Audit of the Millennium Challenge Corporation’s Fiscal Year 2015 Compliance with the Federal Information Security Management Act of 2002, As Amended

Recommendations

Recommendation 1

We recommend that the Millennium challenge Corporation's Chief Information Officer implement automated controls to disable inactive MCCNet accounts when they reach the Corporations inactivity threshold. If management determines that using such controls is not feasible, document that decision in writing and implement mitigating manual controls.

Questioned Cost:
$0
Close Date:
Recommendation 2

We recommend that the Millennium Challenge Corporation's Vice President of Administration and Finance document and implement a process to perform periodic, as defined by the Corporation, reviews of the exit clearance process to determine whether personnel are maintaining exit forms as required.

Questioned Cost:
$0
Close Date:
Recommendation 3

We recommend that the Millennium Challenge Corporation's Chief Information Office develop and implement a written process to validate whether the plans of action and milestones are completed and updated on time.

Questioned Cost:
$0
Close Date:
Recommendation 4

We recommend that the Millennium Challenge Corporation's Chief Information Officer document and implement a process to verify whether mobile devices are encrypted prior to use for Corporation business.

Questioned Cost:
$0
Close Date:
Recommendation 5

We recommend that the Millennium Challenge Corporation's Chief Information Officer document and implement a process to verify on a periodic basis, as defined by the corporation, the status of encryption on all mobile devices containing corporation data and take corrective action, if necessary.

Questioned Cost:
$0
Close Date:
Recommendation 6

We recommend that the Millennium Challenge Corporation's Chief Information Officer implement multifactor authentication for all network accounts and document the results.

Questioned Cost:
$0
Close Date:
Recommendation 7

We recommend that the Millennium Challenge Corporation's Chief Information Officer document and implement a written process to confirm that system risk assessments are completed in compliance with the corporation's risk assessment policy and procedures.

Questioned Cost:
$0
Close Date:
Recommendation 8

We recommend that the Millennium Challenge Corporation's Chief Information Officer complete and implement automated system controls to support the detection and protection of information related to privacy.

Questioned Cost:
$0
Close Date: