The United States African Development Foundation’s Information Security Program Needs Improvements To Comply With FISMA

Recommendations

Recommendation 1

The United States African Development Foundation's president appoint in writing a senior-level chief information security officer in accordance with the Federal Information Security Modernization Act and National Institute of Standards and Technology guidance.

Questioned Cost: 0
Close Date:
Recommendation 2

The United States African Development Foundation's chief information security officer document and implement a process to review and update system security plans to reflect National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations." At a minimum, this process should include determining whether the security requirements and controls for the system are adequately documented and reflect the current information system environment.

Questioned Cost: 0
Close Date:
Recommendation 3

The United States African Development Foundation's chief information security officer document and implement a process to perform security assessments in accordance with National Institute of Standards and Technology standards. This process should include documenting the assessment procedures to be used to determine security control effectiveness and testing the operating effectiveness of security controls.

Questioned Cost: 0
Close Date:
Recommendation 4

The United States African Development Foundation's chief information security officer document and implement a process for assessing risk in internal and cloud service providers' systems (taking into account all known vulnerabilities and threat sources, security controls planned or in place, and residual risk) so that the authorizing official for each system is aware of its security state.

Questioned Cost: 0
Close Date:
Recommendation 5

The United States African Development Foundation's chief information security officer document and implement a process to update all known security weaknesses and associated corrective plans quarterly, as required by the foundation's policy, and include them in the plan of action and milestones.

Questioned Cost: 0
Close Date:
Recommendation 6

The United States African Development Foundation's chief information security officer document and implement a process to develop, communicate, and implement an organization-wide risk management strategy associated with the operation and use of the foundation's information systems in accordance with National Institute of Standards and Technology standards.

Questioned Cost: 0
Close Date:
Recommendation 7

The United States African Development Foundation's chief information security officer document and implement a process to review and maintain an up-to-date information system inventory.

Questioned Cost: 0
Close Date:
Recommendation 8

The United States African Development Foundation's chief information security officer document and implement a process to develop, document, and implement an enterprise architecture in accordance with National Institute of Standards and Technology standards.

Questioned Cost: 0
Close Date:
Recommendation 9

The United States African Development Foundation's chief information security officer document and implement a process to perform quarterly scans of all Internet Protocol address ranges in the network.

Questioned Cost: 0
Close Date:
Recommendation 10

The United States African Development Foundation's chief information security officer document and implement a process to track and remediate vulnerabilities in a timely manner in accordance with the foundation's policy. This process should include ascertaining that patches are tested before being put into production and are applied promptly in accordance with policy.

Questioned Cost: 0
Close Date:
Recommendation 11

The United States African Development Foundation's chief information security officer document and implement a process to migrate unsupported applications to platforms supported by vendors. For unsupported applications that cannot be migrated immediately, this process must include documenting the risk of leaving them on their current platforms, acceptance of that risk, and the compensating controls that will be used until migration is possible.

Questioned Cost: 0
Close Date:
Recommendation 12

The United States African Development Foundation's chief information security officer document and implement a process to scan each workstation for compliance with the United States Government Configuration Baseline settings, including remediating any noncompliant settings.

Questioned Cost: 0
Close Date:
Recommendation 13

The United States African Development Foundation's chief information security officer document and implement a process to remove users' administrator access to foundation workstations and prevent granting that access in the future. This process must include documenting the risk of such access and documenting the approval of any exceptions, along with adequate compensating controls.

Questioned Cost: 0
Close Date:
Recommendation 14

The United States African Development Foundation's chief information security officer document and implement a process to document, approve, and disseminate approved deviations from the United States Government Configuration Baseline settings.

Questioned Cost: 0
Close Date:
Recommendation 15

The United States African Development Foundation's chief information security officer document and implement a process to configure and regularly monitor password settings in accordance with the foundation's policy and to encrypt passwords during authentication.

Questioned Cost: 0
Close Date:
Recommendation 16

The United States African Development Foundation's chief information security officer document and implement a process to specify an organization-defined frequency for reviewing and updating the inventory of information system components.

Questioned Cost: 0
Close Date:
Recommendation 17

The United States African Development Foundation's chief information security officer document and implement a process to maintain the inventory according to policy.

Questioned Cost: 0
Close Date:
Recommendation 18

The United States African Development Foundation's chief information security officer document and implement a process to remove and decommission unused systems promptly.

Questioned Cost: 0
Close Date:
Recommendation 19

The United States African Development Foundation's chief information security officer document and implement a process to implement and enforce multifactor authentication for network access to privileged accounts.

Questioned Cost: 0
Close Date:
Recommendation 20

The United States African Development Foundation's chief information security officer document and implement a process to implement and enforce the use of personal identity verification credentials for access to the foundation's facilities, computers, and network.

Questioned Cost: 0
Close Date: