We recommend that EEOC's information security team, in conjunction with other EEOC offices:

a. Identify and document all policies and procedures applicable to cybersecurity and information security;
b. Develop and use an accessible repository, such as SharePoint, for all identified documents, regardless of what office they reside in;
c. Design a risk-based approach to review and update all identified documents in the repository, including who is responsible for reviewing and updating each document;
d. Document the review/update in each document, as well as the responsible party within the information security team who ensures that each document has been updated per the documented procedure for review;
e. Designate a responsible official within the OIT to review and update the process as necessary on an annual basis.
- FY 2023 Federal Information Security Modernization Act Independent Evaluation