For Fiscal Year (FY) 2019, the U.S. Equal Employment Opportunity Commission (EEOC), Office of Inspector General (OIG) contracted with Brown & Company CPAs and Management Consultants, PLLC (Brown & Company) to conduct a performance audit of EEOC’s compliance with the provisions of the Federal Information Security Modernization Act of 2014 (FISMA). FISMA requires agencies to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Based on the results of our performance audit, Brown & Company concluded that EEOC’s information security program is substantially compliant with the FISMA legislation and applicable Office of Management and Budget (OMB) guidance. We determined EEOC’s information security programs are effective and provide reasonable assurance of adequate security. In conducting our audit work, we identified the following four findings related to EEOC’s security practices that can be improved.
1. EEOC OIT needs to monitor security controls over SharePoint.
2. EEOC OIT needs to remediate internal vulnerabilities on its network.
3. EEOC OIT needs to enforce its mobile device management compliance policies.
4. EEOC OIT needs to develop an action plan to address the SECURE Technology Act requirements.