Evaluation of Department of State Information Security Program ...

More documents

Recommendations

Info

UNCLASSIFIED � One system–State Messaging and Archive Retrieval Toolset (SMART) - Classified system–did not have a CP. The FAM 40 states that system owners and non-Department entities are required to develop and maintain contingency plans for the major applications and general support systems under their control that process, store, or transmit Federal information. � Two systems–eCountryClearance (eCC) and Secure Integrated Logistics Management System (S-ILMS)–CPs were not sufficiently detailed to enable the proper recovery and damage assessment. NIST SP 800-34, Revision 1, 41 requires the agency to address specific actions the organization should take following a system disruption or an emergency. Plans should be formatted to provide quick and clear directions in the event that personnel unfamiliar with the plan or the systems are called upon to perform recovery operations. � Fifteen systems did not document the annual backup test, as required by NIST 42 for moderate- and high-impact systems, to verify media reliability and information integrity. (Systems that did not have annual backup testing are described in Appendix F). � Three systems–OpenNet, WebPass, and TDS–had not documented backup procedures. The control deficiencies occurred within the contingency planning program because the Department relies extensively on the system owners and bureaus to execute the Department’s policies, establish and implement internal procedures, and ensure compliance with NIST SP 800- 34, Revision 1. Additionally, the Department had not developed reporting requirements for obtaining assurance of performance from the system owners and bureaus. By inadequately documenting the contingency plan, there is an increased risk that the Department will not be able to recover its mission-critical systems timely in the event of a significant disruption. Also, the Department increases the risks that it will not be able to meet its mission requirements and continue normal business activities. Recommendation 14. As required by National Institute of Standards and Technology (NIST) Special Publications (SP) 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems, and SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, we recommend that the Bureau of Information Resource Management, Office of Information Assurance, in coordination with the bureaus and system owners, take the following actions: 40 5 FAM 1064.2(a)(1). 41 NIST SP 800-34, rev. 1, Contingency Planning Guide for Federal Information Systems (May 2010) (last updated Nov. 11, 2010). 42 NIST SP 800-53, rev. 3, Recommended Security Controls for Federal Information Systems and Organizations (Aug 2009). 27 UNCLASSIFIED
UNCLASSIFIED � Document and maintain alternate site locations and procedures for accessing an alternate site. � Develop and maintain contingency plans for all major applications and general support systems. � Maintain and update recovery and restoration procedures for all applications and general support systems. Management Response: The Department stated it “will document compliance and/or non-compliance to the OIG findings and take the necessary corrective action.” OIG Analysis: OIG considers this recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that the Department has documented and is maintaining and updating the contingency plan program documentation. Recommendation 15. As required by National Institute of Standards and Technology (NIST) Special Publications (SP) 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems and SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, we recommend that the Chief Information Officer: � Revise the Information Resource Management/ Information Assurance Contingency Plan Test Review checklist to address the following items: o Recovery and damage assessment procedures o Alternate recovery site details o Back-up procedures o Back-up test results for moderate- and high-impact systems � Revise the Contingency Plan Policy to include an organization-defined frequency for backup testing. � Revise the Foreign Affairs Manual to require system owners to report to IRM/IA on the test results and updates to the contingency plans. Management Response: The Department stated it “will document compliance and/or non-compliance to the OIG findings and take the necessary corrective action.” OIG Analysis: OIG considers this recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that the Department has updated the FAM policy regarding backup and updates to the contingency plans, has updated the Contingency Plan Test Review checklist, and has remediated deficiencies found within the individual information system contingency plans. 28 UNCLASSIFIED
Page 1: Office of Inspector General UNCLASS
Page 5 and 6: UNCLASSIFIED IT information technol
Page 7 and 8: UNCLASSIFIED APPENDIX F. SYSTEMS WI
Page 9 and 10: UNCLASSIFIED patches within require
Page 11 and 12: UNCLASSIFIED We found that the Cont
Page 13 and 14: UNCLASSIFIED improvements regarding
Page 15 and 16: UNCLASSIFIED Diplomatic Security/Se
Page 17 and 18: UNCLASSIFIED Department’s risk ma
Page 19 and 20: UNCLASSIFIED performance. For examp
Page 21 and 22: UNCLASSIFIED � From a sample of 2
Page 23 and 24: UNCLASSIFIED 800-37 18 states that
Page 25 and 26: UNCLASSIFIED � Approximately 300
Page 27 and 28: UNCLASSIFIED � One of 25 OpenNet
Page 29 and 30: UNCLASSIFIED that an organization-d
Page 31 and 32: UNCLASSIFIED indicated that the foc
Page 33: UNCLASSIFIED Management Response: T
Page 37 and 38: UNCLASSIFIED The Department’s con
Page 39 and 40: UNCLASSIFIED For four 46 of 10 appr
Page 41 and 42: UNCLASSIFIED OIG Additional Analyse
Page 43 and 44: UNCLASSIFIED List of Current Year R
Page 45 and 46: UNCLASSIFIED � Develop operating
Page 47 and 48: UNCLASSIFIED required by the Office
Page 49 and 50: UNCLASSIFIED DRAFT We used the foll
Page 51 and 52: UNCLASSIFIED Appendix B. Followup o
Page 53 and 54: UNCLASSIFIED program managers and o
Page 55 and 56: UNCLASSIFIED Appendix D. Systems Wi
Page 57 and 58: UNCLASSIFIED Appendix E. Vulnerabil
Page 59 and 60: UNCLASSIFIED For the 16 systems tes
Page 61 and 62: UNCLASSIFIED SMART-SBU Windows File
Page 63 and 64: (b) (5) UNCLASSIFIED Appendix G. Se
Page 65 and 66: NIST SP 800-37 NIST SP 800-37 Confi
Page 67: UNCLASSIFIED System Telegram Distri
Page 71 and 72: UNCLASSIFIED UNCLASSIFIED 3 justifi
Page 74 and 75: UNCLASSIFIED 6 Department Response
Page 76 and 77: UNCLASSIFIED UNCLASSIFIED 8 The Dep
Page 78 and 79: UNCLASSIFIED UNCLASSIFIED 10 • De
Page 80 and 81: UNCLASSIFIED UNCLASSIFIED 12 The De
Page 82: UNCLASSIFIED UNCLASSIFIED

Evaluation of Department of State Information Security Program ...

Create successful ePaper yourself

Delete template?

Save as template?