Upload
doanque
View
222
Download
0
Embed Size (px)
Citation preview
OFFICE OF INSPECTOR GENERAL EXPORT-IMPORT BANK
of the UNITED STATES
Independent Audit of Export-Import Bank’s Information
Security Program Effectiveness for Fiscal Year 2016
March 15, 2017 OIG-AR-17-04
Information about specific vulnerabilities in IT systems has been redacted from the publicly released version of this report. The information withheld was compiled in connection with OIG law enforcement responsibilities and consists of information that, if released publicly, could lead to the circumvention of the law.
Office of Inspector General
811 Vermont Avenue, NW Washington, DC 20571 | Main: 202 565 3908 | Fax: 202 565 3988 exim.gov
To: Howard Spira, Chief Information Officer
From: Terry Settle, Assistant Inspector General for Audits
Subject: Independent Audit of Export-Import Bank’s Information Security Program Effectiveness for Fiscal Year 2016 (OIG-AR-17-04)
Date: March 15, 2017
This memorandum transmits Cotton & Company LLP’s (Cotton & Company) audit report on Export-Import Bank’s (EXIM Bank) Information Security Program for Fiscal Year 2016. Under a contract monitored by this office, we engaged the independent public accounting firm of Cotton & Company to perform the audit. The objective of the audit was to determine whether the EXIM Bank developed and implemented effective information security programs and practices as required by the Federal Information Security Modernization Act of 2014 (FISMA).
Cotton & Company determined that while EXIM Bank has addressed several of the challenges identified during previous FISMA audits, its information security program and practices are not effective overall when assessed against revised Department of Homeland Security (DHS) reporting metrics. EXIM Bank has not effectively implemented a mature information security program. The report contains nine new recommendations and two partially re-issued recommendations from prior years for corrective action. Management concurred with the recommendations and we consider management’s proposed actions to be responsive. The recommendations will be closed upon completion and verification of the proposed actions.
We appreciate the cooperation and courtesies provided to Cotton & Company and this office during the audit. If you have questions, please contact me at (202) 565-3498 or [email protected]. You can obtain additional information about the Export-Import Bank Office of Inspector General and the Inspector General Act of 1978 at www.exim.gov/about/oig.
TLS
cc: C.J. Hall, Acting President and Chairman, Executive Vice President and Chief Operating Officer
Angela Freyre, General Counsel Kenneth Tinsley, Senior Vice President and Chief Risk Officer David Sena, Senior Vice President and Chief Financial Officer Inci Tonguch‐Murray, Deputy Chief Financial Officer John Lowry, Director, Information Technology Security and Systems Assurance George Bills, Partner, Cotton & Company LLP
March 3, 2017
Terry Settle Assistant Inspector General for Audits Export‐Import Bank of the United States 811 Vermont Avenue, NW Washington, DC 20571
Subject: Independent Audit of the Export‐Import Bank’s Information Security Program Effectiveness for Fiscal Year 2016
Dear Ms. Settle:
We are pleased to submit this report in support of audit services provided pursuant to Federal Information Security Modernization Act of 2014 (FISMA) requirements. Cotton & Company LLP conducted an independent performance audit of the Export‐Import Bank of the United States’ (EXIM Bank’s) information security program and practices for the fiscal year ending September 30, 2016. Cotton & Company performed the work from May through December 2016.
We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards (GAGAS), as amended, promulgated by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence that provides a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence we obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
This report is intended solely for the information and use of the Export‐Import Bank of the United States, and is not intended to be and should not be used by anyone other than these specified parties.
Please feel free to contact me with any questions.
Sincerely,
COTTON & COMPANY LLP
George E. Bills, CPA, CISSP, CISA, CIPP Partner
i
AUDIT REPORT OIG-AR-17-04
The Export‐Import Bank of the United States (EXIM Bank) is the official export‐credit agency of the United States. EXIM Bank is an independent, self‐sustaining executive agency and a wholly‐owned U.S. government corporation. EXIM Bank’s mission is to support jobs in the United States by facilitating the export of U.S. goods and services. EXIM Bank provides competitive export financing and ensures a level playing field for U.S. exports in the global marketplace.
The Office of Inspector General, an independent office within EXIM Bank, was statutorily created in 2002 and organized in 2007. The mission of the EXIM Bank Office of Inspector General is to conduct and supervise audits, investigations, inspections, and evaluations related to agency programs and operations; provide leadership and coordination as well as recommend policies that will promote economy, efficiency, and effectiveness in such programs and operations; and prevent and detect fraud, waste, abuse, and mismanagement.
ACRONYMSCIO ChiefInformationOfficerCIGIE CouncilofInspectorsGeneralonIntegrityandEfficiencyCRO ChiefRiskOfficerDHS DepartmentofHomelandSecurityEOL EXIMOnlineFIPS FederalInformationProcessingStandardsFISMA FederalInformationSecurityModernizationActof2014FMS‐NG FinancialManagementSystem–NextGenerationFY FiscalYearGAGAS GenerallyAcceptedGovernmentAuditingStandardsGAO GovernmentAccountabilityOfficeGISRA GovernmentInformationSecurityReformActof2000GSS GeneralSupportSystemIG InspectorGeneralIR IncidentResponseIT InformationTechnologyISCM InformationSecurityContinuousMonitoringNIST NationalInstituteofStandardsandTechnologyOIG OfficeofInspectorGeneralOMB OfficeofManagementandBudgetPOA&M PlanofActionandMilestonesPIV PersonalIdentityVerificationROB RulesofBehaviorSP SpecialPublicationSSP SystemSecurityPlan
ii
AUDIT REPORT OIG-AR-17-04
Why We Did This Audit TheFederalInformationSecurityModernizationActof2014(FISMA)requiresagenciestodevelop,document,andimplementagency‐wideinformationsecurityprogramstoprotecttheirinformationandinformationsystems.FISMAalsorequiresagenciestoundergoanannualindependentevaluationoftheirinformationsecurityprogramsandpracticestodeterminetheireffectiveness.TofulfillitsFISMAresponsibilities,theOfficeoftheInspectorGeneralcontractedwithCotton&CompanyLLPforanannualindependentevaluationoftheExport‐ImportBank’s(EXIMBankortheBank’s)informationsecurityprogramandpractices.
What We Recommended WepartiallyreissuedtworecommendationsandmadeninenewrecommendationsfortheChiefInformationOfficerto(1)implementprocedurestoevaluateandimprovethematurityandeffectivenessoftheBank’sinformationsecurityprogram,(2)updateagreementswiththird‐partyserviceproviders,(3)improvevulnerabilitymanagement,(4)adequatelydocumentandimplementbaselineconfigurationsettingsforITproducts,(5)implementappropriateaccessmanagementpriortograntingusersaccesstosystems,(6)updateandimplementeffectiverole‐basedsecuritytraining,(7)improvecontrolsaroundsharedsystemaccounts,(8)implementappropriateaccountmanagementcontrolsfortheApplicationProcessingSystem(APS)application,and(9)improveproceduresformanagingsoftwarelicenses.
What Cotton & Company LLP Found EXIMBank’sinformationsecurityprogramandpracticesarenoteffectiveoverallwhenassessedagainstrevisedDepartmentofHomelandSecurity(DHS)reportingmetrics.EXIMBankhasaddressedseveralofthechallengesidentifiedduringpreviousFISMAaudits.Duringthepastyear,EXIMBankfullyimplementedPersonalIdentityVerification(PIV)cardusageforlogicalsystemaccess.Additionally,EXIMBankimprovedthecontrolsaroundtheaccountmanagementprocessfortheInfrastructureGeneralSupportSystem(GSS);improvedremoteaccesstimeoutconfigurations;andadequatelydocumentedandupdateditsconfigurationmanagementplansfortheInfrastructureGSSand .However,underDHSmetrics,EXIMBankhasnoteffectivelyimplementedamatureinformationsecurityprogram.Specifically,theBank’scurrentInformationSecurityContinuousMonitoring(ISCM)andIncidentResponse(IR)policies,plans,procedures,andstrategiesarenotconsistentlyimplementedorganization‐wide,impactingthematurityandeffectivenessofitsoverallinformationsecurityprogram.
TheDHSsignificantlyrevisedtheInspectorGeneral(IG)reportingmetricsforagenciesinfiscalyear(FY)2016,whichresultedinmorerigorousevaluationcriteriaandrequirementsthaninpreviousyears.WhenevaluatingEXIMBank’sinformationsecurityprogramagainsttheDHSFY2016IGFISMAmetrics,whichuseafive‐levelmaturitymodelscale,wefoundthatonlyoneofthefiveNationalInstituteofStandardsandTechnology(NIST)CybersecurityFrameworkareas,theRecoverdomain,waseffectivelyimplementedconsistentwithFISMArequirementsandapplicableDHSandNISTguidelines(i.e.,wasatLevel4orhigher).Theremainingframeworkareas–Identify,Protect,Detect,andRespond–werenoteffectivelyimplemented(i.e.,wereatLevel3orbelow).PerDHS’FY2016IGFISMAmetrics,onlyagencyprogramsthatscoredatorabovetheManagedandMeasureablelevel(Level4)foraNISTFrameworkFunctionhaveeffectiveprogramswithinthatarea.EXIMBank’soverallscoreforitsinformationsecurityprogramwasLevel2:Defined,whichdoesnotrepresentaneffectiveprogram.AsummaryoftheresultsfortheDHSFY2016IGFISMAMetricsisinAppendixD.
Wenoted,however,anumberofnewchallengesidentifiedinthisyear’sFISMAaudit.WhiletheBankeffectivelyimplemented11ofthe14NISTSP800‐53,Rev.4controlsthatwetestedfortheApplicationProcessingSystem(APS)andtheInfrastructureGSS,weidentifiedseveralsignificantareasforimprovement.Specifically,Bankmanagement:
Hasnotimplementedappropriatesecuritycontrolsover usedtoaccessEXIMBankdata.(2014prior‐yearfinding)
DidnoteffectivelyremediatePlanofActionandMilestones(POA&M)itemsinatimelymanner.(2015prior‐yearfinding)
Hasnoteffectivelydocumentedsecurityagreementswiththird‐partyserviceproviders.
Hasnoteffectivelyimplementedavulnerabilitymanagementprogram. Hasnoteffectivelyimplementedbaselineconfigurationsanddocumented
deviationsforinformationtechnology(IT)products. HasnoteffectivelyimplementedAccessManagementcontrols. Hasnoteffectivelyimplementedarole‐basedtrainingprogram. Hasnoteffectivelyimplementedcontrolsaroundtheuseofsharedsystem
accounts. HasnoteffectivelyimplementedAccountManagementcontrolsfortheAPS
application. Hasnoteffectivelyimplementedsoftwarelicensemanagementcontrols.
Foradditionalinformation,contacttheOfficeoftheInspectorGeneralat(202)565‐3908orvisitwww.exim.gov/oig.
Executive Summary OIG-AR-17-04Independent Audit of the EXIM Bank’s Information Security Program March 3, 2017 Effectiveness for Fiscal Year 2016
(b) (7)(E)
(b) (7)(E)
iii
AUDIT REPORT OIG-AR-17-04
Objective ....................................................................................................... 1
Scope and Methodology ................................................................................ 1
Background ................................................................................................... 2
Results: ......................................................................................................... 7
Finding: EXIM Bank Should Improve the Maturity of Its Information Security Program ...................................................................................... 8
Recommendation, Management’s Response, and Evaluation of Management’s Response ........................................................................ 12
Finding: EXIM Bank Should Improve Security Controls over .................................................................................................... 13
Recommendation, Management’s Response, and Evaluation of Management’s Response ........................................................................ 14
Finding: EXIM Bank Should Improve Controls over Its Plan of Action & Milestones Process ................................................................................. 15
Recommendation, Management’s Response, and Evaluation of Management’s Response ........................................................................ 16
Finding: EXIM Bank Should Improve Controls over Agreements with Third-Party Service Providers ................................................................. 17
Recommendation, Management’s Response, and Evaluation of Management’s Response ........................................................................ 18
Finding: EXIM Bank Should Improve Controls over Its Vulnerability Management Program ............................................................................ 19
Recommendation, Management’s Response, and Evaluation of Management’s Response ........................................................................ 21
Finding: EXIM Bank Should Improve Controls over Baseline Configuration Implementation ............................................................... 22
Recommendation, Management’s Response, and Evaluation of Management’s Response ........................................................................ 23
Finding: EXIM Bank Should Improve Controls over Access Management........................................................................................... 23
TABLE OF CONTENTS
(b) (7)(E)
iv
AUDIT REPORT OIG-AR-17-04
Recommendation, Management’s Response, and Evaluation of Management’s Response ........................................................................ 25
Finding: EXIM Bank Should Improve Controls over Role-Based Training .................................................................................................. 25
Recommendation, Management’s Response, and Evaluation of Management’s Response ........................................................................ 27
Finding: EXIM Bank Should Improve Controls over the Use of Shared Accounts ................................................................................................. 27
Recommendation, Management’s Response, and Evaluation of Management’s Response ........................................................................ 28
Finding: EXIM Bank Should Improve Controls over APS Account Management........................................................................................... 29
Recommendation, Management’s Response, and Evaluation of Management’s Response ........................................................................ 30
Finding: EXIM Bank Should Improve Controls over Software License Management........................................................................................... 30
Recommendation, Management’s Response, and Evaluation of Management’s Response ........................................................................ 32
Appendix A
Federal Laws, Regulations, Policies, and Guidance ................................ 33
Prior Coverage ........................................................................................ 34
Appendix B
Management Comments ......................................................................... 39
Appendix C
Selected Security Controls and Testing Results ..................................... 44
Appendix D
DHS FY 2016 IG FISMA Metrics Results ................................................. 45
1
AUDIT REPORT OIG-AR-17-04
ThisreportisintendedsolelyfortheinformationanduseoftheExport‐ImportBankoftheUnitedStates,andisnotintendedtobeandshouldnotbeusedbyanyoneotherthanthesespecifiedparties.
Objective
ThisreportpresentstheresultsoftheindependentperformanceauditoftheinformationsecurityprogramoftheExport‐ImportBank(EXIMBankortheBank)forfiscalyear(FY)2016,conductedbyCotton&CompanyLLP.TheobjectivewastodeterminewhetherEXIMBankdevelopedandimplementedeffectiveinformationsecurityprogramsandpracticesasrequiredbytheFederalInformationSecurityModernizationActof2014(FISMA).
Scope and Methodology
TodeterminewhetherEXIMBankdevelopedandimplementedeffectiveinformationsecurityprogramsandpracticesasrequiredbyFISMA,weevaluateditssecurityprogram,plans,policies,andproceduresinplacethroughoutFY2016foreffectivenessasrequiredbyapplicablefederallawsandregulationsandguidanceissuedbytheOfficeofManagementandBudget(OMB)andtheNationalInstituteofStandardsandTechnology(NIST).WeperformedareviewofeachoftheBank’sfourmajorsystems(FinancialManagementSystem–NextGeneration[FMS‐NG],InfrastructureGeneralSupportSystem[GSS],EXIMOnline,and )andperformeddetailedsteps,asoutlinedintheDepartmentofHomelandSecurity(DHS)FY2016InspectorGeneralFederalInformationSecurityModernizationActReportingMetricsV1.1.3,toevaluateEXIMBank’spolicies,procedures,andpracticesforkeyareassuchas(i)riskmanagement,(ii)contractorsystem,(iii)configurationmanagement,(iv)identityandaccessmanagement,(v)securityandprivacytraining,(vi)informationsecuritycontinuousmonitoring,(vii)incidentresponse,and(viii)contingencyplanning.
Inaddition,weassessedwhetherEXIMBankhadimplementedselectminimumsecuritycontrolsfromNISTSpecialPublication(SP)800‐53,Revision4,SecurityandPrivacyControlsforFederalInformationSystemsandOrganizations,foritsApplicationProcessingSystem(APS)andInfrastructureGSS,asrequiredbyFISMA.NISTSP800‐53,Rev.4organizessecuritycontrolsinto18securitycontrolfamilies(e.g.,accesscontrols,contingencyplanningcontrols).TheminimumsecuritycontrolstestedforAPSandtheInfrastructureGSSwerejudgmentallychosenfromselectedsecuritycontrolfamiliesthroughacollaborativeeffortbetweentheEXIMBankOIGandCotton&Company.SeeAppendixCforacompletelistofNISTcontrolsevaluated.
WeconductedinterviewswiththeChiefRiskOfficer(CRO),aswellaswithOfficeoftheChiefInformationOfficer(CIO)personnel.Wealsoreviewedpolicies,procedures,andpracticesforeffectivenessasprescribedbyNISTandOMBguidance,reviewedsystemdocumentationandevidence,andconductedtestingonEXIMBank’scontrols.Forboth
INTRODUCTION
(b) (7)(E)
2
AUDIT REPORT OIG-AR-17-04
tasks,wefullydocumentedourtestingmethodologythroughthecreationofaplanningmemorandumandauditworkprograms.
WeconductedtheauditonsiteatEXIMBankinWashington,DC,aswellasremotelyattheCotton&CompanyofficeinAlexandria,VA,withfieldworkfromMaytoDecember2016.Cotton&CompanyconductedthisperformanceauditinaccordancewithGenerallyAcceptedGovernmentAuditingStandards(GAGAS),asestablishedintheGovernmentAccountabilityOffice’s(GAO’s)GovernmentAuditingStandards,December2011Revision.Thosestandardsrequirethatweplanandperformtheaudittoobtainsufficient,appropriateevidencetoprovideareasonablebasisforourfindingsandconclusionsbasedonourauditobjectives.Webelievethattheevidenceobtainedprovidesareasonablebasisforourfindingsandconclusionsbasedonourauditobjectives.WediscussedourobservationsandconclusionswithmanagementofficialsonJanuary11,2017,andincludedtheircommentswhereappropriate.
SeeAppendixAfordetailsoffederallaws,regulations,policies,andguidance,andforadiscussionofpriorauditcoverage.
Background
TheExport‐ImportBankoftheUnitedStatesisanindependent,self‐sustainingexecutiveagencyandawholly‐ownedUnitedStatesgovernmentcorporation.EXIMBank’scharter,TheExportImportBankActof1945,asamendedthroughPublicLaw114‐94,December4,2015,states:
It is the policy of the United States to foster expansion of exports ofmanufactured goods, agricultural products, and other goods andservices, thereby contributing to the promotion and maintenance ofhigh levels of employment and real income, a commitment toreinvestment and job creation, and the increased development of theproductiveresourcesoftheUnitedStates.
Tofulfillitscharter,EXIMBankassumesthecreditandcountryrisksthattheprivatesectorisunableorunwillingtoaccept.TheBankauthorizesworkingcapitalguarantees,export‐creditinsurance,loanguarantees,anddirectloanstocountertheexportfinancingprovidedbyforeigngovernmentsonbehalfofforeigncompaniesandhelpU.S.exportersremaincompetitive.Themajormission‐criticalsystemssupportingtheseprogramsandtheBank’smissionare:
1. FinancialManagementSystem–NextGeneration(FMS‐NG)
2. InfrastructureGeneralSupportSystem(GSS)
3. EXIMOnline(EOL)
4. (b) (7)(E)
3
AUDIT REPORT OIG-AR-17-04
EXIMBank’snetworkinfrastructureconsistslargelyofnetworkingdeviceswithvariousserversrunningdifferentoperatingsystemplatforms.Standarddesktoppersonalcomputersandlaptopsrun Thenetworksareprotectedfromexternalthreatsbyarangeofinformationtechnologysecuritydevices,includingdatalosspreventiontoolssuchasfirewalls,intrusiondetectionandpreventionsystems,antivirus,andspam‐filteringsystems.
FederalLaws,Roles,andResponsibilities.OnDecember17,2002,thePresidentsignedintolawtheE‐GovernmentAct(PublicLaw107‐347),whichincludedtheFederalInformationSecurityManagementActof2002.FISMA,asamended,1permanentlyreauthorizedtheframeworkestablishedintheGovernmentInformationSecurityReformActof2000(GISRA),whichexpiredinNovember2002.FISMAcontinuestheannualreviewandreportingrequirementsintroducedinGISRA.Inaddition,FISMAincludesnewprovisionsaimedatfurtherstrengtheningthesecurityofthefederalgovernment’sinformationandinformationsystems,suchasthedevelopmentofminimumstandardsforagencysystems.NISThasbeentaskedtoworkwithfederalagenciesinthedevelopmentofthosestandards.ThestandardsandguidelinesareissuedbyNISTasFederalInformationProcessingStandards(FIPS)andSPs.FIPSprovidetheminimuminformationsecurityrequirementsthatarenecessarytoimprovethesecurityoffederalinformationandinformationsystems,andtheSP800andselected500seriesprovidecomputersecurityguidelinesandrecommendations.Forinstance,FIPSPublication200,MinimumSecurityRequirementsforFederalInformationandInformationSystems,requiresagenciestoadoptandimplementtheminimumsecuritycontrolsdocumentedinNISTSP800‐53.
Federalagenciesarerequiredtodevelop,document,andimplementanagency‐wideinformationsecurityprogramtoprotecttheirinformationandinformationsystems,includingthoseprovidedormanagedbyanotheragency,contractor,orsource.FISMAprovidesacomprehensiveframeworkforestablishingandensuringtheeffectivenessofmanagement,operational,andtechnicalcontrolsoverinformationtechnologythatsupportoperationsandassets.FISMAalsoprovidesamechanismforimprovedoversightoffederalagencyinformationsecurityprograms,asitrequiresagencyheads,incoordinationwiththeirCIOsandSeniorAgencyInformationSecurityOfficers,toreportthesecuritystatusoftheirinformationsystemstoDHSandOMBthroughCyberScope.CyberScope,operatedbyDHSonbehalfofOMB,replacesthelegacypaper‐basedsubmissionprocessandautomatesagencyreporting.Inaddition,OfficesofInspectorsGeneral(OIGs)provideanindependentassessmentofwhethertheagencyisapplyingarisk‐basedapproachtoitsinformationsecurityprogramsandinformationsystems.OIGsmustalsoreporttheirresultstoOMBannuallythroughCyberScope.
1TheFederalInformationSecurityModernizationActof2014amendsFISMA2002to:(1)reestablishtheoversightauthorityoftheDirectorofOMBwithrespecttoagencyinformationsecuritypoliciesandpractices,and(2)setforthauthorityfortheSecretaryofHomelandSecurity(DHS)toadministertheimplementationofsuchpoliciesandpracticesforinformationsystems.
(b) (7)(E)
4
AUDIT REPORT OIG-AR-17-04
FY2016OIGFISMAMetrics.OnJuly29,2016,DHSissuedFY2016InspectorGeneralFederalInformationSecurityModernizationActReportingMetricsV1.1(themetrics).2DHScreatedthemetricsforInspectorsGeneral(IGs)touseinconductingtheirannualindependentevaluationstodeterminetheeffectivenessoftheinformationsecurityprogramandpracticesoftheirrespectiveagency.ThemetricsareorganizedaroundthefiveinformationsecurityfunctionsoutlinedintheNISTCybersecurityFrameworkandareintendedtoprovideagencieswithacommonstructureforidentifyingandmanagingcybersecurityrisksacrosstheenterpriseandprovideIGswithguidanceforassessingthematurityofcontrolstoaddressthoserisks.SeeTable1belowforadescriptionoftheNISTCybersecurityFrameworkSecurityFunctionsandtheassociatedFY2016IGFISMAMetricDomains.
Table1.AligningtheCybersecurityFrameworkSecurityFunctionstotheFY2016IGFISMAMetricDomains
CybersecurityFrameworkSecurityFunctionsFY2016
IGFISMAMetricDomainsIdentify–Theorganization’sabilitytomanageandunderstandcybersecurityrisktosystems,assets,data,andcapabilities.
RiskManagementandContractorSystems
Protect–Theabilitytodevelopandimplementtheappropriatesafeguardstoensuredeliveryofcriticalinfrastructureservices.
ConfigurationManagement,IdentityandAccessManagement,andSecurityandPrivacyTraining
Detect–Theabilitytodevelopandimplementtheappropriateactivitiestoidentifytheoccurrenceofacybersecurityevent.
InformationSecurityContinuousMonitoring
Respond–Theabilitytodevelopandimplementtheappropriateactivitiestotakeactionregardingadetectedcybersecurityevent.
IncidentResponse
Recover–Theabilitytodevelopandimplementtheappropriateactivitiestomaintainplansforresilienceandtorestoreanycapabilitiesorservicesthatwereimpairedduetoacybersecurityevent.
ContingencyPlanning
IntheFY2015InspectorGeneralFederalInformationSecurityModernizationActReportingMetrics,theCounciloftheInspectorsGeneralonIntegrityandEfficiency(CIGIE)developedamaturitymodelforevaluatingagencies’InformationSecurityContinuousMonitoringprogram.Thepurposeofthismaturitymodelwasto(1)summarizethestatusofagencies’informationsecurityprogramsandtheirmaturityonafive‐levelscale;(2)providetransparencytoagencyCIOs,seniormanagementofficials,andotherinterestedreadersofIGFISMAreportsregardingwhathasbeenaccomplishedandwhatstillneedstobe
2DHSreleasedthefinalversionoftheFY2016InspectorGeneralFederalInformationSecurityModernizationActReportingMetrics,version1.1.3,onSeptember26,2016.
5
AUDIT REPORT OIG-AR-17-04
implementedtoimprovetheinformationsecurityprogram;and(3)helpensureconsistencyintheannualIGFISMAevaluations.
InadditiontoupdatingthemetricstobetteralignwiththeCybersecurityFrameworkin2016,DHScontinuedtheeffortbeguninFY2015bydevelopingamaturitymodelfortheIncidentResponsedomain,undertheRespondfunctionoftheCybersecurityFramework.ThismaturitymodelsupplementstheInformationSecurityContinuousMonitoringmaturitymodelintroducedin2015,whichmapstotheDetectfunctionoftheCybersecurityFramework.DHShasnotyetdevelopedmaturitymodelsfortheremainingthreefunctionsoftheCybersecurityFramework(i.e.,Identify,Protect,andRecover);however,ithasdevelopedMaturityModelIndicators(Level1‐5assessments)forthosedomains.Theseindicatorsactasasteppingstone,allowingIGstoreachpreliminaryconclusionssimilartothoseachievablewithafullydevelopedmodel.
Thematuritymodelconceptpresentsacontinuumforagenciestomeasuretheirprogressinbuildinganeffectiveinformationsecurityprogram.Thematuritymodelincludesfivelevels,asdescribedinTable2below.AgencieswithprogramsthatscoreatorabovetheManagedandMeasureablelevel(Level4)foraNISTFrameworkFunctionhaveeffectiveprogramswithinthatarea,inaccordancewiththedefinitionofeffectivenessincludedinNISTSP800‐53,Rev.4.
Table2.CapabilityMaturityModelContinuumMaturityLevel Description
Level1:Ad‐hoc Thefunctionalprogram(identify,protect,detect,respond,orrecover)isnotformalizedandtheorganizationperformsfunctionactivitiesinareactivemanner,resultinginanadhocprogramthatdoesnotmeetLevel2requirementsforadefinedprogram.
Level2:Defined Theorganizationhasformalizeditsfunctionalprogramthroughthedevelopmentofcomprehensivefunctionpolicies,procedures,andstrategiesconsistentwithNISTguidanceandotherregulatoryguidance;however,ithasnotconsistentlyimplementedthefunctionpolicies,procedures,andstrategiesorganization‐wide.
Level3:ConsistentlyImplemented
Inadditiontoformalizinganddefiningitsfunctionalprogram(Level2),theorganizationconsistentlyimplementsthefunctionalprogramacrosstheagency;however,itdoesnotcapturequalitativeandquantitativemeasuresanddataontheeffectivenessofthefunctionalprogramacrosstheorganization,orusethesemeasuresanddatatomakerisk‐baseddecisions.
Level4:ManagedandMeasurable
Inadditiontobeingconsistentlyimplemented(Level3),functionalactivitiesarerepeatable,andtheorganizationusesmetricstomeasureandmanagetheimplementationofthefunctionalprogram,achievesituationalawareness,controlongoingrisk,andperformongoingsystemauthorizations.
6
AUDIT REPORT OIG-AR-17-04
MaturityLevel DescriptionLevel5:Optimized Inadditiontobeingmanagedandmeasurable(Level4),the
organization’sfunctionalprogramisinstitutionalized,repeatable,self‐regenerating,andupdatedinanearreal‐timebasisbasedonchangesinbusiness/missionrequirementsandachangingthreatandtechnologylandscape.
7
AUDIT REPORT OIG-AR-17-04
TheobjectiveofthisauditwastodeterminewhetherEXIMBankdevelopedandimplementedeffectiveinformationsecurityprogramsandpracticesasrequiredbyFISMA.WenotedthatEXIMBankaddressedseveralofthechallengesidentifiedduringpreviousFISMAaudits.Specifically,EXIMmanagement:
Fullyimplementedtheuseofpersonalidentityverification(PIV)cardsforlogicalsystemaccess.
ImprovedcontrolsaroundtheaccountmanagementprocessesfortheInfrastructureGSSbyensuringthataccountsdonotremainactiveforindividualswhohavenotloggedinwithin90days;accountsforseparatedindividualsdonotremainactive;andEXIMBankperiodicallyreviewsaccountsforappropriateness.
ImprovedremoteaccesscontrolstoensurethatremoteusersaretimedoutordisconnectedfromtheEXIMBanknetworkafteraperiodofinactivity,inaccordancewithEXIMBankpolicy.
AdequatelydocumentedandupdateditsconfigurationmanagementplansforitsInfrastructureGSSand systems.
Nevertheless,wefoundthatEXIMBank’sinformationsecurityprogramandpracticesarenoteffectiveoverall.
EXIMBankhasnoteffectivelyimplementedamatureinformationsecurityprogram.Specifically,theBank’scurrentInformationSecurityContinuousMonitoring(ISCM)andIncidentResponse(IR)policies,plans,procedures,andstrategiesarenotconsistentlyimplementedorganization‐wide,impactingthematurityandeffectivenessofitsoverallinformationsecurityprogram.
DHSsignificantlyrevisedtheIGreportingmetricsforagenciesinFY2016,whichresultedinmorerigorousevaluationcriteriaandassessmentsthaninpreviousyears.WhenevaluatingEXIMBank’sinformationsecuritymeasurementprogramagainsttheDHSFY2016IGFISMAmetrics,afive‐levelmaturitymodelscale,wefoundthatonlyoneofthefiveNISTCybersecurityFrameworkareas,theRecoverdomain,waseffectivelyimplementedconsistentwithFISMArequirementsandapplicableDHSandNISTguidelines(i.e.,wasatLevel4orhigher).Theremainingframeworkareas–Identify,Protect,Detect,andRespond–werenoteffectivelyimplemented(i.e.,wereatLevel3orbelow).PerDHS’FY2016IGFISMAmetricsguidelines,onlyagencyprogramsthatscoredatorabovetheManagedandMeasureablelevel(Level4)foraNISTFrameworkFunctionhaveeffectiveprogramswithinthatarea.EXIMBank’soverallscoreforitsinformationsecurityprogram
RESULTS
Information about specific vulnerabilities in IT systems has been redacted from the publicly released version of this report. The redacted information is sensitive and its disclosure in a widely distributed report might cause loss to Export-Import Bank of the United States. We have provided that information in a separate report intended solely for the information and use of the Export-Import Bank of the United States.
(b) (7)(E)
8
AUDIT REPORT OIG-AR-17-04
wasLevel2:Defined,whichdoesnotrepresentaneffectiveprogram.AsummaryoftheresultsfortheDHSFY2016IGFISMAMetricsisinAppendixD.
TheseweaknessesexistbecausemanagementhasnotdevelopedandimplementedmanageableandmeasurablemetricstoconsistentlyevaluateandimprovetheeffectivenessoftheBank’sinformationsecurityprogram.Additionally,managementhasnotperformedanassessmentofthematurityofitsinformationsecurityprogramtodeterminewhatimprovementsarenecessarytoachieveafullymeasurableprogram.Bynothavingamatureandeffectiveinformationsecurityprogram,EXIMBankmanagementisatincreasedriskofoperatingwithoutafullunderstandingofitsriskposture,includingpotentialvulnerabilitiestowhichitsinformationsystemsmaybesusceptible.
Wenotedanumberofnewchallengesidentifiedinthisyear’sFISMAaudit.WhiletheBankeffectivelyimplemented11ofthe14NISTSP800‐53,Rev.4controlsthatwetestedfortheAPSandtheInfrastructureGSS,weidentifiedseveralsignificantareasforimprovement.Specifically,Bankmanagement:
Hasnotimplementedappropriatesecuritycontrolsover usedtoaccessEXIMBankdata.(2014prior‐yearfinding)
DidnoteffectivelyremediatePlanofActionandMilestones(POA&M)itemsinatimelymanner.(2015prior‐yearfinding)
Hasnoteffectivelydocumentedsecurityagreementswiththird‐partyserviceproviders.
Hasnoteffectivelyimplementedavulnerabilitymanagementprogram. Hasnoteffectivelyimplementedbaselineconfigurationsanddocumenteddeviations
forinformationtechnology(IT)products. Hasnoteffectivelyimplementedaccessmanagementcontrols. Hasnoteffectivelyimplementedarole‐basedtrainingprogram. Hasnoteffectivelyimplementedcontrolsaroundtheuseofsharedsystemaccounts. HasnoteffectivelyimplementedaccountmanagementcontrolsfortheAPS
application. Hasnoteffectivelyimplementedsoftwarelicensemanagementcontrols.
Wepartiallyreissuedtwoprior‐yearrecommendationsandmadeninenewrecommendationstoaddresstheaboveissues.Theserecommendations,ifimplemented,shouldstrengthenEXIMBank’sinformationsecurityprogramandpractices.EXIMBankmanagement’sresponsestothefindingsidentifiedinourauditareincludedwithinthereportandinAppendixB.
Finding: EXIM Bank Should Improve the Maturity of Its Information Security Program
EXIMBankhasnoteffectivelyimplementedamatureinformationsecurityprogram.Specifically,theBank’scurrentISCMandIRpolicies,plans,procedures,andstrategiesare
(b) (7)(E)
9
AUDIT REPORT OIG-AR-17-04
notconsistentlyimplementedorganization‐wide,impactingthematurityandeffectivenessofitsoverallinformationsecurityprogram.
DHSsignificantlyrevisedtheIGreportingmetricsforagenciesinFY2016,whichresultedinmorerigorousevaluationcriteriaandrequirementsthanpreviousyears.WhenevaluatingEXIMBank’sinformationsecurityprogramagainsttheDHSFY2016IGFISMAmetrics,afive‐levelmaturitymodelscale,wefoundthatonlyoneofthefiveNISTCybersecurityFrameworkareas,theRecoverdomain,waseffectivelyimplementedconsistentwithFISMArequirementsandapplicableDHSandNISTguidelines(i.e.,wasatLevel4:ManagedandMeasureableorhigher).Theremainingframeworkareas–Identify,Protect,Detect,andRespond–werenoteffectivelyimplemented(i.e.,wereatLevel3orbelow).
EXIMBank’soverallmaturitylevelforitsinformationsecurityprogramscoredatLevel2:Defined.WenotedseveralareasforimprovementinthematurityoftheDetect(ISCM)andRespond(IR)domains,asdescribedbelow.Additionally,whileweidentifiedweaknesseswithsecuritycontrolswithintheIdentify(RiskManagementandContractorSystems)andProtect(ConfigurationManagement,IdentityandAccessManagement,andSecurityandPrivacyTraining)domains,theseweresecurityweaknessesthatindividuallyimpactedtheeffectivenessoftheBank’sinformationsecurityprogramandrequiredspecificrecommendations.Asaresult,thoseweaknessesareaddressedintheremainingfindingsandrecommendationsofthisreport,andnotaspartofthisfinding.
AreasforimprovementintheDetectdomainincludethefollowing:
o TheBankiscurrentlyintheprocessoffillingtwoITSecuritypositionstoimprovethemanagementandeffectivenessoftheISCMprogram.Thesepositionshaveyettobefilled,limitingtheresources(people,processes,andtechnology)toeffectivelyimplementISCMactivities.ThisalsoappliestotheIRprocessdiscussedbelowintheResponddomainareasforimprovement.
o TheorganizationhasnotdefinedhowitwillintegrateISCMactivitieswithorganizationalrisktolerance,thethreatenvironment,andbusiness/missionrequirements.
o ISCMprocessesarenotconsistentlyperformedacrosstheorganization.
o EXIMBank’squalitativeandquantitativeperformancemeasuresusedtoevaluatetheeffectivenessofitsISCMprogramarenotconsistentlycaptured,analyzed,andusedacrosstheorganizationinaccordancewithestablishedrequirementsfordatacollection,storage,analysis,retrieval,andreporting.
o EXIMBankdoesnothaveformalizedordefinedprocessesforcollectingandconsideringlessonslearnedtoimproveISCMprocesses.
