Open Recommendations
Recommendation Number | Recommendation | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use
---|---|---|---|---
1 | Develop a supply chain risk management strategy that includes (a) a supply chain risk appetite and tolerance, (b) an enterprise supply chain risk management governance structure, and (c) supply chain risk assessment processes that include mitigation strategies or controls. | Yes | $0 | $0
2 | Document and implement a baseline review and escalation process for data loss prevention alerts. | No | $0 | $0
3 | Reinforce the requirements for identifying and documenting system interconnections as part of the Board’s training on its cyber risk management application, and require all relevant individuals to take the training. | No | $0 | $0
4 | Evaluate and implement options to enforce the agency’s existing guidance on identifying and documenting system interconnections. | No | $0 | $0
5 | Develop and implement a mobile application scanning program that includes a vulnerability scanning solution and a process to identify and remediate vulnerabilities. | No | $0 | $0
6 | Ensure that the Board’s Incident Notification and Breach Response Plan is reviewed, tested, and approved annually. | No | $0 | $0
7 | Develop and implement a role-based privacy training program. | No | $0 | $0
8 | Incorporate targeted phishing exercises into the Board’s security awareness and training program and processes. | No | $0 | $0
9 | Update the Board’s standard contract language for cloud service provider contracts so that it is consistent with the incident reporting requirements in the Federal Risk and Authorization Management Program’s Incident Communications Procedures. | No | $0 | $0