What OIG Evaluated:
- Identify risk metrics associated with the cybersecurity control areas included in the scope of our evaluation.
- Determine maturity levels for the four aforementioned cybersecurity control areas using a defined maturity model spectrum.
- Report findings identified during the performance of evaluation procedures over selected cybersecurity controls.
What OIG Found:
- Lack of Signed IT Contingency Plans
- Lack of Complete and Accurate Inventory of Hardware Assets
- Lack of Formal Policies and Procedures for Software Asset Management
- Lack of Periodic Review/Update over the Library’s Organization-Tier Policies
- Lack of Annual System Security Plan Compliance Reviews
- Inconsistent System-Level Ongoing Control Assessments
- Inconsistent Completion and Review of Security Assessment Reports
What OIG Recommends:
- Confirm and enforce a quality control procedure to ensure that IT CPs are signed by the responsible personnel (Information System Business Owner, ITS Service Operations Director, and Business Continuity and Disaster Recovery Official) and uploaded to the Library’s governance, risk, and compliance (GRC) platform, as required by Library policies.
- Develop formal procedures for maintaining an up-to-date inventory of hardware assets and removing unauthorized or unmanaged hardware assets in a timely manner.
- Implement tools to a) track and monitor all authorized hardware assets on the Library network and b) report or prevent unauthorized devices connecting to the network.
- Maintain a complete, accurate, and centralized repository of all hardware assets connected to the Library network.
- Develop and implement formal policies and procedures over the process for maintaining an up-to-date software inventory that incorporates security control requirements from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Configuration Management (CM-8), and industry practices from NIST SP 800-37 and NIST SP 800-128.
- Complete the implementation of its Configuration Management Database (CMDB) to track and manage the inventory of software assets.
- Identify and authorize backup personnel to perform the annual review of the Library Security &A Guidance and Library Information Security Continuous Monitoring (ISCM) Guidance in the event that the responsible personnel is unavailable.
- Identify and authorize backup personnel to perform the annual System Security Plan (SSP) compliance review in the event that the responsible personnel is unavailable.
- Remediate or enter Plans of Action and Milestones (POA&Ms) for control assessment discrepancies associated with relevant information systems so they are in alignment with the Library’s policies and procedures, and notify the Authorizing Official (AO) of all updates or changes.
- Identify adequate resources to perform system control assessments.
- Enhance the Library’s procedures for validating the completion and tracking of ongoing control assessments to ensure they are being performed in accordance with the Library’s policies and procedures.
- Complete Security Assessment Reports (SARs) for the respective systems and notify the AO of the results.
- Implement a quality control process to validate the completion of SARs in accordance with the Library’s policies and procedures.