 | No | $0 | $0 | ||
| Implement a process to improve the detection rate to reduce the occurrence of email spam that reaches the users’ inboxes. | |||||
