Audit of the U.S. African Development Foundation's Fiscal Year 2013 Compliance with the Federal Information Security Management Act of 2002

Recommendations

Recommendation 1

The USADF Chief Information Officer update and implement USADF vulnerability management procedures to address how management reviews scan results and how it documents and tracks all vulnerabilities identified in scans in a timely manner. If management determines that an identified vulnerability is not applicable to the environment or cannot be fixed for a valid business reason, management should formally document that decision and retain the documentation for future reference.

Questioned Cost:
$0
Close Date:
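
The following is an added example of the tracking control described in Recommendation 1; it is not part of the audit report and not USADF's own tooling. It keeps one record per host and scan plugin across successive scans, assigns a remediation deadline by severity, and treats a finding as closed only when a later scan no longer reports it or when a formal risk acceptance with a written justification, an approver and an expiry date is on file. Host names, plugin identifiers, dates and the SLA values are constructed sample data.

```python
"""Vulnerability tracking with formally recorded risk acceptances.

Added example; not part of the audit report. All hosts, scan plugin
identifiers, dates and SLA values are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional, Tuple

# Assumed remediation deadlines (days after first detection) by severity.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

Key = Tuple[str, str]  # (host, plugin_id)


@dataclass
class Finding:
    host: str
    plugin_id: str
    severity: str
    first_seen: date
    last_seen: date
    fixed_on: Optional[date] = None


@dataclass
class RiskAcceptance:
    justification: str
    approved_by: str
    approved_on: date
    expires_on: date


class VulnTracker:
    def __init__(self) -> None:
        self.findings: Dict[Key, Finding] = {}
        self.acceptances: Dict[Key, RiskAcceptance] = {}

    def ingest_scan(self, scan_date: date, rows: Iterable[Tuple[str, str, str]]) -> None:
        """Record one scan; rows are (host, plugin_id, severity) tuples.
        New findings are opened, repeats update last_seen, and open findings
        that no longer appear are marked fixed on this scan's date."""
        seen = set()
        for host, plugin_id, severity in rows:
            key = (host, plugin_id)
            seen.add(key)
            f = self.findings.get(key)
            if f is None:
                self.findings[key] = Finding(host, plugin_id, severity, scan_date, scan_date)
            else:
                f.last_seen = scan_date
                f.fixed_on = None  # regressed: reopen but keep the original first_seen
        for key, f in self.findings.items():
            if key not in seen and f.fixed_on is None:
                f.fixed_on = scan_date

    def accept_risk(self, host: str, plugin_id: str, justification: str,
                    approved_by: str, approved_on: date, expires_on: date) -> None:
        """Formally document that a finding will not be fixed. An acceptance
        without a written justification or a future expiry is rejected, so an
        exception cannot silently become permanent."""
        if not justification.strip():
            raise ValueError("risk acceptance requires a written justification")
        if expires_on <= approved_on:
            raise ValueError("risk acceptance must expire at a future date")
        if (host, plugin_id) not in self.findings:
            raise KeyError(f"no finding recorded for {host}/{plugin_id}")
        self.acceptances[(host, plugin_id)] = RiskAcceptance(
            justification, approved_by, approved_on, expires_on)

    def status(self, key: Key, today: date) -> str:
        f = self.findings[key]
        if f.fixed_on is not None:
            return "fixed"
        acc = self.acceptances.get(key)
        if acc is not None and acc.expires_on > today:
            return "accepted"  # an expired acceptance falls through and is re-aged
        due = f.first_seen + timedelta(days=SLA_DAYS[f.severity])
        return "overdue" if today > due else "open"

    def report(self, today: date) -> Dict[Key, str]:
        return {key: self.status(key, today) for key in self.findings}


def demo() -> Dict[Key, str]:
    """Two constructed scans three weeks apart and one documented exception."""
    t = VulnTracker()
    t.ingest_scan(date(2013, 7, 30), [
        ("fileserver01", "plugin-1001", "critical"),
        ("fileserver01", "plugin-1002", "medium"),
        ("appsrv02", "plugin-1003", "high"),
    ])
    t.ingest_scan(date(2013, 8, 20), [
        ("fileserver01", "plugin-1002", "medium"),  # still present
        ("appsrv02", "plugin-1003", "high"),        # still present
    ])
    t.accept_risk("fileserver01", "plugin-1002",
                  "legacy client depends on this setting until replacement in FY2014",
                  "CIO", date(2013, 8, 21), date(2014, 1, 31))
    return t.report(date(2013, 9, 15))


if __name__ == "__main__":
    for (host, plugin_id), state in demo().items():
        print(f"{host:14} {plugin_id:12} {state}")
```

The point of the expiry date is the caveat in the recommendation: an exception that is "not applicable" or "cannot be fixed" is still re-aged against its original first-seen date once the acceptance lapses, so the item comes back as overdue rather than disappearing from the tracker.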
Recommendation 2

The USADF Chief Information Officer take appropriate action to address all vulnerabilities identified in our internal vulnerability scan conducted on July 30, 2013, and properly document the results.

Questioned Cost:
$0
Close Date:
Recommendation 3

The USADF Chief Information Officer update and implement patch management procedures to ensure that all available patches are installed in a timely manner. For patch installations that fail, a timely analysis should be conducted to determine the cause, and corrective action should be taken.

Questioned Cost:
$0
Close Date:
Recommendation 4

The USADF Chief Information Officer develop, document, and implement procedures to conduct testing over all software updates and patches before installation.

Questioned Cost:
$0
Close Date:
Recommendation 5

The USADF Chief Information Officer assign responsibility for reviewing Wide Area Network and Program Support System security logs to someone other than the system administrator. If management determines this is not feasible, they should document this risk and put compensating controls in place where possible.

Questioned Cost:
$0
Close Date:
Recommendation 6

The USADF Chief Information Officer update the Wide Area Network separation of duties matrix to ensure that all potentially conflicting roles are identified. If no conflicting roles exist for end users, management should specifically note that in the matrix.

Questioned Cost:
$0
Close Date:
Recommendation 7

The USADF Chief Information Officer update the Program Support System separation of duties matrix to ensure that all potentially conflicting roles are identified. If no conflicting roles exist for end users, management should specifically note that in the matrix.

Questioned Cost:
$0
Close Date:
Recommendation 8

The USADF Chief Information Officer implement documented procedures to review Program Support System and Wide Area Network security logs and document evidence of these reviews.

Questioned Cost:
$0
Close Date:
Recommendation 9

The USADF Chief Information Officer implement documented procedures to ensure that network changes are documented, tested, and approved in accordance with USADF policies and procedures.

Questioned Cost:
$0
Close Date:
Recommendation 10

The USADF Chief Information Officer develop, document, and implement policy and procedures for conducting periodic reviews of configuration settings for all IT components. Configuration reviews should determine whether actual configuration settings in place agree with settings documented in approved baselines.

Questioned Cost:
$0
Close Date:
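
The following is an added example of the configuration review described in Recommendation 10; it is not part of the audit report and does not reflect any USADF baseline. It parses an exported settings file, compares every setting in an approved baseline against what the host actually reports, and treats a baseline setting that is absent from the export as drift, because the component is then running on a vendor default that nobody approved. The setting names, baseline values and the sample export are constructed for illustration.

```python
"""Configuration review against an approved baseline.

Added example; not part of the audit report. The setting names, baseline
values and the sample configuration export are constructed for illustration."""
from typing import Dict, List, Optional, Tuple

# Constructed baseline: setting name -> approved value. In practice this is the
# approved, version-controlled baseline document for the component type.
BASELINE = {
    "password_min_length": "12",
    "account_lockout_threshold": "5",
    "audit_logon_events": "success,failure",
    "remote_registry_service": "disabled",
    "smb_signing_required": "yes",
}

# Constructed snapshot as exported from one host; '#' starts a comment.
SAMPLE_CONFIG = """
# exported 2013-09-10
password_min_length = 8            # weaker than the baseline
account_lockout_threshold = 5
audit_logon_events = Success,Failure
smb_signing_required = yes
telnet_service = enabled           # setting the baseline does not mention
"""

DriftItem = Tuple[str, str, Optional[str], str]  # (setting, expected, observed, kind)


def parse_settings(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines into a dict. Keys are lower-cased so a
    review is not fooled by case differences between exports; a line that
    is neither blank, a comment, nor key=value is an error rather than
    something to skip silently."""
    settings: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: not a key = value setting: {raw!r}")
        settings[key.strip().lower()] = value.strip()
    return settings


def compare_to_baseline(baseline: Dict[str, str],
                        actual: Dict[str, str]) -> Tuple[List[DriftItem], List[str]]:
    """Return (drift, unbaselined). drift lists each baseline setting that is
    missing from the host or differs from the approved value; unbaselined
    lists settings the host reports that the baseline says nothing about,
    which is a gap in the baseline rather than in the host."""
    drift: List[DriftItem] = []
    for key, expected in baseline.items():
        observed = actual.get(key)
        if observed is None:
            drift.append((key, expected, None, "missing"))
        elif observed.lower() != expected.lower():
            drift.append((key, expected, observed, "mismatch"))
    unbaselined = sorted(set(actual) - set(baseline))
    return drift, unbaselined


def review(config_text: str, baseline: Dict[str, str] = BASELINE) -> dict:
    """One review run: parse the export and compare it with the baseline."""
    drift, unbaselined = compare_to_baseline(baseline, parse_settings(config_text))
    return {"compliant": not drift, "drift": drift, "unbaselined": unbaselined}


if __name__ == "__main__":
    result = review(SAMPLE_CONFIG)
    print("compliant:", result["compliant"])
    for setting, expected, observed, kind in result["drift"]:
        print(f"  {kind:8} {setting}: expected {expected!r}, observed {observed!r}")
    for setting in result["unbaselined"]:
        print(f"  no baseline entry for {setting}")
```

A review of this kind is only meaningful when the baseline itself is the approved, dated document the recommendation refers to; comparing a host against last quarter's working copy documents nothing.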
Recommendation 11

The USADF Chief Information Officer implement documented account management policies and procedures to formally document and approve all accounts on the Wide Area Network before creation.

Questioned Cost:
$0
Close Date:
Recommendation 12

The USADF Chief Information Officer implement documented policy and procedures to perform a periodic recertification of Wide Area Network accounts to ensure they remain appropriate.

Questioned Cost:
$0
Close Date:
Recommendation 13

The USADF Chief Information Officer develop, document and put in place account management procedures for the Program Support System. At a minimum, documented procedures should address:
    Approved methods for requesting and approving access to the system;
    Disabling and removing accounts for terminated employees/contractors;
    Reviewing accounts for inactivity;
    Recertifying accounts on a continuous basis to ensure active accounts and permissions remain appropriate.

Questioned Cost:
$0
Close Date:
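
The following is an added example of the periodic account review that Recommendations 12 and 13 call for, with the conflicting-role check from Recommendations 6 and 7 folded in; it is not part of the audit report and not USADF's own procedure. Each account in an export is checked for a documented approval, for the owner still appearing on the staff roster, for inactivity, for an overdue recertification, and for holding a pair of roles the separation of duties matrix marks as conflicting. The account list, staff roster, role names, conflicting-role pairs and thresholds are all constructed.

```python
"""Periodic account review: approval, termination, inactivity,
recertification and conflicting roles.

Added example; not part of the audit report. The account export, staff
roster, role names, conflicting-role pairs and thresholds are constructed."""
from datetime import date
from typing import Dict, List, Optional, Set

INACTIVE_DAYS = 90   # assumed threshold after which an account is inactive
RECERT_DAYS = 365    # assumed maximum age of the last recertification

# Constructed separation of duties matrix: role pairs one person may not hold.
CONFLICTING_ROLES = {
    frozenset({"grant_entry", "grant_approval"}),
    frozenset({"sysadmin", "log_reviewer"}),
}

# Constructed HR roster of currently employed staff and contractors.
ACTIVE_STAFF: Set[str] = {"jdoe", "asmith", "mlee"}

# Constructed account export; None means no record exists.
ACCOUNTS: List[dict] = [
    {"user": "jdoe", "enabled": True, "last_logon": date(2013, 9, 25),
     "approved_by": "CIO", "recertified_on": date(2013, 3, 1), "roles": ["grant_entry"]},
    {"user": "asmith", "enabled": True, "last_logon": date(2013, 4, 10),
     "approved_by": "CIO", "recertified_on": date(2012, 6, 1), "roles": ["grant_entry"]},
    {"user": "bwong", "enabled": True, "last_logon": date(2013, 9, 10),
     "approved_by": None, "recertified_on": None, "roles": ["grant_entry", "grant_approval"]},
    {"user": "mlee", "enabled": True, "last_logon": date(2013, 9, 20),
     "approved_by": "CIO", "recertified_on": date(2013, 5, 15), "roles": ["sysadmin", "log_reviewer"]},
    {"user": "svc_backup_old", "enabled": False, "last_logon": date(2012, 11, 2),
     "approved_by": "CIO", "recertified_on": date(2012, 11, 2), "roles": []},
]


def review_account(acct: dict, review_date: date,
                   active_staff: Set[str] = ACTIVE_STAFF) -> List[str]:
    """Return the list of issues found for one account (empty if none)."""
    issues: List[str] = []
    if not acct["enabled"]:
        # Disabling is the first step; the account still has to be removed.
        return ["disabled account still present; remove it once no longer needed"]
    if acct["user"] not in active_staff:
        issues.append("terminated user still enabled")
    if acct["approved_by"] is None:
        issues.append("no documented access approval")
    last: Optional[date] = acct["last_logon"]
    if last is None or (review_date - last).days > INACTIVE_DAYS:
        issues.append(f"inactive for more than {INACTIVE_DAYS} days")
    recert: Optional[date] = acct["recertified_on"]
    if recert is None or (review_date - recert).days > RECERT_DAYS:
        issues.append("recertification overdue")
    held = set(acct["roles"])
    for pair in CONFLICTING_ROLES:
        if pair <= held:
            issues.append("conflicting roles: " + " + ".join(sorted(pair)))
    return issues


def review_all(accounts: List[dict], review_date: date,
               active_staff: Set[str] = ACTIVE_STAFF) -> Dict[str, List[str]]:
    """Review every account; the result is the evidence of the review."""
    return {a["user"]: review_account(a, review_date, active_staff) for a in accounts}


def demo() -> Dict[str, List[str]]:
    return review_all(ACCOUNTS, date(2013, 9, 30))


if __name__ == "__main__":
    for user, issues in demo().items():
        print(user, "OK" if not issues else "; ".join(issues))
```

The staff roster is the piece that is usually missing in practice: without an authoritative list of who is currently employed, a review can only find inactive accounts, not accounts that belong to people who have left but are still signing in.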
Recommendation 14

The USADF Chief Information Officer rename all default and administrator account identifiers to ensure appropriate accountability is tracked for administrative activities in accordance with policy.

Questioned Cost:
$0
Close Date:
Recommendation 15

The USADF Chief Information Officer implement documented procedures to change all default authenticators on initial creation in accordance with policy.

Questioned Cost:
$0
Close Date:
Recommendation 16

The USADF Chief Information Officer complete the planned corrective actions for the Wide Area Network to confirm that plan of action and milestones item 5 is remediated in a timely manner, or perform an appropriate acceptance of risk, and document the results.

Questioned Cost:
$0
Close Date:
Recommendation 17

The USADF Chief Information Officer update the plan of action and milestones template for the Wide Area Network and Program Support System to include required resources, milestones with completion dates, and changes to milestones in accordance with Office of Management and Budget Memorandum M-02-01 and National Institute of Standards and Technology Special Publication 800-53 Revision 3.

Questioned Cost:
$0
Close Date: