oversight

Transmittal of FY 2012 Evaluation of EEOC's Compliance with Provisions of the Federal Information Security Management Act of 2002 (FISMA)(OIG Report No. 2012-03-FISMA)

Published by the Equal Employment Opportunity Commission, Office of Inspector General on 2012-11-14.

Below is a raw (and likely hideous) rendition of the original report.

Transmittal of FY 2012 Evaluation of EEOC’s Compliance with Provisions of the Federal Information Security Management Act of 2002 (FISMA)(OIG Report No. 2012-03-FISMA)
Skip top navigation
Skip to content
Español | Other Languages
U.S. Equal EmploymentOpportunity Commission
Home
About EEOC
Overview
The Commission
Meetings of the Commission
Open Government
Newsroom
Laws, Regulations, Guidance & MOUs
Budget & Performance
Enforcement & Litigation
Initiatives
Interagency Programs
Publications
Statistics
Outreach & Education
Legislative Affairs
FOIA & Privacy Act
Doing Business with EEOC
Jobs & Internships
EEOC History
Office of Inspector General
Employees & Applicants
Overview
Coverage
Timeliness
Filing A Charge
How to File
Charge Handling
Confidentiality
Mediation
Remedies
Existing Charges
Filing a Lawsuit
Discrimination by Type
Age
Disability
Equal Compensation
Genetic Information
Harassment
National Origin
Pregnancy
Race/Color
Religion
Retaliation
Sex
Sexual Harassment
Prohibited Practices
Employers
Overview
Coverage
Charge Handling
Resolving a Charge
Remedies
Discrimination by Type
Age
Disability
Equal Compensation
Genetic Information
Harassment
National Origin
Pregnancy
Race/Color
Religion
Retaliation
Sex
Sexual Harassment
Prohibited Practices
Recordkeeping
EEO Reports/Surveys
"EEO Is The Law" Poster
Training
Other Employment Issues
Federal Agencies
Overview
Federal Employees & Applicants
Federal Complaint Process
Discrimination by Type
Other Federal Protections
Prohibited Practices
Federal EEO Coordination
Federal Agency EEO Directors
Laws, Regulations, Guidance & MOUs
Management Directives & Federal Sector Guidance
Federal Sector Alternative Dispute Resolution
Federal Sector Reports
Appellate Decisions
Digest of EEO Law
Form 462 Reporting
Federal Training & Outreach
Contact Us
Contact EEOC
Find Your Nearest Office
Frequently Asked Questions
About EEOC
Overview
The Commission
Meetings of the Commission
Open Government
Newsroom
Laws, Regulations, Guidance & MOUs
Budget & Performance
Enforcement & Litigation
Initiatives
Interagency Programs
Publications
Statistics
Outreach & Education
Legislative Affairs
FOIA & Privacy Act
Doing Business with EEOC
Jobs & Internships
EEOC History
Office of Inspector General
Home > About EEOC > Office of Inspector General
November 14, 2012
MEMORANDUM
TO:
Kimberly Hancher, Director
Office of Information Technology
FROM:
Milton A. Mayo, Jr
Inspector General
SUBJECT:
Transmittal of FY 2012 Evaluation of EEOC's Compliance with Provisions of the Federal Information Security Management Act of 2002 (FISMA)(OIG Report No. 2012-03-FISMA)
The Office of Inspector General contracted with the Certified Public Accounting firm Clifton Larson Allen LLP, formerly known as Clifton Gunderson LLP, to conduct an independent evaluation of EEOC's information security program and practices as
required by the FISMA, and to comply with the Office of Management and Budget's (OMB) reporting requirements for Inspectors General.
Attached is the FY 2012 Evaluation of EEOC's Compliance with Provisions of the Federal Information Security Management Act of 2002 (FISMA) report prepared by Clifton Gunderson (CG).  CG notes in its report that the EEOC has made positive
strides over the last year in addressing information security weaknesses, however improvements are needed in the following areas: Maintaining Documentation for Network Access Requests/Approvals, Implementing Multi-Factor Authentication, Maintaining
Documentation of Acceptance and Understanding of information Security Responsibilities, and Maintaining Incidence Response Policy to Reflect All US-CERT Categorization Types. Management's comments are included in the report. Also, the status of
prior year FISMA findings is included as Appendix A of the report.
The Office of Management and Budget issued Circular Number A-50, Audit Follow Up, to ensure that corrective action on audit findings and recommendations proceed as rapidly as possible. EEOC Order 192.002, Audit Follow up Program, implements
Circular Number A-50 and requires that for resolved recommendations, a corrective action work plan should be submitted within 30 days of the final evaluation report date describing specific tasks and completion dates necessary to implement audit
recommendations. Circular Number A-50 requires prompt resolution and corrective action on audit recommendations. Resolutions should be made within six months of final report issuance.
If you have any questions, please feel free to contact Mr. Willie Eggleston, Senior Auditor, at extension 4372.  We appreciate your assistance.
cc: Pierette McIntire
Evaluation of Equal Employment Opportunity Commission's (EEOC) Compliance with Provisions of the Federal Information Security Management Act of 2002
Fiscal Year 2012
Final Report
TABLE OF CONTENTS
Executive Summary
Background
Audit Objective
Scope
Testing Methodology
Findings and Recommendations
Appendix A: Status of Prior Year (FY2011) Findings
Executive Summary
The EEOC Office of Inspector General (OIG) contracted with CliftonLarsonAllen LLP (CLA) to conduct an audit of EEOC' compliance with the provisions of the Federal Information Security Management Act of 2002 for Fiscal Year (FY) 2012. The Federal
Information Security Management Act of 2002 (FISMA) requires agencies to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the
operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
The audit meets the FISMA requirement for an annual evaluation of EEOC' information security program. The overall objective of this audit was to determine if EEOC' information security program met the requirements of the Federal Information
Security Management Act of 2002. Specifically, we performed audit work associated with the FISMA Office of Management and Budget (OMB) annual reporting requirements for OIGs and completed a review of six EEOC information systems: The EEOC Network,
EEO-1 Survey System, Document Management System (DMS), Integrated Mission System (IMS), Financial Cloud Solutions (FCS), and Federal Personnel and Payroll System (FPPS). In addition, four Notice of Finding and Recommendations (NFRs) were submitted
to EEOC management to include findings from both the system reviews and component level review.
The audit concluded that EEOC met most, but not all, of the key requirements of FISMA. The Agency has made positive strides over the last year in addressing information security weaknesses and continues to make progress in becoming fully
compliant with FISMA. However, EEOC still faces challenges to refine its information security program. These challenges involve:
Maintaining documentation for network access requests/approvals. (See page 6)
Implementing multi-factor authentication. (See page 7)
Maintaining documentation of acceptance and understanding of information security responsibilities. (See page 8)
Revising the incident response policy to reflect all US-CERT categorization types (See page 9)
Consequently, EEOC' operations and assets may be at risk of misuse and disruption. The report contains four recommendations to help EEOC improve its information security program and practices.
This report is intended solely for the information and use of the management of EEOC and OIG and is not intended to be and should not be used by anyone other than these specified parties.
Background
Organization
The U.S. Equal Employment Opportunity Commission (EEOC) is responsible for enforcing federal laws that make it illegal to discriminate against a job applicant or an employee because of the person's race, color, religion, sex (including
pregnancy), national origin, age (40 or older), disability or genetic information. It is also illegal to discriminate against a person because the person complained about discrimination, filed a charge of discrimination, or participated in an
employment discrimination investigation or lawsuit. The EEOC has the authority to investigate charges of discrimination against employers who are covered by the law.
The EEOC is composed of five Commissioners and a General Counsel appointed by the President and confirmed by the Senate. Commissioners are appointed for five-year staggered terms; the General Counsel's term is four years. The President designates
a Chair and a Vice Chair. The Chair is the Chief Executive Officer of the EEOC.
The EEOC has 53 field offices, and has its headquarters in Washington, D.C. Additional information about EEOC may be found at http://www.eeoc.gov.
Federal Information Security Management Act
The Federal Information Security Management Act of 2002 (FISMA) was enacted into law as Title III of the E-Government Act (E-Gov) of 2002 (P.L. 107-347, December 17, 2002). Key requirements of FISMA include:
The establishment of an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another
agency, contractor, or other source.
An annual independent evaluation of the agency's information security programs and practices; and
An assessment of compliance with the requirements of the Act.
FISMA requires agency heads to ensure that (1) employees are sufficiently trained in their security responsibilities, (2) security incident response capability is established, and (3) information security management is integrated with the agency
strategic and operation planning processes. All agencies must also report annually to the Office of Management and Budget (OMB) and Congressional committees on the effectiveness of their information security program. In addition, FISMA has
established that the standards and guidelines issued by the National Institute of Standards and Technology (NIST) are mandatory for Federal agencies.
Audit Objective
A key requirement of the Federal Information Security Management Act of 2002 is an annual independent evaluation of the Agency's information security program. As a result, CLA was contracted by EEOC OIG to review the Agency's information security
program and practices as set forth by the Federal Information Security Management Act of 2002 for FY 2012. The work performed under this engagement involved a review of the effectiveness of the Agency's Office of Information Technology (OIT)
oversight of the Agency's information security program and evaluation of six EEOC information systems: The EEOC Network, EEO-1 Survey System, Document Management System, Integrated Mission System, Financial Cloud Solutions, and Federal Personnel and
Payroll System.
In addition, we were required to complete the FY 2012 OMB FISMA Reporting Template included as an annual reporting requirement for OIGs.
Scope
CLA performed the audit in support of the EEOC OIG's FISMA reporting requirements. The period covered by this audit ended September 30, 2012. We conducted the audit in accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain sufficient appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objective.
The purpose of the audit was to determine if EEOC' information security program met the requirements of FISMA. In assessing, EEOC' adherence to FISMA, we conducted component level and system level testing to support FISMA compliance. In
conducting our review of the Agency's Office of the CIO's oversight over EEOC' information security program and practices, the following areas were reviewed:
Organizational responsibilities and authority
Information security policies and procedures
System security plans
Risk Assessments
Continuity of operations plan
Security incident reporting
Security Awareness, Training, and Education
Certification and accreditation process
Remedial action process (plan of action and milestones)
System Configuration Management
Annual information security program reporting
In regards to the system level testing, CLA in conjunction with the EEOC OIG selected the EEOC Network, EEO-1 Survey System, Document Management System, Integrated Mission System, Financial Cloud Solutions, and Federal Personnel and Payroll
System to evaluate as part of the scope of work. The audit included the testing of selected management, technical, and operational controls of the information systems outlined in National Institute of Standards and Technology (NIST) Special
Publication 800-53, Revision 3 Recommended Security Controls for Federal Information Systems. The following NIST Special Publication 800-53 Controls were reviewed for the EEOC Network, EEO-1 Survey System, Document Management System,
Integrated Mission System, Financial Cloud Solutions, and Federal Personnel and Payroll System.
Access Controls
Audit and Accountability
Certification, Accreditation and Security Assessments
Configuration Management
Contingency Planning
Identification and Authentication
Maintenance
Security Planning
Risk Assessment
System and Service Acquisition
System and Communications Protection
System and Information Integrity
In addition, we completed a follow-up review of prior year FISMA findings and recommendations to determine if EEOC had made progress on implementing the recommended improvements in its information security program.
Four NFRs were submitted to EEOC management to include findings from both the system reviews and component level review.
At the time of the audit, EEOC operated the following information systems:
EEOC Network (General Support System)
Major Applications
EEO-1 Survey System
Document Management System (DMS)
Integrated Mission System (IMS)
Financial Cloud Solutions (owned by another Federal Agency)
This report is intended solely for the information and use of the management of EEOC and the EEOC OIG and is not intended to be and should not be used by anyone other than these specified parties.
