The United States African Development Foundation’s Information Security Program Needs Improvements To Comply With FISMA
Recommendations
The United States African Development Foundation's president appoint in writing a senior-level chief information security officer in accordance with the Federal Information Security Modernization Act and the National Institute of Standards and Technology.
The United States African Development Foundation's chief information security officer document and implement a process to review and update system security plans to reflect National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations." At a minimum, this process should include determining whether the security requirements and controls for the system are adequately documented and reflect the current information system environment.
The United States African Development Foundation's chief information security officer document and implement a process to perform security assessments in accordance with National Institute of Standards and Technology standards. This process should include documenting the assessment procedures to be used to determine security control effectiveness and testing the operating effectiveness of security controls.
The United States African Development Foundation's chief information security officer document and implement a process for assessing risk in internal and cloud service providers' systems, taking into account all known vulnerabilities and threat sources, security controls planned or in place, and residual risk, so that the authorizing official for each system is aware of its security state.
The United States African Development Foundation's chief information security officer document and implement a process to update all known security weaknesses and associated corrective plans quarterly, as required by the foundation's policy, and include them in the plan of action and milestones.
The United States African Development Foundation's chief information security officer document and implement a process to develop, communicate, and implement an organization-wide risk management strategy associated with the operation and use of the foundation's information systems in accordance with National Institute of Standards and Technology standards.
The United States African Development Foundation's chief information security officer document and implement a process to review and maintain an up-to-date information system inventory.
The United States African Development Foundation's chief information security officer document and implement a process to develop, document, and implement an enterprise architecture in accordance with National Institute of Standards and Technology standards.
The United States African Development Foundation's chief information security officer document and implement a process to perform quarterly scans of all Internet protocol ranges in the network.
The United States African Development Foundation's chief information security officer document and implement a process to track and remediate vulnerabilities in a timely manner in accordance with the foundation's policy. This process should include ascertaining that patches are tested before being put into production and applied promptly in accordance with policy.
The United States African Development Foundation's chief information security officer document and implement a process to migrate unsupported applications to platforms supported by vendors. For unsupported applications that cannot be migrated immediately, this process must include documenting the risk of leaving them on their current platforms, acceptance of that risk, and the compensating controls that will be used until migration is possible.
The United States African Development Foundation's chief information security officer document and implement a process to scan each workstation for compliance with the United States Government Configuration Baseline settings, including remediating any noncompliant settings.
The United States African Development Foundation's chief information security officer document and implement a process to remove users' administrator access to foundation workstations and prevent granting that access in the future. This process must include documenting the risk of such access and documenting the approval of any exceptions, along with adequate compensating controls.
The United States African Development Foundation's chief information security officer document and implement a process to document, approve, and disseminate approved deviations from the United States Government Configuration Baseline settings.
The United States African Development Foundation's chief information security officer document and implement a process to configure and regularly monitor password settings in accordance with the foundation's policy and encrypt passwords during authentication.
The United States African Development Foundation's chief information security officer document and implement a process to specify an organization-defined frequency for reviewing and updating the inventory of information system components.
The United States African Development Foundation's chief information security officer document and implement a process to maintain the inventory according to policy.
The United States African Development Foundation's chief information security officer document and implement a process to remove and decommission unused systems promptly.
The United States African Development Foundation's chief information security officer document and implement a process to implement and enforce multifactor authentication for network access to privileged accounts.
The United States African Development Foundation's chief information security officer document and implement a process to implement and enforce the use of personal identity verification credentials for access to the foundation's facilities, computers, and network.