Audit of USAID's Fiscal Year 2015 Compliance with the Federal Information Security Management Act of 2002, as Amended
Recommendations
The Chief Information Officer document and implement procedures to review active network accounts that have not logged in over a specified period of time, as defined by Automated Directives System Chapter 545, "Systems Security Policy," or that have never logged into the system to determine whether accounts are necessary and disable or delete accounts that are unnecessary.
The Director of the Office of Management Policy, Budget, and Performance, in coordination with the Chief Information Officer, the Chief Human Capital Officer, and the Director of the Office of Acquisition and Assistance, document and implement procedures to promptly remove system accounts associated with people no longer at USAID.
The Chief Information Officer implement improved procedures to make sure approved access request forms are maintained for anyone with access to the network.
The Chief Information Officer work with the AIDtracker system owner to update AIDtracker security settings for user inactivity to comply with policy, or issue a written authorization for deviations.
The Chief Information Officer work with the AIDtracker system owner to document and implement procedures to make sure approved access request forms are maintained for anyone with access to the system.
The Director for the Office of Security document and implement procedures to review Partner Vetting System accounts that have not logged in over a specified period of time, as defined by USAID, or that have never logged into the system to determine whether accounts are necessary.
The Chief Information Officer work with the State Department's Director for the Office of U.S. Foreign Assistance Resources to implement procedures to complete, approve, and maintain approved access request forms for privileged users with access to the Foreign Assistance Coordination and Tracking System Info, as required by policy.
The Chief Information Officer work with the State Department's Director for the Office of U.S. Foreign Assistance Resources to document and implement procedures to review active Foreign Assistance Coordination and Tracking System Info accounts that have not logged in over a specified period of time or that have never logged into the system to determine whether accounts are necessary.
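The inactive-account reviews recommended for the USAID network, the Partner Vetting System, and the Foreign Assistance Coordination and Tracking System Info all apply the same rule: an enabled account that has not logged in within the period defined by policy, or that has never logged in, is flagged for review and disabled or deleted if unnecessary. The following is an added worked example of that review logic, not code from the audit or from USAID; the 90-day threshold, the account names and the dates are constructed assumptions (ADS Chapter 545 defines the actual period), and the directory export is represented by an in-memory list rather than a live directory query.

```python
"""Stale-account review: flag enabled accounts that have been inactive past a
threshold or that have never logged in.  Constructed example; the account
records, names and dates are made up, and the 90-day threshold is an assumption
(the audit refers to the period defined in ADS Chapter 545)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

INACTIVITY_DAYS = 90  # assumed review threshold, not the policy value


@dataclass
class Account:
    name: str
    enabled: bool
    created: datetime
    last_logon: Optional[datetime]  # None: the account has never logged in


def review_accounts(accounts: List[Account], now: datetime,
                    inactivity_days: int = INACTIVITY_DAYS) -> List[Tuple[str, str]]:
    """Return (account name, reason) for every enabled account that should be
    reviewed for disablement.  Already-disabled accounts are skipped; a
    never-used account is only flagged once it is older than the threshold, so
    freshly provisioned accounts are not disabled before their owner's first
    login."""
    cutoff = now - timedelta(days=inactivity_days)
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.last_logon is None:
            if acct.created <= cutoff:
                findings.append((acct.name, "never logged in"))
        elif acct.last_logon <= cutoff:
            findings.append((acct.name, f"inactive since {acct.last_logon.date()}"))
    return findings


def disable_flagged(accounts: List[Account], findings: List[Tuple[str, str]]) -> List[str]:
    """Apply the review result by marking flagged accounts disabled (against a
    real directory this step would call the directory's disable API).  Returns
    the names that were disabled, which doubles as the audit trail."""
    flagged = {name for name, _ in findings}
    disabled = []
    for acct in accounts:
        if acct.name in flagged and acct.enabled:
            acct.enabled = False
            disabled.append(acct.name)
    return disabled


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample directory export (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, utc(2014, 1, 15), utc(2015, 9, 28)),   # recently active
    Account("asmith", True, utc(2014, 3, 2), utc(2015, 4, 1)),   # inactive > 90 days
    Account("svc-report", True, utc(2015, 2, 10), None),         # never logged in, old
    Account("newhire", True, utc(2015, 9, 25), None),            # never logged in, but new
    Account("oldctr", False, utc(2013, 6, 1), utc(2014, 1, 1)),  # already disabled
]
REVIEW_DATE = utc(2015, 9, 30)  # constructed review date (end of FY2015)


if __name__ == "__main__":
    for name, reason in review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{name}: {reason} -> recommend disable")
```

Run on the sample export, the review flags asmith (inactive) and svc-report (never used and older than the threshold) while leaving the recently active user, the freshly provisioned account and the already-disabled account alone; a second pass after disable_flagged returns nothing, which is the check a reviewer would use to confirm the procedure was actually carried out.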
The Chief Information Officer work with the State Department's Director for the Office of U.S. Foreign Assistance Resources to document and implement procedures to review Foreign Assistance Coordination and Tracking System Info accounts periodically for appropriateness.
The Chief Information Officer conduct a full system reauthorization for the AIDtracker system in accordance with USAID's policy.
The Chief Information Officer conduct a full system reauthorization for the Partner Vetting System in accordance with USAID's policy.
The Chief Information Officer implement a documented validation process to confirm that continuous monitoring activities (such as updating system security plans, risk assessments, security assessments, and plans of action and milestones) are occurring for all USAID systems on a periodic basis, as defined by USAID, and as significant system changes occur.
The Chief Information Officer document and implement a process to confirm that the role-based training program is implemented as applicable for all employees and contractors requiring role-based training, and ensure that the training is tracked and documented.
The Chief Information Officer update the AIDNet system security plan to fully document the system's security controls.
The Director for the Office of Security implement a documented validation process to confirm that the Partner Vetting System contingency plan is reviewed, updated, and tested annually.
The Chief Information Officer document a formal memorandum of understanding with the alternate processing vendor.
The Director for the Office of Security document, implement, test, and maintain a current, accurate baseline configuration for the Partner Vetting System.