Evaluation of Department of State Information Security Program ...

More documents

Recommendations

Info

UNCLASSIFIED accounts for separated Full Time Equivalent employee accounts, and 104 of those accounts had Department issued security tokens 4 for remote access. Documentation (Password/Receipt Form) had not been received for all of 25 new user accounts created within the past fiscal year and documentation had not been received for all seven Network Administrators’ accounts created within the past fiscal year. The Department permitted one of 25 OpenNet Domain Administrators/Administrators’ accounts to be used as a group account. These control weaknesses increase the potential that unauthorized activities can occur without timely detection, which adversely impacts confidentiality, integrity, and availability of the data on OpenNet and ClassNet. G. Continuous Monitoring The Department does not have an effective means of implementing continuous monitoring at the organization level or the system level, and the Department had not taken action to resolve the continuous monitoring control weaknesses identified in the FY 2010 FISMA report on the Department’s information security program. The ISSC had not developed a formal continuous monitoring strategy that addresses framing risk, assessing risk, responding to risk, and monitoring risk, all of which are required by NIST Special Publication (SP) 800-39, Managing Information Security Risk. Also, based on our review of the actions taken by the Department regarding weaknesses identified in the FY 2010 FISMA report on the Department’s information security program, we found the following repeat deficiencies: � The scanning tools do not assess Oracle, the Department’s most common database management system, for configuration control weaknesses that could adversely impact application access controls. � Scanning results for routers, firewalls, and Demilitarized Zone servers were not available in iPost; 5 therefore, the results were not used in risk scoring. H. The Continuity of Operations Program Needs to Be Improved The Department’s Continuity of Operations Program is not operating effectively and is not documented in accordance with NIST SP 800-34 and Federal Continuity Directive (FCD)-2. The Department is required by NIST to have a collection of plans to prepare for response, continuity, recovery, and resumption of mission/business processes and information systems. 4 A token (sometimes called a security token) is an object that controls access to a digital asset. It is a small device used in a networked environment to create a one-time password that the owner enters into a login screen along with a user identification and a personal identification number. 5 iPost is a system that provides the ability to monitor outputs of the various network monitoring applications. It allows key personnel to monitor network, computer, and application resources; check for potential problems; initiate corrective actions; and gather performance, compliance, and security data for near real-time and historical reporting. 3 UNCLASSIFIED
UNCLASSIFIED We found that the Continuity of Operations Plan (COOP) Communication Plan (CCP) for emergency communications and the network had not been updated with significant changes since 2008. The COOP CCP was not updated in accordance with NIST SP 800-34 because the Bureau of Information Resource Management (IRM) is focused on the Bureau Emergency Action Plan (BEAP) instead of the COOP CCP that contributes to the continuation of communications and the network for the entire Department. I. Information Systems Contingency Planning The Department needs to improve the information system contingency planning program. An effective contingency planning program is designed to mitigate the risk of system and service unavailability by providing effective and efficient solutions to enhance system availability. From a sample of 25 information system contingency plans tested, we found several deficiencies. For example, three systems’ (OpenNet, WebPass, and TDS) Contingency Plans did not document the alternate recovery site information. J. Oversight of Contractor Systems The Department had not implemented an effective oversight program of its contractor systems and contractor extensions. All five Contractor-Owned Contractor-Operated (COCO) systems reviewed did not have contract agreements or security-related documentation available for review. For four of five COCO systems, IRM did not provide ATO memorandums after several requests. We also found that the Department did not have an effective mechanism in place to identify the total number of contractors’ personnel who had access to and privileges within the Department’s network, applications, databases, and data. K. Capital Planning Information security is not fully integrated into the Department’s Capital Planning and Investment Control (CPIC) process. IRM needs to strengthen its oversight process of information technology (IT) investments. For four of 10 appropriated IT security investments reviewed, the Department did not provide evidence of documentation showing obligations and expenditures. The Department does not provide OMB with all investments that have significant dependency for the IT Infrastructure major investment. For a sample of 10 non-major investments that make up the IT Infrastructure major investment, we found that none of the 10 were identified as required by OMB in Exhibit 300. Also, IT security costs from the Department’s POA&Ms are not captured in the capital planning process. Specifically, Department implementation of the POA&M process does not reflect the unique project identifiers (UPI), which tie security correction action plans into the CPIC process. The lack of integration between the POA&M process and capital planning process negatively affects the funding prioritization 4 UNCLASSIFIED
Page 1: Office of Inspector General UNCLASS
Page 5 and 6: UNCLASSIFIED IT information technol
Page 7 and 8: UNCLASSIFIED APPENDIX F. SYSTEMS WI
Page 9: UNCLASSIFIED patches within require
Page 13 and 14: UNCLASSIFIED improvements regarding
Page 15 and 16: UNCLASSIFIED Diplomatic Security/Se
Page 17 and 18: UNCLASSIFIED Department’s risk ma
Page 19 and 20: UNCLASSIFIED performance. For examp
Page 21 and 22: UNCLASSIFIED � From a sample of 2
Page 23 and 24: UNCLASSIFIED 800-37 18 states that
Page 25 and 26: UNCLASSIFIED � Approximately 300
Page 27 and 28: UNCLASSIFIED � One of 25 OpenNet
Page 29 and 30: UNCLASSIFIED that an organization-d
Page 31 and 32: UNCLASSIFIED indicated that the foc
Page 33 and 34: UNCLASSIFIED Management Response: T
Page 35 and 36: UNCLASSIFIED � Document and maint
Page 37 and 38: UNCLASSIFIED The Department’s con
Page 39 and 40: UNCLASSIFIED For four 46 of 10 appr
Page 41 and 42: UNCLASSIFIED OIG Additional Analyse
Page 43 and 44: UNCLASSIFIED List of Current Year R
Page 45 and 46: UNCLASSIFIED � Develop operating
Page 47 and 48: UNCLASSIFIED required by the Office
Page 49 and 50: UNCLASSIFIED DRAFT We used the foll
Page 51 and 52: UNCLASSIFIED Appendix B. Followup o
Page 53 and 54: UNCLASSIFIED program managers and o
Page 55 and 56: UNCLASSIFIED Appendix D. Systems Wi
Page 57 and 58: UNCLASSIFIED Appendix E. Vulnerabil
Page 59 and 60: UNCLASSIFIED For the 16 systems tes
Page 61 and 62:
UNCLASSIFIED SMART-SBU Windows File
Page 63 and 64:
(b) (5) UNCLASSIFIED Appendix G. Se
Page 65 and 66:
NIST SP 800-37 NIST SP 800-37 Confi
Page 67:
UNCLASSIFIED System Telegram Distri
Page 71 and 72:
UNCLASSIFIED UNCLASSIFIED 3 justifi
Page 74 and 75:
UNCLASSIFIED 6 Department Response
Page 76 and 77:
UNCLASSIFIED UNCLASSIFIED 8 The Dep
Page 78 and 79:
UNCLASSIFIED UNCLASSIFIED 10 • De
Page 80 and 81:
UNCLASSIFIED UNCLASSIFIED 12 The De
Page 82:
UNCLASSIFIED UNCLASSIFIED
show all

Evaluation of Department of State Information Security Program ...

Create successful ePaper yourself

Delete template?

Save as template?