Audit of the Cost and Security Policies and Procedures for USAID's Mobile Devices

Recommendations

Recommendation 1

USAID's Chief Information Officer implement formal written procedures for reviewing excessive mobile device charges, including the frequency of those reviews and a determination of whether users should be changed to another mobile device plan with features that accommodate their mobile needs and/or use alternate solutions to meet Agency mobile needs.

Questioned Cost: 0
Close Date

Recommendation 2

USAID's Chief Information Officer implement formal written procedures for reviewing unused mobile devices with responsible Agency officials. At a minimum, the procedures should include an acceptable level for the number and cost of unused devices and the frequency of the reviews (no less than quarterly).

Questioned Cost: 0
Close Date

Recommendation 3

USAID's Chief Information Officer implement documented procedures for mobile devices that define policy violations and describe monitoring for and reporting on those violations (other than when the device is on the network and violates those policies).

Questioned Cost: 0
Close Date

Recommendation 4

USAID's Chief Information Officer implement documented policies that define the conditions for remotely wiping mobile devices if the device is lost or stolen and is at risk of having its data recovered by an unauthorized individual or entity and for failed password attempts.

Questioned Cost: 0
Close Date

Recommendation 5

USAID's Chief Information Officer implement documented policies that define the conditions for remotely locking devices suspected of being left unlocked in an unsecured location.

Questioned Cost: 0
Close Date

Recommendation 6

USAID's Chief Information Officer implement documented procedures for digitally signing USAID-developed applications.

Questioned Cost: 0
Close Date

Recommendation 7

USAID's Chief Information Officer implement documented procedures that describe how policies will be managed on BlackBerry Enterprise Servers.

Questioned Cost: 0
Close Date

Recommendation 8

USAID's Chief Information Officer implement documented policies that define which types of mobile devices are permitted to access the Agency's resources.

Questioned Cost: 0
Close Date

Recommendation 9

USAID's Chief Information Officer implement documented policies that define the degree of access that various classes of mobile devices (e.g., organization-issued devices versus those that are personally owned) can have to Agency resources.

Questioned Cost: 0
Close Date

Recommendation 10

USAID's Chief Information Officer revise Mobile Computing Standards: A Mandatory Reference for ADS Chapter 545 to be consistent with the requirements regarding encryption of information stored on mobile devices in Automated Directives System 545.3.6.6, "Mobile Computing Devices" (November 9, 2012).

Questioned Cost: 0
Close Date

Recommendation 11

USAID's Chief Information Officer revise Automated Directives System 549.3.4.3, "Electronic Mail (E-Mail)," to reflect the Agency's current policy regarding e-mail usage for sensitive but unclassified information.

Questioned Cost: 0
Close Date

Recommendation 12

USAID's Chief Information Officer revise the following documents, as appropriate, to make clear policy statements regarding requirements for antivirus software and firewalls on mobile devices: Automated Directives System 545.3.6.6, "Mobile Computing Devices," and Mobile Computing Standards: A Mandatory Reference for ADS Chapter 545.

Questioned Cost: 0
Close Date

Recommendation 13

USAID's Chief Information Security Officer document a risk assessment for the 'Agency for International Development Network.'

Questioned Cost: 0
Close Date

Recommendation 14

After implementing Recommendation 13, we recommend that USAID's Chief Information Security Officer incorporate necessary updates to the risk assessments for iPads, iPad2s, iPad3s, and iOS 6.

Questioned Cost: 0
Close Date

Recommendation 15

USAID's Chief Information Security Officer include the following plans in the Agency's written plan of action and milestones, as required by the National Institute of Standards and Technology's Recommended Security Controls for Federal Information Systems and Organizations:
    (1) Establish usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies.
    (2) Create tools and applications for mobile devices.
    (3) Develop, test, and document sanitization procedures for mobile devices.

Questioned Cost: 0
Close Date

Recommendation 16

USAID's Chief Information Security Officer either finalize the risk assessment for the Agency's BlackBerry mobile devices or, if the devices will be phased out in the next year, formally document and accept the risk of not completing the risk assessment for them.

Questioned Cost: 0
Close Date

Recommendation 17

USAID's Chief Information Security Officer update the security policy for Agency BlackBerrys if USAID finalizes the risk assessment for Agency BlackBerrys detailed in Recommendation 16.

Questioned Cost: 0
Close Date

Recommendation 18

USAID's Chief Information Security Officer implement and require two-factor authentication for access to Agency e-mail with one factor separate from the device, as required, and document the results.

Questioned Cost: 0
Close Date

Recommendation 19

USAID's Chief Information Officer implement the Agency's strong password policy to unlock iPhones and BlackBerry mobile devices, as required, and document the results.

Questioned Cost: 0
Close Date

Recommendation 20

After implementing Recommendation 15, USAID's Chief Information Officer configure the servers for mobile devices to restrict the ability to download applications to the devices, as appropriate.

Questioned Cost: 0
Close Date