Audit of the Inter-American Foundation's Fiscal Year 2013 Compliance with the Federal Information Security Management Act of 2002
Recommendations
The Inter-American Foundation Chief Information Officer remediate vulnerabilities in the network identified by the Office of Inspector General's contractor, as appropriate, and document the results or document acceptance of the risks of those vulnerabilities.
The Inter-American Foundation Chief Information Officer establish in writing patch time frame requirements to make sure known vulnerabilities are remediated.
The Inter-American Foundation Chief Information Officer implement a written process to review the virtual private network device configuration and to either disable nonessential and insecure services or document acceptance of the risks.
The Inter-American Foundation Chief Information Officer document and implement audit and accountability procedures to include monitoring, reviewing, and analyzing event logs on a schedule defined by the organization for indications of inappropriate or unusual activity.
The Inter-American Foundation Chief Information Officer document and implement a baseline configuration for the Enterprise Network.
The Inter-American Foundation Chief Information Officer either update the foundation's policies, procedures, and network password settings to ensure compliance with the U.S. Government Configuration Baseline standards or document deviations from those standards in the foundation's Information System Security Program and System Security Plan and document acceptance of the risk.
The Inter-American Foundation Chief Information Officer document and implement a process to maintain an up-to-date plan of action and milestones and to implement corrective actions in a timely manner.
The Inter-American Foundation Chief Information Officer implement a documented process to review and update the Enterprise Network System Security Plan annually or as significant system changes occur to make sure the security requirements and controls for the system are documented adequately and reflect the current operating environment of the information system.