Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
1 | No | $0 | $0 | We recommend that OIT update policies and procedures to ensure that OIT (a) thoroughly documents and understands changes to the SEC’s mobile device management system before such changes are implemented; (b) maintains an accurate inventory of mobile devices enrolled in the SEC’s mobile device management system (including timely follow-up and removal of inactive devices); (c) reviews and escalates mobile device management system notifications involving Capstone officials’ devices; and (d) regularly obtains and, as necessary, responds to information about technical risks from vendors whose products may impact the SEC’s mobile devices.
2 | No | $0 | $0 | We recommend that OIT ensure that all SEC Capstone officials’ devices were backed up at the time OIT removed the texting application from SEC devices, and (for each device) document the date OIT verified that all electronic records, including text messages, were successfully saved (as of the October 2022 Capstone initiative and with each subsequent backup). If text messages from any Capstone officials’ devices were not successfully saved, work with ORMS to determine if NARA notification is required.
3 | No | $0 | $0 | We recommend that OIT update the applicable system security plan(s) to accurately reflect the mobile device management system audit events and logs that should be forwarded to the SEC’s security information and event management tool, and ensure that those logs support after-the-fact investigations of incidents.
4 | No | $0 | $0 | We recommend that OIT develop procedures to periodically verify that the mobile device management system audit events and logs identified in the applicable system security plan(s) are successfully retained in the SEC’s security information and event management tool.
5 | No | $0 | $0 | We recommend that OIT update policies and procedures to require OIT management’s approval of commands during troubleshooting activities that result in a factory reset of Capstone officials’ devices, and verification that appropriate device logs and forensic data have been collected and retained beforehand.
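Recommendations 3 and 4 describe a control that is easy to state and easy to let drift: the system security plan names the MDM audit events that must reach the SIEM, and someone must periodically confirm they are actually arriving and carry the fields an investigator needs. The following is an added illustration of such a periodic check, not code from the report, the SEC, or any MDM vendor. It assumes (these are assumptions, not facts from the report) that the SSP's required event types can be written down as a set, that the SIEM can export recent MDM events as JSON lines with `timestamp`, `event_type`, `device_id` and `actor` fields, and that "recent" means the last seven days. The event type names and the sample export are invented for the example.

```python
"""Periodic check that the MDM audit events an SSP requires are actually
retained in the SIEM (added example; not SEC/OIT or vendor code).

Assumed (not from the report): the SSP's required event types are listed in
SSP_REQUIRED_EVENTS, the SIEM exports recent events as JSON lines with the
fields in REQUIRED_FIELDS, and the look-back window is LOOKBACK_DAYS.
"""
from datetime import datetime, timedelta, timezone
import json

LOOKBACK_DAYS = 7

# Hypothetical MDM audit event types an SSP might require be forwarded.
SSP_REQUIRED_EVENTS = {
    "device_enrolled",
    "device_unenrolled",
    "device_wipe_command",
    "admin_console_login",
    "policy_changed",
}

# Fields an after-the-fact investigation needs: when, what, which device, who.
REQUIRED_FIELDS = ("timestamp", "event_type", "device_id", "actor")

# Constructed SIEM export for the example. Deliberately, the only wipe
# command is older than the window and one policy_changed event lacks "actor".
SAMPLE_SIEM_EXPORT = """\
{"timestamp": "2024-05-20T14:03:00Z", "event_type": "device_enrolled", "device_id": "D-1001", "actor": "svc-mdm"}
{"timestamp": "2024-05-21T09:12:00Z", "event_type": "admin_console_login", "device_id": "-", "actor": "jdoe"}
{"timestamp": "2024-05-22T11:45:00Z", "event_type": "policy_changed", "device_id": "-"}
{"timestamp": "2024-04-01T08:00:00Z", "event_type": "device_wipe_command", "device_id": "D-0999", "actor": "jdoe"}
{"timestamp": "2024-05-23T16:20:00Z", "event_type": "device_unenrolled", "device_id": "D-1001", "actor": "svc-mdm"}
"""


def parse_timestamp(value):
    """Parse ISO 8601 with a trailing Z (common in SIEM exports) to aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_export(text):
    """Parse JSON lines. Unparseable lines are reported, not silently dropped,
    so a broken export cannot masquerade as healthy coverage."""
    events, bad_lines = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad_lines.append(lineno)
    return events, bad_lines


def check_retention(events, required_events, now, lookback_days=LOOKBACK_DAYS):
    """For each required event type, find the newest event seen and flag types
    with nothing inside the window. Also flag events missing investigative
    fields, since a retained event that cannot be tied to a device or actor
    does not support an after-the-fact investigation."""
    window_start = now - timedelta(days=lookback_days)
    last_seen = {etype: None for etype in required_events}
    malformed = []
    for ev in events:
        missing_fields = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing_fields:
            malformed.append({"event": ev, "missing_fields": missing_fields})
        etype = ev.get("event_type")
        if etype not in last_seen or "timestamp" not in ev:
            continue
        ts = parse_timestamp(ev["timestamp"])
        if last_seen[etype] is None or ts > last_seen[etype]:
            last_seen[etype] = ts
    missing = sorted(
        etype for etype, ts in last_seen.items() if ts is None or ts < window_start
    )
    return {
        "window_start": window_start,
        "missing_event_types": missing,  # required by SSP, absent from window
        "last_seen": last_seen,          # newest timestamp per type, or None
        "malformed": malformed,          # events lacking investigative fields
    }


def run_sample_check(now=datetime(2024, 5, 24, tzinfo=timezone.utc)):
    """Run the check over the constructed export at a fixed 'now'."""
    events, bad_lines = parse_export(SAMPLE_SIEM_EXPORT)
    report = check_retention(events, SSP_REQUIRED_EVENTS, now)
    report["unparseable_lines"] = bad_lines
    return report


if __name__ == "__main__":
    report = run_sample_check()
    for etype in report["missing_event_types"]:
        seen = report["last_seen"][etype]
        age = "never seen" if seen is None else f"last seen {seen.isoformat()}"
        print(f"MISSING in window: {etype} ({age})")
    for item in report["malformed"]:
        print(f"MALFORMED (no {item['missing_fields']}): {item['event']}")
    if report["unparseable_lines"]:
        print(f"Unparseable export lines: {report['unparseable_lines']}")
```

Two design points carry over to a real deployment. Reporting the last-seen time for a missing type, even when it falls outside the window, tells the reviewer whether forwarding broke recently or the event has never been captured at all; and a type such as `device_wipe_command` may legitimately have no events in a quiet week, so for rare-but-critical events the check should be paired with a synthetic test event or a longer window rather than treated as an outage on its own.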