Report Contents
What OIG Audited
Protecting sensitive information is one of the Department of State’s (Department) greatest responsibilities and challenges. Portable devices, such as miniature or external hard drives and thumb drives, provide users the capability to easily transport business and personal information, as well as other data. As their use increases, however, so do the associated risks because the properties that make these devices portable and enable their convenient connections also increase the risk of data loss and the introduction of malware. The Office of Inspector General (OIG) conducted this audit to determine whether the Department has implemented a process to detect the use of unapproved portable devices, as required by Federal and Department requirements, and has taken action to address instances in which unapproved portable devices have been used.
What OIG Recommends
OIG made seven recommendations to the Bureau of Information Resource Management (IRM), one of which is in coordination with the Bureau of Diplomatic Security (DS), to enhance controls over the identification of unapproved portable devices and to prompt action when unapproved devices are detected. On the basis of IRM’s response to a draft of this report, OIG considers five recommendations resolved, pending further action, and two recommendations unresolved. A synopsis of IRM’s comments regarding the recommendations offered and OIG’s reply follow each recommendation in the Results section of this report. IRM’s response to a draft of this report is reprinted in its entirety in Appendix B.
What OIG Found
Department policy prohibits the use of non-Department-owned portable devices on the Department’s systems. OIG found that the Department has implemented methods to detect the use of unapproved portable devices. For example, IRM’s Office of Operations, Information Technology Infrastructure Office, Systems Integrity Division uses software to detect when unapproved portable devices are connected to Department systems based on the Enterprise Master List, which is a list that contains both authorized and excluded devices. DS also identifies the use of unapproved devices through its requirement that employees report cybersecurity incidents. These approaches can nonetheless be improved. Specifically, the Systems Integrity Division should keep its list of approved and excluded portable devices current to further protect the network from unapproved portable devices. Moreover, the Systems Integrity Division has not implemented an effective method to verify the approval of authorized portable devices that have been added to the Enterprise Master List. Inadequate controls with respect to these issues increase the risk of data loss and the introduction of malware.
OIG also found that the Department has taken action to address instances in which unapproved portable devices have been used. In addition to automatically blocking unapproved portable devices from connecting, the Systems Integrity Division informally follows up on some reported incidents. DS also follows up on unauthorized portable devices reported by Department employees. Again, these processes can be enhanced. For example, the Systems Integrity Division needs to formalize its processes for following up on incidents and documenting the remediation of the incident. In addition, the Systems Integrity Division and DS should collaborate to clarify their respective roles and responsibilities to maximize effectiveness.
Report Recommendations
OIG recommends that the Bureau of Information Resource Management develop and implement a process to periodically verify that the Enterprise Master List is kept current and complete.
OIG recommends that the Bureau of Information Resource Management (IRM) develop and implement a process to verify that a Local Configuration Control Board has authorized the type of portable device requested each time a bureau or post requests that IRM add a type of portable device to the Enterprise Master List.
OIG recommends that the Bureau of Information Resource Management enforce its authority to administer the use of portable devices in the Department of State, as well as the policies, standards, and procedures related to portable devices.
OIG recommends that the Bureau of Information Resource Management (IRM) perform and document an analysis of the advantages and disadvantages of limiting the brands of portable devices that are allowed to be connected to OpenNet, including connection through local networks. From the completed analysis, IRM should determine whether or not to limit the brands of portable devices.
If the Bureau of Information Resource Management (IRM) determines that it should limit the brands of portable devices that are allowed to be connected to OpenNet (Recommendation 4), OIG recommends that IRM develop and issue a policy that implements this determination.
OIG recommends that the Bureau of Information Resource Management develop and implement formal, standardized procedures for regularly performing an analysis of the Symantec Endpoint Protection Application and Device Control reports. At a minimum, the procedures should provide guidance for analysts on how to review the Symantec reports, how to identify high-risk exceptions for follow-up, what actions should be taken during follow-up, and how to document the follow-up and the remediation taken.
OIG recommends that the Bureau of Information Resource Management, in coordination with the Bureau of Diplomatic Security, develop and implement formal procedures to identify and remediate cybersecurity policy violations created when employees connect unapproved portable devices to OpenNet. The formal procedures should include a description of each bureau’s roles and responsibilities in the process.
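As an added illustration, not code from the report or from the Department's tooling, the following Python models the detection approach described under What OIG Found (a master list of authorized and excluded devices) together with the checks Recommendations 1, 2 and 6 call for: flagging exceptions in device-control events for analyst follow-up and finding list entries that lack an approval record. The master-list layout, the event format and the LCCB ticket references are constructed for the example and do not reflect Symantec's actual report format.

```python
# Added example: master-list device control checks (constructed data).

# Constructed Enterprise Master List: vendor:product ID -> status and the
# Local Configuration Control Board (LCCB) reference that approved the entry.
# An authorized entry with no LCCB reference is the verification gap that
# Recommendation 2 addresses.
MASTER_LIST = {
    "0781:5581": {"status": "authorized", "lccb_ref": "LCCB-EXAMPLE-1"},
    "0951:1666": {"status": "authorized", "lccb_ref": None},
    "abcd:1234": {"status": "excluded", "lccb_ref": "LCCB-EXAMPLE-2"},
}

# Constructed device-control events in a simple key=value line format.
EVENTS = [
    "host=WS01 user=alice dev=0781:5581 action=allowed",
    "host=WS02 user=bob dev=abcd:1234 action=blocked",
    "host=WS03 user=carol dev=1a2b:3c4d action=blocked",
    "host=WS03 user=carol dev=1a2b:3c4d action=allowed",
]


def parse_event(line):
    """Split one 'key=value ...' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def classify(event, master_list=MASTER_LIST):
    """Return 'authorized', 'excluded' or 'unknown' for the event's device."""
    entry = master_list.get(event["dev"])
    return entry["status"] if entry else "unknown"


def high_risk_exceptions(lines, master_list=MASTER_LIST):
    """Events an analyst should follow up on (Recommendation 6).

    A device missing from the list is flagged even when blocked, because it
    shows the list is not complete (Recommendation 1); a non-authorized
    device that actually connected is rated high, anything else medium.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        status = classify(ev, master_list)
        if status == "authorized":
            continue
        if status == "unknown" or ev["action"] == "allowed":
            severity = "high" if ev["action"] == "allowed" else "medium"
            findings.append((ev["host"], ev["user"], ev["dev"], status, severity))
    return findings


def unverified_authorizations(master_list=MASTER_LIST):
    """Authorized entries with no LCCB approval on record (Recommendation 2)."""
    return sorted(dev for dev, e in master_list.items()
                  if e["status"] == "authorized" and not e["lccb_ref"])
```

Running the findings over the constructed events flags the unlisted device twice (medium when blocked, high when it connected) and reports one authorized entry with no approval reference.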
