The Overseas Private Investment Corporation Has Implemented Many Controls In Support of FISMA For Fiscal Year 2016, But Improvements Are Needed

Recommendations

Recommendation 1

The Overseas Private Investment Corporation's chief information officer remediate vulnerabilities on the network identified by the Office of Inspector General's contractor, as appropriate, or document acceptance of the risks of those vulnerabilities.

Questioned Cost:
$0
Close Date:
Recommendation 2

(SBU) The Overseas Private Investment Corporation's chief information officer document a separation-of-duties matrix for Oracle E-Business Suite user roles and responsibilities.

Questioned Cost:
$0
Close Date:
Recommendation 3

(SBU) The Overseas Private Investment Corporation's chief information officer implement a written process to recertify Oracle E-Business Suite accounts annually, including evaluating the separation of duties.

Questioned Cost:
$0
Close Date:
Recommendation 4

(SBU) The Overseas Private Investment Corporation's chief information officer implement a written process to disable inactive Oracle E-Business Suite accounts.

Questioned Cost:
$0
Close Date:
Recommendation 5

(SBU) The Overseas Private Investment Corporation's chief information officer implement Homeland Security Presidential Directive 12 personal identity verification for authentication of network user accounts as required by Office of Management and Budget M-16-04, "Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government" (October 30, 2015), and document the results.

Questioned Cost:
$0
Close Date:
Recommendation 6

(SBU) The Overseas Private Investment Corporation's chief information officer either disable Citrix local drive mapping where non-Corporation equipment is used, and document the results, or document acceptance of the risk of allowing Citrix local drive mapping where non-Corporation equipment is used.

Questioned Cost:
$0
Close Date:
Recommendation 7

The Overseas Private Investment Corporation's chief information officer document and implement asset management procedures, including inventorying information system assets on an organization-defined frequency.

Questioned Cost:
$0
Close Date:
Recommendation 8

(SBU) The Overseas Private Investment Corporation's chief information officer document and implement a separation-of-duties matrix for OPIC Insight user roles and responsibilities.

Questioned Cost:
$0
Close Date:
Recommendation 9

The Overseas Private Investment Corporation's chief information security officer, in coordination with the security officer, document and implement physical and environmental security policies and procedures including reviews of physical access as defined by National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations."

Questioned Cost:
$0
Close Date:
Recommendation 10

The Overseas Private Investment Corporation's chief information officer document and implement an enterprise architecture methodology in line with the Federal enterprise architecture and risk management framework.

Questioned Cost:
$0
Close Date:
Recommendation 11

The Overseas Private Investment Corporation's chief information officer update the Corporation's incident response plan to include the time frames for reporting incidents as specified in the "United States Computer Emergency Readiness Team Federal Incident Notification Guidelines."

Questioned Cost:
$0
Close Date:
Recommendation 12

The Overseas Private Investment Corporation's chief information officer complete the implementation of the Training Management System and verify in writing that records are retained for the Corporation-specified period.

Questioned Cost:
$0
Close Date:
Recommendation 13

(SBU) The Overseas Private Investment Corporation's chief information officer implement a documented process to validate whether the annual testing of the Corporation's information system contingency plan is completed.

Questioned Cost:
$0
Close Date:
Recommendation 14

(SBU) The Overseas Private Investment Corporation's chief information officer document and implement processes to achieve acceptable compliance with configuration baseline settings for Windows 2003, Windows 2008, and CentOS servers.

Questioned Cost:
$0
Close Date:
Recommendation 15

The Overseas Private Investment Corporation's chief information officer implement the process to validate whether plans of action and milestones are completed and updated on time and document the results.

Questioned Cost:
$0
Close Date:
Recommendation 16

(SBU) The Overseas Private Investment Corporation's chief information security officer review the accreditation boundaries of the OPIC External Services system, align external services with related mission functions, and document the results.

Questioned Cost:
$0
Close Date:
Recommendation 17

(SBU) The Overseas Private Investment Corporation's chief information security officer implement a written process to assess external services before their authorizations to operate expire.

Questioned Cost:
$0
Close Date: