We found that the EEOC generally had sound information security controls for its Information Security Program and had implemented security controls in all seven DHS Inspector General (IG) FISMA Reporting Metrics. Based on our audit work, we concluded that the EEOC’s Information Security Program is generally compliant with the FISMA legislation and applicable Office of Management and Budget (OMB) guidance, and that the security controls tested demonstrated operating effectiveness.
Our report identifies the following four control weaknesses where the EEOC’s Information Security Program can better protect the confidentiality, integrity, and availability of its information and information systems:
1. The EEOC has not implemented an automated solution that provides a centralized, enterprise-wide view of risk across the agency.
2. The EEOC has not developed a Trusted Internet Connection (TIC) program that meets OMB requirements to improve the agency’s security posture.
3. The EEOC has not conducted an e-authentication risk assessment for its digital systems and has not fully implemented multifactor authentication for logical and remote access by privileged and non-privileged users.
4. The EEOC has not established adequate separation of duties between the Chief Information Security Officer (CISO) and Deputy Chief Information Officer (DCIO) positions.