Report Recommendations
OIG recommends that the System Owners, Information Owners, and the Chief Information Officer/Chief Technology Officer assess the data categorization for information systems, in accordance with Federal Information Processing Standard 199, and implement the corresponding National Institute of Standards and Technology Special Publication 800-53, Revision (Rev.) 3, controls, if necessary.
OIG recommends that the System Owners and Chief Information Officer/Chief Technology Officer prioritize resources to perform security impact analyses to assess the differences in National Institute of Standards and Technology Special Publication 800-53, Revision 3, control families and their impact on the security state of the systems, and reauthorize the systems.
OIG recommends that the Broadcasting Board of Governors prioritize resources to perform a privacy impact assessment for the Privacy Information Enclave in accordance with Office of Management and Budget Memorandum M-12-20.
OIG recommends that the Chief Information Officer/Chief Technology Officer, in coordination with the Information Security Management Division, finalize and implement an enterprise-wide continuous monitoring strategy that includes a continuous monitoring policy and assesses the security state of information systems in a manner consistent with Federal Information Security Management Act requirements, Office of Management and Budget policy, and applicable National Institute of Standards and Technology guidelines.
OIG recommends that the Chief Information Officer/Chief Technology Officer prioritize resources to complete entity-wide and system specific contingency planning documents for all information systems and conduct necessary testing in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34, Revision 1, and NIST SP 800-53, Revision 3.
OIG recommends that the Information Security Management Division update and implement its incident response policy in accordance with National Institute of Standards and Technology Special Publication 800-61, Revision 2.
OIG recommends that the Chief Information Officer/Chief Technology Officer ensure that Broadcasting Board of Governors Plans of Action and Milestones (POAM) include all required elements in accordance with its Information Security POAM Policy, including the severity of the weakness, responsible organization, estimated funding resources, completion date, key milestones and changes, source of the weakness, and status.
OIG recommends that the Enterprise Networks and Storage Division, under the Office of the Chief Information Officer/Chief Technology Officer, implement procedures to assess the adequacy of the security configurations of mobile computers that request access to the Broadcasting Board of Governors network and grant access only to properly configured and patched devices in accordance with National Institute of Standards and Technology Special Publication 800-53, Revision 3.
OIG recommends that the Chief Information Officer/Chief Technology Officer verify that U.S. Government Configuration Baseline configuration standards are implemented and compliance with the implemented standards is periodically assessed in accordance with National Institute of Standards and Technology Special Publication 800-53, Revision 3.
OIG recommends that the Chief Information Officer/Chief Technology Officer follow the Broadcasting Board of Governors Change Management Policy, to “test and disseminate Microsoft operating system and application patches released on the second Tuesday of each month in a way that ensures complete coverage of workstations and laptops while avoiding operational downtime by rigorously testing the patches prior to general release to ensure application compatibility and seamless functionality.”
OIG recommends that the Chief Information Officer/Chief Technology Officer and System Owners ensure that user accounts are properly maintained in accordance with Broadcasting Board of Governors (BBG) Identification and Authentication Policy and the BBG/IBB/VOA Password Policy.
OIG recommends that the Office of Security, in coordination with the Chief Information Officer/Chief Technology Officer, complete the issuance of Personal Identity Verification cards as required by Homeland Security Presidential Directive 12.
OIG recommends that the Information Security Management Division, in coordination with the Chief Information Officer/Chief Technology Officer, prioritize resources to develop and implement a role-based security training program in accordance with National Institute of Standards and Technology Special Publication 800-53, Revision 3.
