For Fiscal Year (FY) 2014, the U.S. Equal Employment Opportunity Commission (EEOC), Office of Inspector General (OIG) contracted with Brown & Company CPAs, PLLC (Brown & Company) to conduct an independent evaluation of EEOC's compliance with the provisions of the Federal Information Security Management Act of 2002 (FISMA). FISMA requires agencies to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
Based on the results of the evaluation, Brown & Company concluded that the agency has made positive strides in addressing information security weaknesses; however, the agency still faces challenges in fully implementing the information security requirements stipulated in various federal guidelines and mandates. This report contains nineteen (19) FISMA findings with nineteen (19) recommendations concerning issues such as:
- Development of a risk assessment at the organization and mission-business level to include field offices.
- Update to system level risk assessment report.
- Improvement to Bring Your Own Device (BYOD) program.
- Improvement to privacy notifications on the EEOC official website and alerts when visitors are directed to non-government websites.
- Improvement to virtual private network configuration settings for password length.
- Implementation of encryption to protect digital backup media during transport.
- Update to policies and procedures to include EEOC's response time for security alerts.
- Update to policies and procedures to include a file integrity process for detecting unauthorized changes to software, firmware, and information.
- Improvement to monitoring of laptops issued to employees for disaster recovery, ensuring that patches and updates are installed for operating systems, antivirus software, and other security applications.
- Implementation of background checks for student interns to ensure international visas are current.
- Improvement to the security awareness training program to ensure all personnel in field offices that use information systems receive annual training.
- Development of policies and procedures to properly manage physical security access cards.
- Implementation of full device encryption or container-based encryption for mobile laptops.
- Development of a Continuity of Operations Plan for field offices.
- Development of a telecommuting policy that meets FISMA requirements.
- Development of policies and procedures for managing shared group accounts.
- Improvement to account management procedures that include disabling inactive accounts as required.
- Improvement to physical access control to the data center and technology storage room.
- Resolution of high and medium vulnerabilities identified from the internal vulnerability assessment.