Open Recommendations

We recommend that the Office of the Chief Financial Officer of the U.S. Equal Employment Opportunity Commission enhance the documentation, monitoring, and enforcement of its controls over the closure of charge card accounts.

We recommend the OIT employed an automated mechanism that ensures sensitive PII is encrypted on removable mobile media.

We recommend the OCHCO and OIT conduct a baseline assessment of the EEOC’s cybersecurity workforce that includes (1) the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications; (2) the level of preparedness of other cyber personnel without existing credentials to take certification exams; and (3) a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel.

We recommend the OIT review and remediate critical-risk, high-risk and moderate-risk vulnerabilities. These vulnerabilities should be resolved to avoid compromise to EEOC’s systems; or the Agency should document acceptance of the risk or reclassification of the risk

EEOC should implement an automated solution that provides a centralized, enterprise-wide view of risk across the agency.

EEOC should develop a Trusted Internet Connection (TIC) program that meets OMB requirements to improve the agency’s security posture.

EEOC should conduct an e-authentication risk assessment for its digital systems and has not fully implemented multifactor authentication for logical and remote access for privileged and non-privileged users. (Repeat finding since FY 2008)

Consider new approaches, such as web-enabled and cloud-based solutions, to support expanding IT infrastructure needs of both the analytics team as well as analytical product users.

Establish a data warehouse to address data retention, versioning, and reporting needs.

Invest in the generation of new metrics that quantify opportunity costs and corresponding benefits of data collection and data assurance.

EEOC OIT should review and analyze critical, high, and medium vulnerabilities. These vulnerabilities should be resolved to avoid compromise of EEOC’s systems; or the agency should document acceptance of the risk or reclassification of the risk.

Development of policies and procedures to properly manage physical security access cards.

EEOC update its personnel policy and procedures requiring screening and background checks for all individuals having access to information systems and information as defined by NIST SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, PS-3 Personnel Screening. The agency should ensure all individuals are processed through the E-Verify program, and no exception exists for those who have previously been verified by a third-party.

Develop and implement policies and procedures to address the safeguarding, transfer, storage, or disposal of classified information. The policy should include the requirements for Memorandums of Understanding between agencies.

Implement a formalized training program for individuals who use classified information as a part of their duties. If an external agency is to assume the responsibility of training these individuals, this agreement should be documented in an MOU.

Immediately correct any known weaknesses. If EEOC determines not to correct a noted weakness, EEOC should document this analysis and their acceptance of the associated risk.