Evaluation of Department of State Information Security Program ...

More documents

Recommendations

Info

UNCLASSIFIED among the IT investments. Ultimately, inadequate oversight increases the risk of unapproved investments being funded. Although this report contains 19 recommendations to the Department, we believe the most significant security deficiencies are the findings related to risk management strategy and security authorizations (Finding A), security configuration management (Finding B), POA&Ms (Finding D), and the continuous monitoring program (Finding G). We reviewed the Department’s remedial actions taken to address the 2010 reported information security program control weaknesses identified in the FY 2010 FISMA report Review of the Information Security Program at the Department of State (AUD/IT-11-07, November 2010). (The statuses of the recommendations from the FY 2010 review of the information security program are in Appendix B.) Since FY 2010, the Department has taken actions to improve management controls to include the following: � Updated and verified the FISMA systems inventory list to the Information Technology Asset Baseline (ITAB) to ensure that all information technology (IT) systems are accurately accounted for. � Defined and identified personnel who have significant security responsibilities in its Information Assurance (IA) Training Plan. � Ensured that personally identifiable information (PII) data incidents are reported to the U.S. Computer Emergency Response Team within the required 1-hour timeframe. � Updated its contracts to include Department of State Acquisition Regulations information security language. Management Comments. In its November 2, 2011, response to the draft report (see Appendix J), the Department stated that it “disagrees” on whether continuous monitoring, as currently conducted, produces a lower risk than a traditional C&A program, and on the relative importance of completeness and compliance vs. timeliness and risk-based prioritization.” The Department further stated, “Having carefully considered these factors, the Department is convinced its continuous monitoring program, which is 300 times more timely than traditional three-year reauthorizations, produces significantly lower security risk [Department footnote states: “Neither produce zero risk, and achieving zero risk in not foreseeable.”] on its networks.” Although OIG agrees that the continuous monitoring concept, if properly implemented and documented, allows for more rapid identification of security weaknesses, OIG is unable to provide an opinion on the effectiveness of the continuous monitoring strategy because the Bureau of Information Resource Management (IRM) did not provide a strategy, but the concept of continuous monitoring is designed to provide results in a more timely fashion. The collective weaknesses in the information security program, including IRM’s lack of strategies for risk management and continuous monitoring, leave a weakness in the approach to assessing risk and taking actions to correct identified vulnerabilities. Furthermore, IRM’s approach cannot establish responsibility and accountability for information systems security controls and leaves a vacuum between the current state of information security controls and any planned 5 UNCLASSIFIED
UNCLASSIFIED improvements regarding the protection of the Department’s information and information systems, because the Department relies heavily on iPost results to determine the current security posture of information systems and to initiate corrective actions. However, IRM could not provide documentation to support the strategy used or present historical or trend analysis during the annual evaluation. OIG identified weaknesses that should have been addressed or corrected based on the approach IRM presented verbally during the course of the FISMA evaluation. The identification of account management weaknesses by OIG’s FISMA and financial statement auditors, the failure to install critical patches on servers, and the increasing trend of Common Vulnerabilities and Exposures (CVE) since 2007 indicates that the approach in place is not addressing information security risks in the Department’s information and information systems. In its response to the report’s 19 recommendations, the Department generally agreed or agreed with portions of 10 recommendations, did not agree with five recommendations, and did not indicate agreement or disagreement with four recommendations. Based on the response, OIG considers 10 recommendations resolved, pending further action, and nine recommendations unresolved. Management’s responses to the recommendations and OIG’s analyses of the responses are presented after each recommendation. Also, OIG has provided additional comments to the Department’s response in the section “Management Comments and OIG Analyses.” Background FISMA recognized the importance of information security to the economic and national security interests of the United States. FISMA requires each Federal agency to develop, document, and implement an agency-wide program to provide information security for the information systems that support the operations and assets of the agency, including information and information systems provided or managed by another agency, contractor, or source. FISMA provides a comprehensive framework for establishing and ensuring the effectiveness of management, operational, and technical controls over information technology (IT) that supports Federal operations and assets, and it provides a mechanism for improved oversight of Federal agency information security programs. FISMA assigns specific responsibilities to Federal agencies, NIST, OMB, and the Department of Homeland Security (DHS) in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost effectively reduce IT security risks to an acceptable level. To ensure the adequacy and effectiveness of information system controls, FISMA requires agency program officials, chief information officers, chief information security officers, senior agency officials for privacy, and inspectors general to conduct annual reviews of the agency’s information security program and report the results to DHS. 6 UNCLASSIFIED
Page 1: Office of Inspector General UNCLASS
Page 5 and 6: UNCLASSIFIED IT information technol
Page 7 and 8: UNCLASSIFIED APPENDIX F. SYSTEMS WI
Page 9 and 10: UNCLASSIFIED patches within require
Page 11: UNCLASSIFIED We found that the Cont
Page 15 and 16: UNCLASSIFIED Diplomatic Security/Se
Page 17 and 18: UNCLASSIFIED Department’s risk ma
Page 19 and 20: UNCLASSIFIED performance. For examp
Page 21 and 22: UNCLASSIFIED � From a sample of 2
Page 23 and 24: UNCLASSIFIED 800-37 18 states that
Page 25 and 26: UNCLASSIFIED � Approximately 300
Page 27 and 28: UNCLASSIFIED � One of 25 OpenNet
Page 29 and 30: UNCLASSIFIED that an organization-d
Page 31 and 32: UNCLASSIFIED indicated that the foc
Page 33 and 34: UNCLASSIFIED Management Response: T
Page 35 and 36: UNCLASSIFIED � Document and maint
Page 37 and 38: UNCLASSIFIED The Department’s con
Page 39 and 40: UNCLASSIFIED For four 46 of 10 appr
Page 41 and 42: UNCLASSIFIED OIG Additional Analyse
Page 43 and 44: UNCLASSIFIED List of Current Year R
Page 45 and 46: UNCLASSIFIED � Develop operating
Page 47 and 48: UNCLASSIFIED required by the Office
Page 49 and 50: UNCLASSIFIED DRAFT We used the foll
Page 51 and 52: UNCLASSIFIED Appendix B. Followup o
Page 53 and 54: UNCLASSIFIED program managers and o
Page 55 and 56: UNCLASSIFIED Appendix D. Systems Wi
Page 57 and 58: UNCLASSIFIED Appendix E. Vulnerabil
Page 59 and 60: UNCLASSIFIED For the 16 systems tes
Page 61 and 62: UNCLASSIFIED SMART-SBU Windows File
Page 63 and 64:
(b) (5) UNCLASSIFIED Appendix G. Se
Page 65 and 66:
NIST SP 800-37 NIST SP 800-37 Confi
Page 67:
UNCLASSIFIED System Telegram Distri
Page 71 and 72:
UNCLASSIFIED UNCLASSIFIED 3 justifi
Page 74 and 75:
UNCLASSIFIED 6 Department Response
Page 76 and 77:
UNCLASSIFIED UNCLASSIFIED 8 The Dep
Page 78 and 79:
UNCLASSIFIED UNCLASSIFIED 10 • De
Page 80 and 81:
UNCLASSIFIED UNCLASSIFIED 12 The De
Page 82:
UNCLASSIFIED UNCLASSIFIED
show all

Evaluation of Department of State Information Security Program ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?