Testing Methodology
To determine if EEOC' information security program met the requirements of FISMA, we conducted interviews with EEOC staff members and reviewed legal and regulatory requirements stipulated by FISMA. We also reviewed documentation related to EEOC'
information security program. These documents included, but were not limited to, EEOC' security policies and procedures, plan of action and milestones, system security plans, risk assessments, certification and accreditation documentation,
contingency plans, and incident reporting procedures. In addition, we performed tests of system processes to determine the adequacy and effectiveness of those controls.
We also evaluated available data supporting EEOC annual FISMA report to OMB on its information system security program.
Findings and Recommendations
EEOC has achieved progress towards FISMA compliance over the last year. Specifically, EEOC has implemented the following FISMA requirements:
The Agency has strengthened its vulnerability scanning and patch remediation program and procedures.
Updated their business impact analysis (BIA) so it accurately maps to disaster recover testing results.
Implemented a revalidation and review process to remove and disable unneeded virtual private network accounts.
Although, EEOC has made improvements in its information security program, the agency still faces challenges to refine its information security program. These challenges involve:
Maintaining documentation for network access requests/approvals. (See page 6)
Implementing multi-factor authentication (See page 7)
Maintaining documentation of acceptance and understanding of information security responsibilities (See page 8)
Maintaining the incident response policy to reflect all US-CERT categorization types (See page 9)
These findings are further discussed below.
Access Control/Identification and Authentication
Network access request forms were not adequately maintained. (NFR Reference # 2012 - 1)
Access request forms which document request and approval for network access were not provided for two out of twenty-five individuals sampled.
In addition, Integrated Mission System (IMS) access request forms were not provided for six of ten individuals sampled.
Without an appropriate access request form, excessive access to agency information may be provided and sensitive information could be compromised.
National Institute of Standards and Technology Special Publication (NIST SP) 800-53 Revision 3, Recommended Security Controls for Federal Information Systems control AC-2, states the following regarding account
management, "The organization manages information system accounts, including: Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary); Establishing conditions for group membership;
Identifying authorized users of the information system and specifying access privileges; Requiring appropriate approvals for requests to establish accounts; Establishing, activating, modifying, disabling, and removing accounts; Specifically
authorizing and monitoring the use of guest/anonymous and temporary accounts; Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or
need-to know/ need-to-share changes; Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users; Granting access to the system based on: (i) a valid access authorization; (ii) intended
system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and Reviewing accounts.
Recommendation:
Recommendation No.1: We recommend that EEOC implement a centralized repository to maintain control of access request forms.
Management Response:
Management indicated concurrence with this finding.
Additionally stating "Network access forms - EEOC would like to note that we do have a centralized repository for maintaining network user access forms. We concur with the 92% compliance finding for retrieval of network access forms in FY 2012
and are encouraged that this area shows progress over the 77% compliance rate finding in FY 2011. OIT expects that this rate will remain at the >90% level until we can move away from manual processes and implement more automated
on-boarding/account creation practices. In the interim, EEOC accepts the >90% rate as an acceptable level of compliance risk.
IMS - OIT will conduct a recertification of all IMS users in the first quarter of FY 2013 and will review and update policies related to preservation of account authorization forms. Remediation dates will be determined and included in the system
POA&M."
Auditor's Evaluation of Management's Response:
Management agrees with the condition of the missing access request forms. CLA's recommendation on a centralized repository was based upon management's need to obtain and request access request forms for several individuals from various field
offices since not available at headquarters. We agree that a more automated on-boarding/account creation practices would assist in mitigating the risk of lost forms under current manual processes.
Effective implementation of actions noted in management's response for IMS users should resolve the reported condition and recommendation.
EEOC did not fully implement multi-factor authentication (NFR Reference # 2012 - 3)
Through inquiry with management and review of the Data Net System Security Plan, EEOC has not fully implemented multi-factor authentication for remote access through Virtual Private Network (VPN), as well as for network and local accounts.
Although an Acceptance of Risk was provided for new imaged laptops, legacy laptops use a common password as part of their two-factor authentication.