10
AUDIT REPORT OIG-AR-17-04
o EXIMBankhasnotfullyimplementedtechnologyinautomationareasandcontinuestorelyonmanual/proceduralmethodsininstanceswhereautomationwouldbemoreeffective.Inaddition,whileautomatedtoolsareimplementedtosupportsomeISCMactivities,thetoolsarenotinteroperable.
AreasforimprovementintheResponddomainincludethefollowing:
o TheBankhasnotdefinedhowitwillintegrateIRactivitieswithorganizationalriskmanagement,continuousmonitoring,continuityofoperations,andothermission/businessareas,asappropriate.
o TheBankhasnotdefinedhowitwillcollaboratewithDHSandotherparties,asappropriate,toprovideon‐site,technicalassistance/surgeresources/specialcapabilitiesforquicklyrespondingtoincidents.
o TheBankhasnotidentifiedordefinedthequalitativeandquantitativeperformancemeasuresthatwillbeusedtoassesstheeffectivenessoftheIRprogram,performtrendanalysis,achievesituationalawareness,andcontrolongoingrisk.
o TheBankhasnotdefineditsprocessesforcollectingandconsideringlessonslearnedandincidentdatatoimprovesecuritycontrolsandIRprocesses.
o TheBankhasnotfullyimplementedautomationtechnologiestosupportitsIRprocessesandcontinuestorelyonmanual/proceduralmethodsininstanceswhereautomationwouldbemoreeffective.Inaddition,whileautomatedtoolsareimplementedtosupportsomeIRactivities,thetoolsarenotinteroperabletotheextentpracticable,donotcoverallcomponentsoftheorganization’snetwork,and/orhavenotbeenconfiguredtocollectandretainrelevantandmeaningfuldataconsistentwiththeorganization’sincidentresponsepolicy,plans,andprocedures.
o
o TheBankhasnotestablished,anddoesnotconsistentlymaintain,acomprehensivebaselineofnetworkoperationsandexpecteddataflowsforusersandsystems.
TheseweaknessesexistbecausemanagementhasnotdevelopedandimplementedmanageableandmeasurablemetricstoconsistentlyevaluateandimprovetheeffectivenessoftheBank’sinformationsecurityprogram.Additionally,managementhasnotperformedanassessmentofthematurityofitsinformationsecurityprogramtodeterminewhatimprovementsarenecessarytoachieveafullymeasurableprogram.
(b) (7)(E)
11
AUDIT REPORT OIG-AR-17-04
Bynothavingamatureandeffectiveinformationsecurityprogram,EXIMBankmanagementisatincreasedriskofoperatingwithoutafullunderstandingofitsriskposture,includingpotentialvulnerabilitiestowhichitsinformationsystemsmaybesusceptible.
Thefollowingguidanceisrelevanttothiscontrolactivity:
OMBM‐17‐05,FiscalYear2016‐2017GuidanceonFederalInformationSecurityandPrivacyManagementRequirements,datedNovember4,2016,states:
InFY2016,theFISMAmetricswerealignedtothefivefunctionsoutlinedintheNationalInstituteofStandardsandTechnology's(NIST)FrameworkforImprovingCriticalInfrastructureCybersecurity:Identify,Protect,Detect,Respond,andRecover.TheNISTCybersecurityFrameworkisarisk‐basedapproachtomanagingcybersecurity,whichisrecognizedbybothgovernmentandindustryandprovidesagencieswithacommonstructureforidentifyingandmanagingcybersecurityrisksacrosstheenterprise.Additionally,OMBworkedwithDHS,theFederalChiefInformationOfficer(CIO)Council,andtheCouncilofInspectorsGeneralonIntegrityandEfficiencytoensureboththeCIOmetricsandInspectorsGeneralmetricsalignwiththeCybersecurityFrameworkandprovidecomplementaryassessmentsoftheeffectivenessofagencies'informationsecurityprograms.
FederalagenciesaretoreportalloftheircybersecurityperformanceinformationthroughDHS'sCyberScopereportingsystem.
NISTSP800‐55,Rev.1,PerformanceMeasurementGuideforInformationSecurity,datedJuly2008,states:
Anumberofexistinglaws,rules,andregulations—includingtheClinger‐CohenAct,theGovernmentPerformanceandResultsAct(GPRA),theGovernmentPaperworkEliminationAct(GPEA),andtheFederalInformationSecurityManagementAct(FISMA)–citeinformationperformancemeasurementingeneral,andinformationsecurityperformancemeasurementinparticular,asarequirement.Inadditiontolegislativecompliance,agenciescanuseperformancemeasuresasmanagementtoolsintheirinternalimprovementeffortsandlinkimplementationoftheirinformationsecurityprogramstoagency‐levelstrategicplanningefforts.
Thefollowingfactorsmustbeconsideredduringdevelopmentandimplementationofaninformationsecuritymeasurementprogram: Measuresmustyieldquantifiableinformation(percentages,averages,and
numbers); Datathatsupportsthemeasuresneedstobereadilyobtainable; Onlyrepeatableinformationsecurityprocessesshouldbeconsideredfor
measurement;and Measuresmustbeusefulfortrackingperformanceanddirectingresources.
12
AUDIT REPORT OIG-AR-17-04
… Thetypesofmeasuresthatcanrealisticallybeobtained,andthatcanalsobeusefulforperformanceimprovement,dependonthematurityoftheagency’sinformationsecurityprogramandtheinformationsystem’ssecuritycontrolimplementation.Althoughdifferenttypesofmeasurescanbeusedsimultaneously,theprimaryfocusofinformationsecuritymeasuresshiftsastheimplementationofsecuritycontrolsmatures.
