Report Contents
Summary of Review
Information systems security officers (ISSO) are responsible for enforcing Department of State (Department) information systems security policies to ensure the protection of the Department’s computer infrastructure, networks, and data. However, OIG has found continued deficiencies in the performance of ISSO duties, which places the Department’s computer systems and data at risk. Deficiencies in the performance of ISSO duties relate to the ongoing challenge of information security, which OIG identified to be a major management challenge for the Department in the Inspector General Statement on the Department of State’s Major Management and Performance Challenges. 1
OIG reviewed 51 overseas inspection reports issued from October 1, 2016, to September 30, 2019, and identified findings on deficiencies in ISSO performance in 25 (49 percent) of reviewed reports. This reflects an increase from the 2017 Management Assistance Report (MAR), 2 where OIG found 33 percent of reviewed reports contained deficiencies in ISSO performance. This MAR identifies additional underlying factors not addressed in the 2017 MAR that contributed to or caused the non-performance of ISSO duties. OIG made five recommendations to address the reported causes for continued overseas ISSO deficiencies. In its comments on the draft report, the Department concurred with four recommendations and disagreed with one recommendation. OIG considers four recommendations resolved and one recommendation unresolved. The Department’s response to each recommendation and OIG’s reply can be found in the Recommendations section of this report. The Department’s formal written responses are reprinted in their entirety in Appendix B.
1 OIG, Inspector General Statement on the Department of State’s Major Management and Performance Challenges Fiscal Year 2019 13 (OIG-EX-20-02, January 2020).
2 OIG, Management Assistance Report: Non-Performance of Information Systems Security Officer Duties by Overseas Personnel (ISP-17-24, May 2017). The scope of the 2017 report included inspections conducted from fall FY 2014 to spring FY 2016.
Report Terms
Report Recommendations
The Bureau of Global Talent Management, in coordination with the Under Secretary for Management, the Bureaus of Diplomatic Security and Information Resource Management, and the regional bureaus, should conduct an organizational assessment of the information systems security officer program to determine the feasibility of creating full-time overseas positions and implement the results of the assessment with an appropriate reporting structure for those positions.
The Bureau of Information Resource Management, in coordination with the Bureau of the Comptroller and Global Financial Services, should incorporate an attestation relating to the completion of information systems security officer responsibilities in the annual Chief of Mission Management Control Statement of Assurance.
The Bureau of Information Resource Management, in coordination with the Bureau of Diplomatic Security and regional bureaus, should define the roles and responsibilities for regional information systems security officers and liaisons and clarify the level of interaction and support these positions are to give to overseas information systems security officers, and update applicable Department standards as needed.
The Bureau of Information Resource Management should review and update the information systems security officer checklist and clearly state for each task whether it should be performed by overseas information systems security officers, by other overseas post information management personnel, or by the Bureau of Information Resource Management.
The Bureau of Information Resource Management, in coordination with the Foreign Service Institute, should update the information systems security officer foundations training course to increase both hands-on exercises and discussion on how to perform specific tasks and use Department-provided tools.