Without a fully implemented multi-factor authentication process, this increases the risk of unauthorized access attempts.
National Institute of Standards and Technology Special Publication (NIST SP) 800-53 Revision 3, Recommended Security Controls for Federal Information Systems control IA-2, states the following regarding identification and
authentication, "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). And applicable control enhancements: "(1) The information system uses
multifactor authentication for network access to privileged accounts. (2) The information system uses multifactor authentication for network access to non-privileged accounts. (3) The information system uses multifactor authentication for local
access to privileged accounts. (8) The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to privileged accounts."
Recommendation:
Recommendation No.2: We recommend that EEOC implement multifactor authentication for network access to non-privileged and privileged accounts.
Management Response:
Management indicated concurrence with this finding.
Additionally stating "EEOC continues to acknowledge that we have not implemented multifactor authentication for network access. This project is dependent on full (>80%) implementation of HSPD-12 PIV cards to all EEOC users as well as funding
to deploy the logical access requirements. EEOC has a risk acceptance on file, signed by the CIO, for this vulnerability."
Auditor's Evaluation of Management's Response:
EEOC agrees that they have not implemented multifactor authentication for network access. Although the compensating controls described within the risk waiver rely upon data encryption and utilities to detect and mitigate malicious activity, versus
an additional strengthening of existing user authentication controls to mitigate for the lack of multifactor authentication.
Effective implementation of actions noted in management's response should resolve the reported condition and recommendation.
Planning
Documented acceptance and understanding of information security responsibilities were not adequately maintained (NFR Reference # 2012- 2)
Documented acceptance and understanding of information security responsibilities were not available for 12 (48%) out of 25 individuals hired during FY 2012.
If acknowledgment of security responsibilities is not documented, users may be unaware of potential risks and their responsibilities in the use of EEOC information systems.
EEOC Order 240.005 states the following, "The Chief Human Capital officer is responsible for: Assuring that all new employees, as part of their orientation package, receive and sign an acknowledgment of receipt of "Information
Security Responsibilities of EEOC System Users" (Appendix A)."
National Institute of Standards and Technology Special Publication (NIST SP) 800-53 Revision 3, Recommended Security Controls for Federal Information Systems control PL-4, states the following regarding rules of
behavior, "The organization establishes and makes readily available to all information system users, a set of rules that describes their responsibilities and expected behavior with regard to information and information system usage.
The organization receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to the information system and its resident information."
Recommendation:
Recommendation No.3: We recommend that EEOC management ensure that all network users have read and signed acknowledgment of receipt of Information Security Responsibilities of EEOC System Users and that forms are managed in a centralized
location.
Management Response:
Management indicated concurrence with this finding.
Additionally stating "OIT would like to clarify that this finding specifically relates to interns/volunteers, not "New Hires" which implies a newly hired employee. EEOC "new hires" go through a formal on-boarding process in both Headquarters and
the Field which includes the review and signature of the Information Security Responsibilities document (which is then stored with their personnel file). All 12 individuals who were identified as not having evidence of acknowledgement were interns,
volunteers, or temps - some of which may not go through the formal new-hire process.
To mitigate risk of users not remembering or not previously acknowledging the Security Responsibilities document, in July 2012, EEOC conducted an on-line review and acceptance of the "EEOC Network/Desktop Rules of Behavior" and the "Information
Security Responsibilities of EEOC System Users" for all system users - with the user's acknowledgement stored in a centralized location. Therefore, all system users on-board during this timeframe acknowledged their responsibilities. In addition, in
August 2012, we conducted the annual Security Awareness Training which is mandatory for all system users.
OIT acknowledges that these annual certification measures may miss some of the interns, volunteers, and temporary staff that are only on-board for a few weeks or months. Therefore, we will develop plans and procedures to better ensure that the
Rules are acknowledged within a specified period of time of network account creation. Timelines related to this remediation will be documented in the system POA&M. "
Auditor's Evaluation of Management's Response:
Effective implementation of actions noted in management's response (last paragraph) should resolve the reported condition and recommendation.
