EAC OIG, through the independent public accounting firm of Clifton Gunderson LLP, conducted an evaluation of EAC's security programs and practices for fiscal year 2008.
United States Election Assistance Commission Federal Information Security Management Act 2008 Independent Evaluation Report
Status of Recommendations
We recommend EAC management continue ongoing efforts and implement a formal agency-wide security program plan in line with OMB Circular A-130, Appendix III, NIST Special Publication 800-18 and FISMA.
We recommend EAC management assign responsibility for the security management function to an individual with the oversight responsibility over the security management structure. The individual should have the expertise and independence to enforce...
We recommend EAC management continue with ongoing efforts and conduct certification and accreditation of its general support system.
We recommend EAC management implement a risk assessment policy to require risk assessments to be performed periodically or when there is a significant change in the IT operating environment.
We recommend EAC management designate a Chief Privacy Officer or formally appoint an individual with the responsibility of monitoring and enforcing privacy-related policies and procedures. Privacy responsibilities should be added to the position...
We recommend EAC management develop an understanding of which EAC systems are covered by GSA's FISMA review rotation plan. Consequently, EAC should request from the service provider their systems review rotation schedule and note which systems are...
We recommend EAC management develop and implement formal policies that address the information protection needs associated with PII when it is either accessed remotely or physically removed from EAC controlled areas.
We recommend EAC management request from GSA their systems review rotation plan and note which EAC support systems are covered by each rotation [by FY]. For FYs where EAC systems are not covered, GSA should grant EAC access to review these systems to...
We recommend EAC management obtain from GSA its POA&M to address security weaknesses identified in: (1) the SAS 70 review of the Heartland Finance Center; (2) the GSA OIG's 2008 FISMA Report; and (3) any other security-related reviews it may have...
We recommend EAC management develop and implement information security policies for EAC. Where GSA policies are used, distribute these policies so employees are aware of their responsibilities and obligations.
We recommend EAC management implement a formal incident response policy and procedures in line with NIST 800-61.
We recommend EAC management establish a formal incident response team with defined roles and responsibilities.
We recommend EAC management update the security awareness training documentation to include incident response training.
We recommend EAC management conduct and document a formal business impact analysis to identify and prioritize critical IT systems and components.
We recommend EAC management finalize and approve the draft contingency and continuity of operations plan and ensure that the plan is tested periodically.
We recommend EAC management obtain from their service provider, GSA, an inventory of systems that support EAC's operations. They should further obtain from GSA a list of systems covered by the 2008 FISMA review and reconcile this with the list of...