IAF Generally Implemented an Effective Information Security Program for Fiscal Year 2021 in Support of FISMA

Audit Report
Report Number: A-IAF-22-002-C

We contracted with the independent certified public accounting firm of RMA Associates LLC (RMA) to conduct an audit of the Inter-American Foundation’s (IAF’s) information security program for fiscal year 2021 as required by the Federal Information Security Modernization Act of 2014 (FISMA). The audit firm concluded that IAF generally implemented an effective information security program, which was defined as having an overall mature program based on the fiscal year 2021 inspector general FISMA reporting metrics. Nevertheless, RMA identified weaknesses in all nine FISMA reporting metric domains. We made nine recommendations to address these weaknesses and further strengthen IAF’s information security program.

Recommendations

Recommendation 1

We recommend that IAF's chief information officer fully document and implement a process to include in the risk acceptance forms a clear business reason for risk acceptance and the compensating controls implemented to reduce the risk that vulnerabilities can be exploited.

Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 2

Develop and implement supply chain risk management policies, procedures, and strategies.

Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 3

We recommend that IAF's chief information officer develop and implement a procedure to document risk acceptance when vulnerabilities cannot be remediated within the timeframes specified in IAF's operating procedures.

Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 4

We recommend that IAF's chief information officer approve and implement IAF's Information Resource Management Strategic Plan.

Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 5

We recommend that IAF's chief information officer document and implement a procedure to approve IAF's table-top exercise plans before conducting the exercises.

Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 6

We recommend that IAF's chief information officer document and implement a written process for obtaining and evaluating feedback on IAF's privacy and security training content, including role-based training.

Questioned Cost: 0
Funds for Better Use: 0

Recommendation 7

We recommend that IAF's chief information officer develop and implement a process to document lessons learned related to risk management, configuration management, identity and access management, data protection and privacy, and information security continuous monitoring to improve IAF's security posture.

Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 8

We recommend that IAF's chief information officer develop and implement an information security continuous monitoring strategy.

Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 9

We recommend that IAF's chief information officer develop and implement a written process to document participants in IAF's contingency plan training.

Questioned Cost: 0
Funds for Better Use: 0
Close Date: