Audit of the Overseas Private Investment Corporation's Fiscal Year 2013 Compliance with Provisions of the Federal Information Security Management Act of 2002

Recommendations

Recommendation
1

The Overseas Private Investment Corporation Chief Information Officer develop, document, and implement National Institute of Standards and Technology-approved configuration baselines for the following software platforms utilized by OPICNet: Windows Server (all versions, Microsoft SQL Server (all versions), Oracle 9, Microsoft Internet Information Server.

Questioned Cost
0
Close Date
Recommendation
2

The Overseas Private Investment Corporation Chief Information Officer conduct configuration baseline monitoring of the following software platforms in accordance with organizational policies and procedures and document the results: Windows Server (all versions), Microsoft SQL Server (all versions, Oracle 9, Microsoft Internet Information Server.

Questioned Cost
0
Close Date
Recommendation
3

The Overseas Private Investment Corporation Chief Information Officer document and implement procedures to confirm that: Guest accounts are used as specified in organizational policies and procedures. Accounts inactive for more than 30 days are disabled. Temporary accounts are disabled or removed after 48 hours unless otherwise noted. Terminated individuals' accounts are removed or disabled within a Corporation-specified time frame upon departure. User accounts are disabled properly or removed upon the account expiration date. Account recertifications are conducted at least annually.

Questioned Cost
0
Close Date
Recommendation
4

The Overseas Private Investment Corporation Chief Information Officer implement audit tools that effectively capture and report all auditable events as required by the Corporation's policies and procedures, and document the results, including: Successful and unsuccessful account logon events, Account management events, Object access, Policy change, Privilege functions, Process tracking, System events, Remote access sessions.

Questioned Cost
0
Close Date
Recommendation
5

The Overseas Private Investment Corporation Chief Information Officer create a written plan of action and milestones item to track the remediation and establishment of an alternate processing site.

Questioned Cost
0
Close Date
Recommendation
6

The Overseas Private Investment Corporation Chief Information Officer establish and approve an appropriate written agreement with an alternate processing site to permit the resumption of information system operations for critical mission/business functions when the primary processing capabilities are unavailable in accordance with National Institute of Standards and Technology requirements.

Questioned Cost
0
Close Date
Recommendation
7

The Overseas Private Investment Corporation Chief Information Officer complete planned corrective actions for OPIC Network to confirm that the plan of action and milestones items for the following are remediated in a timely manner, or perform an appropriate acceptance of risk, and document the results: External access permitted to internal hosts; Insecure Outlook Web access; Unenforced policy (firewalls, demilitarized zone, Internet access content filtering); Unpatchable systems (APPX); Several vulnerabilities and misconfigurations were identified on publicly facing devices.

Questioned Cost
0
Close Date
Recommendation
8

The Overseas Private Investment Corporation Chief Information Officer implement a written process to confirm that users complete initial security awareness training before they are granted access to the Corporation's network in accordance with OPIC Information System Security Policy, Version 1.0 (ISSP-2013-v1), section 7.3, Awareness and Training.

Questioned Cost
0
Close Date
Recommendation
9

The Overseas Private Investment Corporation Chief Information Officer revise its OPIC Information System Security Policy to require annual role-based security training in accordance with National Institute of Standards and Technology requirements.

Questioned Cost
0
Close Date
Recommendation
10

The Overseas Private Investment Corporation Chief Information Officer implement a written role-based security training course for users with significant security responsibilities.

Questioned Cost
0
Close Date
Recommendation
11

The Overseas Private Investment Corporation Chief Information Officer fully implement procedures to confirm that the System for Awards Management and E2 Solutions system interconnections have been reviewed for appropriate implementation of external agencies' security controls and document the results.

Questioned Cost
0
Close Date
Recommendation
12

Overseas Private Investment Corporation Chief Information Officer: Define and document information security risk tolerance consistent with the organizational risk tolerance. Implement written procedures to ensure future riskbased decisions are made taking into account the Corporation's defined information security risk tolerance.

Questioned Cost
0
Close Date
Recommendation
13

The Overseas Private Investment Corporation Chief Information Officer document and implement procedures to confirm that all users sign the Corporation's rules of behavior prior to being granted access to OPIC Network.

Questioned Cost
0
Close Date
Recommendation
14

The Overseas Private Investment Corporation Chief Information Officer include in the written plan of action and milestones an estimate of funding resources required to resolve weaknesses, as required by Office of Management and Budget Memorandum 02-01.

Questioned Cost
0
Close Date