Audit of USAID's Fiscal Year 2013 Compliance with the Federal Information Security Management Act of 2002
Recommendations
The Chief Information Officer review the controls documented within the USAID common controls system security plan and update the descriptions to specifically describe the control that is planned or in place.
The Chief Information Officer review agency system security plans to determine whether they point to the USAID common control system security plan. If so, determine whether that plan adequately addresses the referenced control.
The Chief Information Officer implement documented procedures to be sure that scheduled completion dates identified in the plan of action and milestones are reasonable.
The Chief Information Officer implement documented procedures to be sure that scheduled completion dates are met when applicable.
USAID's Director, Office of Human Resources; Director, Management Policy, Budget, and Performance; Director, Office of Security; and Director, Office of Acquisition and Assistance, coordinate with each other to implement documented procedures to notify USAID system administrators when an employee or contractor leaves the agency or is transferred.
The Chief Information Officer implement a documented process to test the AIDNet contingency plan annually in compliance with USAID policy.
The Chief Information Officer complete planned corrective actions for AIDNet to be sure that plan of action and milestone items 7260 and 7687 are remediated in a timely manner or an appropriate acceptance of risk has been performed.
The Chief Information Officer complete planned corrective actions for AIDNet to be sure that plan of action and milestone items 7691, 7692, 7693, 7694, 7695, 7696, 7697, and 7698 are remediated in a timely manner or an appropriate acceptance of risk has been performed.
The Chief Information Officer complete planned corrective actions for AIDNet to make sure that plan of action and milestone items 7657, 7658, 7659, 7660, 7661, 7662, 7330, and 7679 are remediated in a timely manner or an appropriate acceptance of risk has been performed.
The Chief Information Officer complete planned corrective actions for AIDNet to make sure that plan of action and milestone items 7689 and 7690 are remediated in a timely manner or an appropriate acceptance of risk has been performed.
The Chief Information Officer implement documented procedures to make sure that Agency Secure Image and Storage Tracking system accounts are removed or disabled in a timely manner.
The Chief Information Officer review inactive Agency Secure Image and Storage Tracking system accounts, and disable or delete them in accordance with USAID policy.
The Chief Information Officer review all security controls identified as inherited in the Agency Secure Image and Storage Tracking system security plan to make sure each control is categorized appropriately. When a portion of a control is handled within the system, the control should be identified as hybrid or specific to the system.
The Chief Information Officer complete planned corrective actions for the Agency Secure Image and Storage Tracking system to be sure that plan of action and milestone item 7447 is remediated in a timely manner or an appropriate acceptance of risk has been performed.
The Director, Office of Foreign Disaster Assistance, complete planned corrective actions for OFDANet to make sure that plan of action and milestone item 2013-7790 is remediated in a timely manner or an appropriate acceptance of risk has been performed.
The Director, Office of Foreign Disaster Assistance, implement documented account management procedures that confirm that accounts are disabled or deleted immediately when an individual with OFDANet access leaves the agency or no longer needs such access.
The Director, Office of Foreign Disaster Assistance, implement documented account management procedures that confirm that accounts are reviewed when inactive for 90 days and disabled or deleted if no longer required.
The Director, Office of Foreign Disaster Assistance, complete planned corrective actions for OFDANet to make sure that plan of action and milestone items 2013-7782, 2013-7783, and 2013-7784 are remediated in a timely manner or an appropriate acceptance of risk has been performed.
The Chief Financial Officer comply with National Institute of Standards and Technology, Office of Management and Budget, and USAID risk management requirements by carrying out formal security assessment and authorization procedures over the Electronic Cash Reconciliation Tool.
The Chief Financial Officer update Electronic Cash Reconciliation Tool account management procedures to be sure they address all National Institute of Standards and Technology Special Publication 800-53 revision 3 AC-2 controls, including reviewing accounts for inactivity, disabling accounts in a timely manner, recertifying accounts, and logging the system administrator's account management activities.