The Overseas Private Investment Corporation Has Implemented Many Controls In Support of FISMA For Fiscal Year 2016, But Improvements Are Needed

The Overseas Private Investment Corporation's chief information officer remediate vulnerabilities on the network identified by the Office of Inspector General's contractor, as appropriate, or document acceptance of the risks of those vulnerabilities.

(SBU) The Overseas Private Investment Corporation's chief information officer document a separation-of-duties matrix for Oracle E-Business Suite user roles and responsibilities.

(SBU) The Overseas Private Investment Corporation's chief information officer implement a written process to recertify Oracle EBusiness Suite accounts annually, including evaluating the separation of duties.

(SBU) The Overseas Private Investment Corporation's chief information officer implement a written process to disable inactive Oracle E=Business Suite accounts.

(SBU) The Overseas Private Investment Corporation's chief information officer implement Homeland Security Presidential Directive 12 personal identity verification for authentication of network user accounts as required by Office of Management and Budget M-16-04, "Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government," (October 30, 2015)
and document the results.

(SBU) The Overseas Private Investment Corporation's chief information officer either disable Citrix local drive mapping where non-Corporation equipment is used, and document the results, or document acceptance of the risk of allowing Citrix local drive mapping where non-Corporation equipment is used.

The Overseas Private Investment Corporation's chief information officer document and implement asset management procedures, including inventorying information system assets on an organization-defined frequency.

(SBU) The Overseas Private Investment Corporation's chief information officer document and implement a separation-of-duties matrix for OPIC Insight user roles and responsibilities.

The Overseas Private Investment Corporation's chief information security officer, in coordination with the security officer, document and implement physical and environmental security policies and procedures including reviews of physical access as defined by National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations."

The Overseas Private Investment Corporation's chief information officer document and implement an enterprise architecture methodology in line with the Federal enterprise architecture and risk
management framework.

The Overseas Private Investment Corporation's chief information officer update the Corporation's incident response plan to include the time frames for reporting incidents as specified in the "United States Computer Emergency Readiness Team Federal Incident Notification Guidelines."

The Overseas Private Investment Corporation's chief information officer complete the implementation of the Training Management System and verify in writing that records are retained for the Corporation-specified period.

(SBU) The Overseas Private Investment Corporation's chief information officer implement a documented process to validate whether the annual testing of the Corporation's information system contingency plan is completed.

(SBU) The Overseas Private Investment Corporation's chief information officer document and implement processes to achieve acceptable compliance with configuration baseline settings for Windows 2003, Windows 2008, and CentOS servers.

The Overseas Private Investment Corporation's chief information officer implement the process to validate whether plans of action and milestones are completed and updated on time and document the results.

(SBU) The Overseas Private Investment Corporation's chief information security officer review the accreditation boundaries of the OPIC External Services system, align external services with related mission functions, and document the results.

(SBU) The Overseas Private Investment Corporation's chief information security officer implement a written process to assess external services before their authorizations to operate expire.