Use the fully defined ISA to:
a. Assess enterprise, business process, and information system level risks;
b. Formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions;
c. Conduct an organization-wide security and privacy risk assessment; and,
d. Conduct a supply chain risk assessment.
On September 20, 2023, the agency provided the following response:
a. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management (ERM) Program and process, which will assess risk at the enterprise level. DNFSB’s existing Executive Committee on Internal Controls (ECIC) assesses risk at the business process level, and DNFSB’s existing Risk Management Framework handbook, configuration management, and continuous monitoring processes assess risk at the information system level.
b. Risk tolerance, risk profiles and a risk register will be established as part of DNFSB’s ERM program. Risks from the information system level will flow up to the business process level, and risks at the business process level will flow up to the enterprise level to allow management to make more informed risk management decisions.
The DNFSB met with the OIG on February 26, 2025, to discuss potential corrective actions for Recommendations 2c and 2d. It was determined that the OIG will verify whether corrective actions have been taken by the DNFSB to address Recommendation 2 during its FY25 Federal Information Security Modernization Act of 2014 (FISMA) audit.
Status: Open: Resolved.
2.a. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management (ERM) Program and process, which will assess risk at the enterprise level. DNFSB’s existing Executive Committee on Internal Controls (ECIC) assesses risk at the business process level, and DNFSB’s existing Risk Management Framework handbook, configuration management, and continuous monitoring processes assess risk at the information system level.
2.b. Risk tolerance, risk profiles, and a risk register will be established as part of DNFSB’s ERM program. Risks from the information system level will flow up to the business process level, and risks at the business process level will flow up to the enterprise level to allow management to make more informed risk management decisions. No target date for all four parts.
2.c. DNFSB will conduct an organization-wide security and privacy risk assessment once the ERM program has been established.
2.d. DNFSB will conduct a supply chain risk assessment in Q2 FY2024.