Evaluation of Compliance with the Requirements of the Federal Information Security Management Act: Fiscal Year 2009

The EAC Office of Inspector General (OIG), through the independent public accounting firm of Leon Snead & Co., conducted an evaluation of EAC's compliance with the requirements of the Federal Information Security Management Act (FISMA) for fiscal year 2009.
Status of Recommendations
Establish an overall comprehensive plan of action and milestones (POA&M) document, with target dates for completion of corrective actions, to address the problems noted in this report. Assure that the plan is monitored on a monthly basis and updates...
Provide sufficient specialized training to EAC personnel to enable EAC to develop and maintain a risk-based IT security program that meets FISMA requirements, or hire an official who has experience managing an agency-wide IT security program.
Establish a continuous monitoring program that addresses the NIST SP 800-53 requirements.
Finalize the EAC IT security handbook, and establish a process to identify and document necessary operational processes to enable personnel to meet the control requirements contained in the handbook, and applicable NIST control requirements.
Assign a high priority to the completion of required contingency plans and continuity of operations (COOP) documents.
Implement the minimum password settings for the network. Ensure that the other Federal Desktop Core Configuration (FDCC) mandatory configuration settings are established as soon as possible.
Implement the access controls required by FISMA, including controls over all remote access methods, and implement OMB guidance on securing personally identifiable information (PII).
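The recommendation above names two settings classes, password minimums and FDCC mandatory configuration, but does not show how a deviation from them is detected. The following is an added example, not code from the EAC report or its auditors: it parses the `[System Access]` section of a `secedit /export /cfg` policy export (the two inline exports are constructed samples, not EAC data) and reports every setting that falls short of a baseline. The baseline values are assumptions modelled on FDCC-era password and lockout settings; take the authoritative numbers for a given platform from the published checklist rather than from this script.

```python
"""Compare a secedit.exe policy export against a password/lockout baseline."""
import configparser

# Assumed baseline: illustrative FDCC-style values, not the authoritative
# checklist. Each entry is (predicate over the integer setting, description).
BASELINE = {
    "MinimumPasswordLength": (lambda v: v >= 12, "at least 12 characters"),
    "PasswordComplexity":    (lambda v: v == 1, "complexity enabled (1)"),
    "PasswordHistorySize":   (lambda v: v >= 24, "at least 24 passwords remembered"),
    "MinimumPasswordAge":    (lambda v: v >= 1, "at least 1 day"),
    # secedit writes -1 for "password never expires", which must fail.
    "MaximumPasswordAge":    (lambda v: 1 <= v <= 60, "1-60 days (-1 = never expires)"),
    # 0 means account lockout is disabled entirely.
    "LockoutBadCount":       (lambda v: 1 <= v <= 5, "1-5 bad attempts (0 = disabled)"),
    # -1 means "locked until an administrator unlocks", which is acceptable.
    "LockoutDuration":       (lambda v: v == -1 or v >= 15, "at least 15 minutes"),
    "ResetLockoutCount":     (lambda v: v >= 15, "at least 15 minutes"),
}

# Constructed sample of a weak export. On disk secedit writes UTF-16; when
# reading a real file use open(path, encoding="utf-16").
WEAK_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample of the same export after the settings are corrected.
HARDENED_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 15
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(export_text):
    """Return the [System Access] settings of a secedit export as {name: int}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the original key casing
    cp.read_string(export_text)
    return {key: int(value) for key, value in cp["System Access"].items()}


def check_policy(export_text):
    """Return a list of (setting, actual_or_None, expectation) findings.

    A setting that secedit omits (for example LockoutDuration when lockout
    is disabled) is reported with actual_or_None set to None.
    """
    settings = parse_system_access(export_text)
    findings = []
    for name, (ok, expectation) in BASELINE.items():
        actual = settings.get(name)
        if actual is None or not ok(actual):
            findings.append((name, actual, expectation))
    return findings


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"{label}: {len(check_policy(export))} finding(s)")
        for name, actual, expectation in check_policy(export):
            print(f"  {name}: {actual!r} (expected {expectation})")
```

Note that when account lockout is disabled (`LockoutBadCount = 0`) secedit drops `LockoutDuration` and `ResetLockoutCount` from the export, so an absent key is treated as a finding rather than silently skipped.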
Finalize the risk assessment, and ensure it is used to develop risk-based controls, and as a starting point for development of contingency plans and COOP documents.
Establish controls over the audit logs that are maintained, so that the system is capable of producing the required alerts. Ensure that the logs are reviewed periodically to identify unusual activity and any other concerns or problems.
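The recommendation above asks for two things: logs that can raise an alert on their own, and a periodic human review that catches what no alert fired on. The following is an added example, not code from the EAC report: it runs a simple review rule over constructed logon records (the inline lines are made up for illustration and are not EAC logs) and raises an alert when one source address accumulates a burst of failed logons inside a ten-minute window, and a second alert if a successful logon from that source follows the burst. The record format (timestamp, event ID, account, source address) and the thresholds are assumptions chosen for the example; Windows event IDs 4625 and 4624 are the real failed-logon and successful-logon events.

```python
"""Review logon records for failed-logon bursts and a success that follows one."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"   # Windows Security event: an account failed to log on
SUCCESS_LOGON = "4624"  # Windows Security event: an account was successfully logged on

# Assumed review thresholds: five failures from one source within ten minutes.
THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed records: "timestamp,event_id,account,source_ip" (not real logs).
SAMPLE_LOG = """\
2009-06-02T08:00:05,4625,jsmith,10.1.4.22
2009-06-02T08:00:41,4625,jsmith,10.1.4.22
2009-06-02T08:01:12,4625,jsmith,10.1.4.22
2009-06-02T08:01:30,4625,bwong,10.1.9.7
2009-06-02T08:01:55,4625,jsmith,10.1.4.22
2009-06-02T08:02:20,4624,bwong,10.1.9.7
2009-06-02T08:02:50,4625,jsmith,10.1.4.22
2009-06-02T08:03:10,4624,jsmith,10.1.4.22
2009-06-02T09:30:00,4625,amiller,10.1.4.22
"""


def parse_records(text):
    """Yield (timestamp, event_id, account, source) tuples in file order."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, account, source = line.split(",")
        yield datetime.fromisoformat(stamp), event_id, account, source


def review_logons(text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as (kind, source, account, timestamp) tuples.

    kind is "failed_logon_burst" when a source reaches `threshold` failures
    inside `window` (raised once per burst, at the failure that crosses the
    line), or "logon_after_burst" when a successful logon arrives from a
    source that still has a full burst of failures inside the window.
    """
    recent_failures = defaultdict(deque)  # source -> timestamps of recent failures
    alerts = []
    for stamp, event_id, account, source in parse_records(text):
        failures = recent_failures[source]
        # Drop failures that have aged out of the sliding window.
        while failures and stamp - failures[0] > window:
            failures.popleft()
        if event_id == FAILED_LOGON:
            failures.append(stamp)
            if len(failures) == threshold:
                alerts.append(("failed_logon_burst", source, account, stamp))
        elif event_id == SUCCESS_LOGON and len(failures) >= threshold:
            alerts.append(("logon_after_burst", source, account, stamp))
    return alerts


if __name__ == "__main__":
    for kind, source, account, stamp in review_logons(SAMPLE_LOG):
        print(f"{stamp.isoformat()} {kind}: {account} from {source}")
```

The burst alert is the kind of condition the first sentence of the recommendation expects the system itself to raise; the success-after-burst alert is the sort of pattern a periodic review should look for even when an automated alert has already fired, because it changes the question from "is someone guessing passwords" to "did they get in".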
Ensure that access controls are implemented for all EAC network devices.