Audit of USAID/West Bank and Gaza's Partner Vetting and Geo-Management Information Systems

Recommendation 1
USAID/West Bank and Gaza implement written risk assessment procedures that document the roles and responsibilities of mission staff and provide for periodic review of the Geo-Management Information System, in accordance with National Institute of Standards and Technology Special Publication 800-53.
Questioned Cost: 0
Close Date:

Recommendation 2
USAID/West Bank and Gaza document a risk assessment of the Geo-Management Information System in accordance with Federal Information Processing Standard 199 and National Institute of Standards and Technology Special Publication 800-30, and categorize the system as low-, moderate-, or high-risk.
Questioned Cost: 0
Close Date:

Recommendation 3
USAID/Office of Security implement procedures to conduct and document periodic risk assessments for the Partner Vetting System Nongovernmental Organization Portal to comply with the guidance of National Institute of Standards and Technology Special Publication 800-53.
Questioned Cost: 0
Close Date:

Recommendation 4
USAID/West Bank and Gaza prepare a written security assessment of the Geo-Management Information System in accordance with National Institute of Standards and Technology Special Publication 800-53.
Questioned Cost: 0
Close Date:

Recommendation 5
Based on the results of the security assessment, we recommend that USAID/West Bank and Gaza document its plan of action and milestones for the Geo-Management Information System in accordance with National Institute of Standards and Technology Special Publication 800-53.
Questioned Cost: 0
Close Date:

Recommendation 6
USAID/Office of Security update the Partner Vetting System Nongovernmental Portal plan of action and milestones to include estimated completion dates for its established milestones.
Questioned Cost: 0
Close Date:

Recommendation 7
Once the estimated completion dates are in the Partner Vetting System Nongovernmental Portal's plan of action and milestones, we recommend that USAID/Office of Security conduct periodic reviews and document updates on the actions taken to address any security control weaknesses by the completion dates.
Questioned Cost: 0
Close Date:

Recommendation 8
USAID/West Bank and Gaza obtain a certified authorization to operate the Geo-Management Information System from the Agency's Chief Information Security Officer in accordance with Automated Directives System 545.
Questioned Cost: 0
Close Date:

Recommendation 9
USAID/West Bank and Gaza implement a security plan for the Geo-Management Information System in accordance with National Institute of Standards and Technology Special Publications 800-53 and 800-18.
Questioned Cost: 0
Close Date:

Recommendation 10
USAID/West Bank and Gaza implement comprehensive contingency plan procedures, in accordance with National Institute of Standards and Technology Special Publications 800-53 and 800-34, for its information systems, including the Geo-Management Information System.
Questioned Cost: 0
Close Date:

Recommendation 11
Upon completion of the Geo-Management Information System contingency plan, we recommend that USAID/West Bank and Gaza implement procedures to test the plan annually and update it as needed based on the results.
Questioned Cost: 0
Close Date:

Recommendation 12
USAID/Office of Security review the Partner Vetting System Nongovernmental Organization Portal contingency plan and make corrections as necessary in accordance with National Institute of Standards and Technology Special Publication 800-53.
Questioned Cost: 0
Close Date:

Recommendation 13
USAID/Office of Security complete its annual testing of the Partner Vetting System and the Partner Vetting System Nongovernmental Organization Portal, and update the contingency plans based on the results.
Questioned Cost: 0
Close Date:

Recommendation 14
USAID/West Bank and Gaza coordinate with USAID/Office of Security to identify an alternate processing site for the Partner Vetting System Nongovernmental Organization Portal and incorporate the site into its contingency plan.
Questioned Cost: 0
Close Date:

Recommendation 15
USAID/West Bank and Gaza include in its Geo-Management Information System contingency plan the recovery of the information systems once normal operations resume.
Questioned Cost: 0
Close Date:

Recommendation 16
USAID/West Bank and Gaza modify the Geo-Management Information System to include a transaction recovery mechanism, such as transaction rollback or transaction journaling, to assist in the recovery of the database in the event of a failure, as required by National Institute of Standards and Technology Special Publication 800-53.
Questioned Cost: 0
Close Date:

Recommendation 17
USAID/West Bank and Gaza modify its Geo-Management Information System access control procedures to include the topics required by National Institute of Standards and Technology Special Publication 800-53.
Questioned Cost: 0
Close Date:

Recommendation 18
USAID/West Bank and Gaza implement procedures that define and require periodic review of user accounts and roles, and deactivation of invalid user accounts, within the Geo-Management Information System, the Partner Vetting System, and the Partner Vetting System Nongovernmental Organization Portal, as required by National Institute of Standards and Technology Special Publication 800-53.
Questioned Cost: 0
Close Date:

Recommendation 19
USAID/Office of Security incorporate audit trails for creation of user accounts, last user log-ons, role modifications, and disabling of user accounts into the Partner Vetting System, as required by National Institute of Standards and Technology Special Publication 800-53, and give USAID/West Bank and Gaza access to the audit trails.
Questioned Cost: 0
Close Date:

Recommendation 20
USAID/West Bank and Gaza incorporate audit trails for creation of user accounts, last user log-ons, role modifications, and disabling of user accounts into the Geo-Management Information System, as required by National Institute of Standards and Technology Special Publication 800-53.
Questioned Cost: 0
Close Date:

Recommendation 21
USAID/West Bank and Gaza implement procedures requiring written access requests for all authorized Partner Vetting System and Geo-Management Information System users.
Questioned Cost: 0
Close Date:

Recommendation 22
USAID/West Bank and Gaza review the roles assigned to Geo-Management Information System and Partner Vetting System administrators, document the review results, and correct any separation-of-duties weaknesses noted, or document the reasons for not correcting them.
Questioned Cost: 0
Close Date:

Recommendation 23
USAID/West Bank and Gaza review users with system administrator rights and other privileged roles in the Partner Vetting System, document the results of the review, and remove these roles as needed to enforce least privilege.
Questioned Cost: 0
Close Date:

Recommendation 24
USAID/West Bank and Gaza document the acceptable number of user log-on attempts before a Geo-Management Information System user account is locked, and incorporate this control into the Geo-Management Information System application.
Questioned Cost: 0
Close Date:

Recommendation 25
USAID/West Bank and Gaza modify its Geo-Management Information System user notification to comply with National Institute of Standards and Technology Special Publication 800-53.
Questioned Cost: 0
Close Date:

Recommendation 26
USAID/West Bank and Gaza define and document its session lock criteria for the Geo-Management Information System in management-approved procedures.
Questioned Cost: 0
Close Date:

Recommendation 27
USAID/West Bank and Gaza modify the Geo-Management Information System to prevent the display of data once the system locks the session.
Questioned Cost: 0
Close Date:

Recommendation 28
USAID/West Bank and Gaza provide training to the system administrators of the Partner Vetting System, the Partner Vetting System Nongovernmental Organization Portal, and the Geo-Management Information System on information system security and the security requirements for federal information systems.
Questioned Cost: 0
Close Date:

Recommendation 29
USAID/West Bank and Gaza implement a comprehensive identification and authentication policy and procedures for the Geo-Management Information System to comply with the guidance of National Institute of Standards and Technology Special Publication 800-53.
Questioned Cost: 0
Close Date:

Recommendation 30
Following the implementation of the identification and authentication policy and procedures for the Geo-Management Information System, we recommend that USAID/West Bank and Gaza implement procedures to conduct periodic reviews and document the review results to comply with the guidance of National Institute of Standards and Technology Special Publication 800-53.
Questioned Cost: 0
Close Date:

Recommendation 31
USAID/West Bank and Gaza incorporate authenticator management controls in the Geo-Management Information System to enforce minimum password complexity, a minimum number of changed characters when new passwords are created, encrypted representations of passwords for storage and transmission, password minimum and maximum lifetime restrictions, rules governing the recycling of passwords, and the use of a temporary password for system log-ons with an immediate change to a permanent password, in compliance with National Institute of Standards and Technology Special Publication 800-53.
Questioned Cost: 0
Close Date:

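Recommendations 24 and 31 list the concrete controls the Geo-Management Information System was missing: a documented log-on attempt threshold with lockout, and the authenticator management rules (complexity, minimum changed characters, protected storage of passwords, minimum and maximum lifetime, no recycling, temporary passwords that must be replaced at first log-on). The example below is added here to show what enforcing that set of rules looks like in code; it is not code from the audited systems or from the audit. All thresholds (12-character minimum, 3 of 4 character classes, 4 changed characters, 6-password history, 1-day and 90-day lifetimes, 5 attempts before lockout) are constructed assumptions chosen to exercise each rule, and the "encrypted representation for storage" control is met with a salted one-way hash (PBKDF2), which is how a password verifier is normally stored.

```python
"""Authenticator management (password rules) and log-on lockout for one account.

Added example for this page; not code from the audited USAID systems.
Every threshold below is a constructed assumption chosen to exercise each rule.
"""
import hashlib
import hmac
import os
import string
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 12                     # assumption: minimum password length
MIN_CLASSES = 3                     # assumption: of lower / upper / digit / symbol
MIN_CHANGED_CHARS = 4               # assumption: characters that must differ from the old password
HISTORY_DEPTH = 6                   # assumption: previous passwords that may not be recycled
MIN_LIFETIME = timedelta(days=1)    # assumption: no voluntary change sooner than this
MAX_LIFETIME = timedelta(days=90)   # assumption: change forced after this
LOCKOUT_THRESHOLD = 5               # assumption: failed log-ons before the account locks
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted one-way hash: only (salt, digest) is stored or transmitted, never the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def complexity_errors(password: str) -> list[str]:
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("too short")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password))
    if sum(classes) < MIN_CLASSES:
        errors.append(f"needs {MIN_CLASSES} of 4 character classes")
    return errors


def changed_characters(old: str, new: str) -> int:
    """Characters in the new password that cannot be matched to one in the old (multiset difference)."""
    return sum((Counter(new) - Counter(old)).values())


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: datetime
    must_change: bool = False                    # set when a temporary password is issued
    history: list = field(default_factory=list)  # previous (salt, digest) pairs
    failed_logons: int = 0
    locked: bool = False


def create_account(temp_password: str, now: datetime) -> Account:
    """Issue a temporary password that must be replaced at first log-on."""
    salt, digest = hash_password(temp_password)
    return Account(salt, digest, now, must_change=True)


def log_on(acct: Account, password: str, now: datetime) -> str:
    """Return 'locked', 'denied', 'change_required' or 'ok'."""
    if acct.locked:
        return "locked"
    if not matches(password, acct.salt, acct.digest):
        acct.failed_logons += 1
        if acct.failed_logons >= LOCKOUT_THRESHOLD:
            acct.locked = True
            return "locked"
        return "denied"
    acct.failed_logons = 0
    if acct.must_change or now - acct.changed_at > MAX_LIFETIME:
        return "change_required"
    return "ok"


def change_password(acct: Account, old: str, new: str, now: datetime) -> list[str]:
    """Apply every rule; return the violations (an empty list means the change was made)."""
    if not matches(old, acct.salt, acct.digest):
        return ["current password incorrect"]
    errors = []
    if not acct.must_change and now - acct.changed_at < MIN_LIFETIME:
        errors.append("minimum lifetime not reached")
    errors += complexity_errors(new)
    if changed_characters(old, new) < MIN_CHANGED_CHARS:
        errors.append("too few changed characters")
    if matches(new, acct.salt, acct.digest) or any(matches(new, s, d) for s, d in acct.history):
        errors.append("password recycled")
    if errors:
        return errors
    acct.history = [(acct.salt, acct.digest)] + acct.history[:HISTORY_DEPTH - 1]
    acct.salt, acct.digest = hash_password(new)
    acct.changed_at, acct.must_change = now, False
    return []


def demo() -> dict:
    """Walk one account through each rule with constructed passwords and dates."""
    t0 = datetime(2024, 1, 1)
    acct = create_account("Temp-Pass-2024!x", t0)
    out = {"temp_logon": log_on(acct, "Temp-Pass-2024!x", t0)}
    out["same"] = change_password(acct, "Temp-Pass-2024!x", "Temp-Pass-2024!x", t0)
    out["weak"] = change_password(acct, "Temp-Pass-2024!x", "shortpw", t0)
    out["good"] = change_password(acct, "Temp-Pass-2024!x", "Correct-Horse-Battery-9", t0)
    out["too_soon"] = change_password(acct, "Correct-Horse-Battery-9", "Another-Good-Pass-77", t0 + timedelta(hours=2))
    out["recycled"] = change_password(acct, "Correct-Horse-Battery-9", "Temp-Pass-2024!x", t0 + timedelta(days=2))
    out["expired"] = log_on(acct, "Correct-Horse-Battery-9", t0 + timedelta(days=100))
    out["lockout"] = [log_on(acct, "wrong-guess", t0) for _ in range(LOCKOUT_THRESHOLD)]
    out["locked_correct"] = log_on(acct, "Correct-Horse-Battery-9", t0)
    return out


if __name__ == "__main__":
    for rule, result in demo().items():
        print(f"{rule}: {result}")
```

`demo()` exercises each control in turn: the temporary password logs on only into a change-required state, an unchanged or weak replacement is rejected with the specific rule violated, a change inside the minimum lifetime is refused, a previously used password is refused from history, a password older than the maximum lifetime forces a change, and five wrong guesses lock the account so that even the correct password is then refused. Lockout and history depth are kept as plain constants so the documented threshold that Recommendation 24 asks for is visible in one place.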
Recommendation 32
USAID/Office of Security incorporate authenticator management controls in the Partner Vetting System Nongovernmental Organization Portal to enforce minimum password lifetime parameters for user accounts to comply with National Institute of Standards and Technology Special Publication 800-53.
Questioned Cost: 0
Close Date:

Recommendation 33
USAID/West Bank and Gaza implement controls in the Geo-Management Information System so that the system does not retain user log-ons after it terminates a communication session.
Questioned Cost: 0
Close Date:

Recommendation 34
USAID/West Bank and Gaza use a secure session for transmitting data from its implementing partners.
Questioned Cost: 0
Close Date:

Recommendation 35
USAID/West Bank and Gaza, in coordination with USAID/Office of Security, implement the changes necessary in the Partner Vetting System Nongovernmental Organization Portal to eliminate the restrictions on age limits in the birth date fields of the Partner Information Form and to allow the changes made to be reflected in the form.
Questioned Cost: 0
Close Date:

Recommendation 36
USAID/West Bank and Gaza review and document the frequency and level of certification required of contracting officer's representatives and agreement officer's representatives in the Geo-Management Information System.
Questioned Cost: 0
Close Date:

Recommendation 37
USAID/West Bank and Gaza implement a policy to periodically validate contracting officer's representatives' and agreement officer's representatives' compliance with Geo-Management Information System certification requirements.
Questioned Cost: 0
Close Date: