Audit of the Millennium Challenge Corporation’s Fiscal Year 2015 Compliance with the Federal Information Security Management Act of 2002, As Amended
Recommendations
We recommend that the Millennium Challenge Corporation's Chief Information Officer implement automated controls to disable inactive MCCNet accounts when they reach the Corporation's inactivity threshold. If management determines that using such controls is not feasible, document that decision in writing and implement mitigating manual controls.
We recommend that the Millennium Challenge Corporation's Vice President of Administration and Finance document and implement a process to perform periodic, as defined by the Corporation, reviews of the exit clearance process to determine whether personnel are maintaining exit forms as required.
We recommend that the Millennium Challenge Corporation's Chief Information Officer develop and implement a written process to validate whether the plans of action and milestones are completed and updated on time.
We recommend that the Millennium Challenge Corporation's Chief Information Officer document and implement a process to verify whether mobile devices are encrypted prior to use for Corporation business.
We recommend that the Millennium Challenge Corporation's Chief Information Officer document and implement a process to verify on a periodic basis, as defined by the Corporation, the status of encryption on all mobile devices containing Corporation data and take corrective action, if necessary.
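The two mobile-device recommendations above (verify encryption before first use, then re-verify periodically and act on gaps) can be expressed as one review routine over a device inventory. The code below is an added example, not the Corporation's process: it assumes a constructed MDM-style inventory with an encryption flag that may be unknown, and treats a device whose last check-in is older than an assumed 30-day window as unverified rather than compliant, since a stale "encrypted" report is not evidence of current status.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed window after which a device's last reported status is no longer trusted.
STALE_CHECKIN_DAYS = 30


@dataclass
class Device:
    """One constructed inventory row (field names are assumptions)."""
    device_id: str
    owner: str
    encrypted: Optional[bool]       # None: management platform has no status for it
    has_corp_data: bool
    last_checkin: Optional[date]    # None: never reported in


def may_use_for_corp_business(dev: Device) -> bool:
    """Pre-use gate: only a device positively reporting encryption is cleared."""
    return dev.encrypted is True


def periodic_encryption_review(
    devices: List[Device], today: date, stale_days: int = STALE_CHECKIN_DAYS
) -> Dict[str, List[str]]:
    """Bucket devices for the periodic review; each bucket maps to a corrective action."""
    findings: Dict[str, List[str]] = {
        "compliant": [],      # encrypted, recent status
        "noncompliant": [],   # holds Corporation data, reports unencrypted: block and remediate
        "unverified": [],     # status unknown or stale: locate device, force re-check-in
        "out_of_scope": [],   # no Corporation data on the device
    }
    for dev in devices:
        if not dev.has_corp_data:
            findings["out_of_scope"].append(dev.device_id)
            continue
        stale = dev.last_checkin is None or (today - dev.last_checkin).days > stale_days
        if dev.encrypted is None or stale:
            findings["unverified"].append(dev.device_id)
        elif dev.encrypted:
            findings["compliant"].append(dev.device_id)
        else:
            findings["noncompliant"].append(dev.device_id)
    return findings


# Constructed inventory for the run below.
SAMPLE_DEVICES = [
    Device("D1", "alice", True, True, date(2016, 1, 10)),
    Device("D2", "bob", False, True, date(2016, 1, 12)),
    Device("D3", "carol", None, True, date(2016, 1, 14)),
    Device("D4", "dave", True, True, date(2015, 11, 1)),
    Device("D5", "erin", False, False, date(2016, 1, 13)),
]
REVIEW_DATE = date(2016, 1, 15)

if __name__ == "__main__":
    for bucket, ids in periodic_encryption_review(SAMPLE_DEVICES, REVIEW_DATE).items():
        print(f"{bucket}: {ids}")
```

The "unverified" bucket is the one a periodic process most often misses: D4 reported encryption months ago, and without the staleness rule it would be counted as compliant with no current evidence.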
We recommend that the Millennium Challenge Corporation's Chief Information Officer implement multifactor authentication for all network accounts and document the results.
We recommend that the Millennium Challenge Corporation's Chief Information Officer document and implement a written process to confirm that system risk assessments are completed in compliance with the Corporation's risk assessment policy and procedures.
We recommend that the Millennium Challenge Corporation's Chief Information Officer complete and implement automated system controls to support the detection and protection of information related to privacy.