Report 2015-003-EOIG - FY-2015 Federal Information Security Modernization Act Independent Evaluation

Fiscal Year 2015
Executive Summary

For Fiscal Year (FY) 2015, the U.S. Equal Employment Opportunity Commission (EEOC), Office of Inspector General (OIG) contracted with Brown & Company CPAs and Management Consultants, PLLC (Brown & Company) to conduct an independent evaluation of EEOC's compliance with the provisions of the Federal Information Security Modernization Act of 2014 (FISMA). FISMA requires agencies to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

Based on the results of our evaluation, Brown & Company concluded that the EEOC continues to make positive strides in addressing information security weaknesses; however, the agency still faces challenges to fully implement information security requirements as stipulated in various federal guidelines and mandates. This report contains seven FISMA findings and seven corresponding recommendations. The FY 2015 findings are as follows:
1. EEOC has no organization-wide Information Security Program Plan that documents and enforces implementation of common and hybrid controls among all EEOC IT assets.
2. EEOC has not developed an organization-wide risk management strategy and processes.
3. EEOC should strengthen its worksharing agreement with Fair Employment Practices Agencies (FEPAs) to include a statement that requires FEPAs to implement information security controls that ensure data and access to data are secured.
4. EEOC should prepare special security controls for its District, Field and Area Offices to ensure that information systems and information located at these offices are protected.
5. The EEOC did not fully implement multifactor authentication to allow remote access to EEOC systems.
6. The EEOC enterprise-wide Information Technology continuity/disaster recovery program that is established and operational at EEOC HQ is not implemented and enforced at the EEOC Field Offices.
7. EEOC configuration management policy and procedures are not currently supported by automated tools and procedures to accurately and completely detect, identify, and account for changes to the information system component inventory.