Report Recommendations
OIG recommends that the Broadcasting Board of Governors perform a privacy impact assessment for its Office of Cuba Broadcasting Headquarters Network system, as required by National Institute of Standards and Technology Special Publication 800-37, Revision 1.
OIG recommends that the Broadcasting Board of Governors perform a privacy impact assessment for its Privacy Information Enclave system, as required by National Institute of Standards and Technology Special Publication 800-37, Revision 1.
OIG recommends that the Broadcasting Board of Governors update the Certification and Accreditation Policy and Procedures to identify the responsible organizations for conducting annual security control assessments.
OIG recommends that the Broadcasting Board of Governors perform annual security control assessments on its Identity Management System.
OIG recommends that the Director of Global Operations approve and implement a continuous monitoring policy that assesses the security state of information systems and is consistent with National Institute of Standards and Technology Special Publication 800-53, Revision 4.
Sensitive Information Redacted
Sensitive Information Redacted
OIG recommends that the Director of Global Operations update server and workstation baseline procedures to include all of the U.S. Government Configuration Baseline configuration settings as required by the National Institute of Standards and Technology Special Publication 800-53, Revision 4.
OIG recommends that the Director of Global Operations remediate all critical vulnerabilities as they are identified through periodic scanning.
OIG recommends that the Director of Global Operations enforce the Broadcasting Board of Governors (BBG) Change Management Policy for all changes within the BBG environment.
OIG recommends that the Information Security Management Division update and implement the incident response policy and procedures to include preparation, detection and analysis, containment, eradication, recovery, and post-incident activity components as required by National Institute of Standards and Technology Special Publication 800-61, Revision 2.
OIG recommends that the Information Security Management Division adhere to the Computer Security Incident Management Policy, when finalized, to include the appropriate category level for every documented incident.
OIG recommends that the Chief Information Security Officer, in coordination with the system owners and the Office of the Chief Information Officer, ensure that Broadcasting Board of Governors' Plans of Action and Milestones (POAM) include all required elements in accordance with the Information Security POAM Policy, to include severity of the weakness, responsible organization, estimated funding resources, completion date, key milestones and changes, source of the weakness, and the latest status.
OIG recommends that the Enterprise Networks and Storage Division implement procedures to assess the adequacy of the security configurations of remote computers that request access to the Broadcasting Board of Governors’ (BBG) network and grant access only to properly configured and patched devices, as required by BBG’s Virtual Private Network (VPN) policy and VPN Access Acceptance Form.
OIG recommends that the Enterprise Networks and Storage Division ensure that multiple personnel are trained, and utilize that training, to disable Virtual Private Network tokens after they are reported lost or stolen in accordance with National Institute of Standards and Technology Special Publication 800-53, Revision 4.
OIG recommends that the Director of Global Operations and system owners ensure that user accounts are properly maintained in accordance with Broadcasting Board of Governors' Identification and Authentication Policy.
OIG recommends that the Director of Global Operations, in coordination with the Office of Security, complete the issuance of Personal Identity Verification cards as required by Homeland Security Presidential Directive 12 and Office of Management and Budget guidelines.
OIG recommends that the Director of Global Operations finalize and implement a role-based security training policy, as required by the National Institute of Standards and Technology Special Publication 800-53, Revision 4.
