Audit of the Inter-American Foundation's Fiscal Year 2015 Compliance with the Federal Information Security Management Act of 2002, as Amended
Recommendations
The Inter-American Foundation's Chief Information Officer either remediate vulnerabilities in the network identified by the Office of Inspector General's contractor, as appropriate, and document the results, or document acceptance of the risks of those vulnerabilities.
The Inter-American Foundation's Chief Information Officer implement a documented process to validate the completeness of the vulnerability scans to determine whether all applicable vulnerabilities are identified and either remediated or accepted in a timely manner.
The Inter-American Foundation's Chief Information Officer document and implement procedures to review active network accounts that have not logged in over a specified period of time, as defined by the foundation, to determine whether accounts are necessary.
The Inter-American Foundation's Chief Information Officer document and implement a process to review service and administrator accounts to determine whether passwords are changed within defined periods.
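As an added example (not code from the audit report or the foundation), the two account reviews in the recommendations above, run over a constructed directory export: enabled accounts idle past a defined period, and service or administrator accounts whose password has not been changed within a defined period. The record field names and the 90-day and 365-day thresholds are assumptions, since the report leaves the periods for the foundation to define.

```python
"""Checks for the two account-review recommendations above (added example).
Records mirror a typical directory-service export; field names are assumed:
name, kind ("user"/"service"/"admin"), enabled, last_logon, pwd_last_set
(dates, or None if never).
"""
from datetime import date, timedelta

# Constructed sample export; dates chosen to exercise each branch.
AS_OF = date(2015, 9, 30)
ACCOUNTS = [
    {"name": "jdoe",       "kind": "user",    "enabled": True,  "last_logon": date(2015, 9, 28), "pwd_last_set": date(2015, 7, 1)},
    {"name": "msmith",     "kind": "user",    "enabled": True,  "last_logon": date(2015, 3, 2),  "pwd_last_set": date(2015, 2, 1)},
    {"name": "contractor", "kind": "user",    "enabled": True,  "last_logon": None,              "pwd_last_set": date(2014, 11, 5)},
    {"name": "oldintern",  "kind": "user",    "enabled": False, "last_logon": date(2014, 6, 1),  "pwd_last_set": date(2014, 5, 1)},
    {"name": "svc_backup", "kind": "service", "enabled": True,  "last_logon": date(2015, 9, 29), "pwd_last_set": date(2013, 1, 15)},
    {"name": "da_admin",   "kind": "admin",   "enabled": True,  "last_logon": date(2015, 9, 30), "pwd_last_set": date(2015, 8, 20)},
    {"name": "svc_sql",    "kind": "service", "enabled": True,  "last_logon": date(2015, 9, 30), "pwd_last_set": None},
]

def find_inactive_accounts(accounts, as_of, max_idle_days):
    """Enabled accounts with no logon in the last max_idle_days.
    An enabled account that has never logged in is reported too."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(
        a["name"] for a in accounts
        if a["enabled"] and (a["last_logon"] is None or a["last_logon"] < cutoff)
    )

def find_stale_privileged_passwords(accounts, as_of, max_password_age_days):
    """Enabled service/admin accounts whose password has not been changed
    within max_password_age_days; a password never set counts as stale."""
    cutoff = as_of - timedelta(days=max_password_age_days)
    return sorted(
        a["name"] for a in accounts
        if a["enabled"] and a["kind"] in ("service", "admin")
        and (a["pwd_last_set"] is None or a["pwd_last_set"] < cutoff)
    )

def review(accounts, as_of, max_idle_days=90, max_password_age_days=365):
    """Run both checks; the returned dict is what gets documented as the
    review result. The 90/365-day defaults are assumed, not the foundation's."""
    return {
        "inactive": find_inactive_accounts(accounts, as_of, max_idle_days),
        "stale_privileged_passwords": find_stale_privileged_passwords(
            accounts, as_of, max_password_age_days),
    }

if __name__ == "__main__":
    for finding, names in review(ACCOUNTS, AS_OF).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```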
The Inter-American Foundation's Chief Information Officer update and implement the Information System Security Program Standard Operating Procedures to reflect NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.
The Inter-American Foundation's Chief Information Officer implement a documented process to review and update the IAF Enterprise Network and Software Applications System Security Plan annually. At a minimum, this should include a determination whether the security requirements and controls for the system are documented adequately and reflect the current information system environment.
The Inter-American Foundation's Chief Information Officer implement multi-factor authentication with one factor separate from the system gaining access for the foundation's use of Google Mail.
The Inter-American Foundation's Chief Information Officer implement monitoring controls of humidity levels in the computer room and document the results.
The Inter-American Foundation's Chief Information Officer update the privacy notice on the foundation's public Web site to include:
- The choices, if any, individuals may have regarding how the organization uses personally identifiable information (PII) and the consequences of exercising or not exercising those choices.
- The ability to access and have PII amended or corrected if necessary.
- PII the organization collects and the purpose(s) for which it collects that information.
- How the organization uses PII internally.
- Whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing.
- Whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent.
- How individuals may obtain access to PII and how the PII will be protected.