Incident Response
The Incident Response Policy is incomplete. (NFR Reference # 2012 - 4)
EEOC's incident response policy (V1.4) only reflects 4 of 6 current incident categorization types, prescribed by the United States Computer Emergency Response Team (US-CERT).
Without the inclusion of all 6 severity ratings, EEOC increases the risk of not notifying proper officials about the incident in a timely manner so that action can be taken to avoid and minimize the compromised information system and data.
NIST SP800-61, Rev. 2 Incident Response to Computer Security Events Section 2.3.1 "Policy Elements" states:
Policy governing incident response is highly individualized to the organization. However, most policies include the same key elements:
Statement of management commitment
Purpose and objectives of the policy
Scope of the policy (to whom and what it applies and under what circumstances)
Definition of computer security incidents and related terms
Organizational structure and definition of roles, responsibilities, and levels of authority; should include the authority of the incident response team to confiscate or disconnect equipment and to monitor suspicious activity, the requirements
for reporting certain types of incidents, the requirements and guidelines for external communications and information sharing (e.g., what can be shared with whom, when, and over what channels), and the handoff and escalation points in the incident
management process
Prioritization or severity ratings of incidents
Performance measures (as discussed in Section 3.4.2)
Reporting and contact forms.
Recommendation:
Recommendation No. 4: We recommend that EEOC management revise the agency's policy to correctly reflect the entire severity rating list published by US-CERT.
Management Response:
Management indicated concurrence with this finding.
Additionally stating "OIT had purposefully documented four categories in our Incident Response Policy, as Category 6 is not applicable to reporting and Category 5 was incorporated into our Category 3. However, we have updated the policy and
related log sheets to reflect the full six categories, based on the auditor's recommendation. These updated documents were provided to the auditor on 10/19/12."
Auditor's Evaluation of Management's Response:
Effective implementation of actions noted in management's response should resolve the reported condition and recommendation.
Appendix A: Status of Prior Year (FY2011) Findings
Item #
Finding
Description
Control Family
Current Year Status
Comments
1
EEOC has not fully implemented multifactor authentication for remote access.
Through inquiry with management and review of the Data Net System Security Plan, EEOC has not fully implemented multi-factor authentication for remote access through Virtual Private
Network (VPN), as well as for network and local accounts. Although an Acceptance of Risk was provided for new imaged laptops, legacy laptops use a common password as part of their twofactor authentication.
Access Control
Open
Multifactor authentication for remote access is still not fully implemented.
NFR # 2012 - 03
2
The agency-wide Business Impact Analysis (BIA) has not been updated.
Through inquiry with the EEOC Chief Security Officer, the EEOC agency-wide Business Impact
Analysis (BIA) has not been updated since 2002 to reflect the current system environment and to address the weaknesses identified during subsequent disaster recovery tests.
Contingency Planning
Closed
The Business Impact Analysis (BIA) was updated.
3
Vulnerability scanning conrol weaknesses were identified.
Through inquiry with management and performance of an external network vulnerability assessment, we noted the following control weaknesses:
EEOC Management did not apply version releases promptly (1 critical and 5 high vulnerabilities were found) to critical network devices.
Credentialed network vulnerability scanning is not being performed.
Configuration Management
Closed
Version releases were applied promptly and credentialed network vulnerability scanning has occurred.
4
Excessive Virtual Private network (VPN) accounts were discovered.
Through testing of active VPN accounts, CLA discovered 1 employee as separated but still remained on the enabled VPN list.
Account and Identity Management
Closed.
Through FY2012 testing of active VPN accounts, there were no active separated individuals.
5
Access request forms could not be provided for all employees sampled.
Access request forms which document request and approval for network access could not be provided for seven out of thirty employees sampled.
Identity and Access Management
Open
Access request forms which document request and approval for network access were not provided for two out of twenty-five individuals sampled.
(See NFR # 2012 - 01)
Privacy Policy | Disclaimer | USA.Gov