Recommendation, Management’s Response, and Evaluation of Management’s Response
Recommendation1:
WerecommendthattheEXIMBankCIO:
a. PerformanassessmentofEXIMBank’scurrentinformationsecurityprogramtoidentifythecost‐effectivesecuritymeasuresrequiredtoachieveafullymatureprogram.
b. ImplementappropriateprocessesandprocedurestoimprovetheinformationsecurityprogramandalignitwithLevel4:ManagedandMeasurableIGmetrics.
Management’sResponse:
TheBankconcurswiththisrecommendation.
TheBank’sOfficeofChiefInformationOfficer(OCIO)willperformanassessmentofEXIMBank’scurrentinformationsecurityprogramtoidentifythecost‐effectivesecuritymeasuresrequiredtoachieveafullymatureprogram.
OCIOwillconductagapanalysisandoncethesegapsareidentified,theywillbetriagedonthosegapsthatareatahigherlevelofprioritythanothersandwillthenestimatethecostandlevelofeffortrequiredtoclosethesegaps.Theimplementationwillbeamulti‐yeareffort.TheBank’sOCIOanticipateshavingapreparedassessmentandinitialplanbySeptember1,2017.
Regardingthesecondpartoftherecommendation,OCIOwilldevelopprocessesandproceduresrequiredtoenhancetheBank’sITsecurityprograminordertoachievelevel4intheMaturityModelacrosstheboard.
EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequatelyensurethattheBankperformsanassessmentofitscurrentinformationsecurityprogramtoidentifysecuritymeasurestoachieveafullymaturesecurityprogram,aswellastoimprovethesecurityprogramtoalignitwithLevel4:ManagedandMeasurableIGmetrics.
13
AUDIT REPORT OIG-AR-17-04
Finding: EXIM Bank Should Improve Security Controls over
TheFY2014FISMAauditidentifiedthefollowingweaknessesrelatedtothesecurityof:
EXIMBankemployeeswereabletouse toaccesstheirEXIMBankemail,
While weregenerallyprohibitedfromaccessingtheBank’sinternalresources,therewerespecialinstancesinwhich hadbeenconfiguredtodoso.WenotedthatEXIMBankdidnothaveinplacepolicy,procedures,orconfigurationguidancetoensurethatthesespecialinstanceswereapprovedandthat securedbeforeconnecting.
TheBankdidnothavecontrolsinplacetoenforce
FY2016testingnotedthattheBankacquired managementsoftwaretoallowtheCIOtomonitorandenforcesecuritycontrolson
Additionally,EXIMimplementedsecuritycontrolstoprevent fromaccessingtheBank’sinternalresources.Thetestingthereforeconfirmedthatthefirsttwoweaknessesidentifiedin2014weresuccessfullyremediated.
However,the2016auditfoundthattheweaknessoriginallyidentifiedinFY2014relatedtohasnotyet
beencompletelyremediated.FY2016testingfoundthatthe managementsoftwaredeployedbytheBankisable
3
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
14
AUDIT REPORT OIG-AR-17-04
Withoutpropersecuritycontrolsoverall ,thereisincreasedriskthatdatastored couldbecompromisedoraccessedbyunauthorizedindividuals.
Thefollowingguidanceisrelevanttothiscontrolactivity:
NISTSP ,states:
NISTSP :
NISTSP states:
FIPS states:
Recommendation, Management’s Response, and Evaluation of Management’s Response
Recommendation:
InourFY2014FISMAauditreport,werecommendedthattheEXIMBankCIOdeploycontrolsthat:
a.
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
15
AUDIT REPORT OIG-AR-17-04
b. Restricttheinstallationofunapprovedormalicioussoftware.
c. Preventunauthorized fromconnectingtointernalEXIMBankresources.
AsofFY2016,RecommendationAremainsopen;wearethereforenotissuinganynewrecommendationsrelatedtothisfinding.SeeAppendixAforacompletelistingofthestatusofprior‐yearFISMAauditfindings.Management’sResponse:
TheBankconcurswiththisrecommendation.OCIOwilladdress#1oftheremainingopenrecommendationto
heBankexpectstohavethiseffortcompletedbyApril1,2017.
EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequately
Finding: EXIM Bank Should Improve Controls over Its Plan of Action & Milestones Process
AsinitiallyidentifiedinourFY2015FISMAauditreport,wefoundduringourFY2016testingthatcontrolsremainedinadequatetoensurethatappropriatePOA&Mmanagementcontrolsareinplace.Specifically,wenotedthefollowing:
Forthe theBankhadnotresolved andthescheduledcompletiondatespassedwithnomilestoneupdates.
For ,theBankhadnotstartedaddressing ,andthescheduledcompletiondatepassedwithnomilestoneupdates.
ManagementstatedthattheywereawarethatthePOA&MshadpassedtheirscheduledcompletiondatesbutdidnotwanttochangetheoriginalscheduledcompletiondatesuntiltheBankhaddeterminednewremediationplans.PerEXIMpolicy,notationsforanymodificationstotheoriginalPOA&Mentryormilestonesaretobemadeseparatelyandidentifiedas“changestomilestones”;however,testingnotedthatthesemodificationswerenotbeingdocumentedasrequired.WithoutadequatePOA&Mmanagement,theBankmayremainexposedtoknownvulnerabilitiesthatcouldbeexploitedbyinternalandexternalthreats.
(b) (7)(E)
(b) (7)(E) (b) (7)(E)
(b) (7)(E) (b) (7)(E)
(b) (7)(E)
(b) (7)(E)
16
AUDIT REPORT OIG-AR-17-04
Thefollowingguidanceisrelevanttothiscontrolactivity:
EXIMPOA&MPolicy,version04,effectiveMarch10,2016states:
6.11Reportingonremediationprogressmustbeaccomplishednotlessfrequentlythanquarterly.
6.12OncethePOA&Mhasbeenreported,changesarenottobemadetotheoriginaldescriptionoftheweakness,keymilestonesandscheduledcompletiondates,orsource.Notationsforanymodificationstotheoriginalentryaretobemadeseparatelyandidentifiedas“ChangestoMilestones.”
NISTSP800‐53,Rev.4,CA‐5,PlanofAction&Milestones,states:
Control:Theorganization:a.Developsaplanofactionandmilestonesfortheinformationsystemtodocumenttheorganization’splannedremedialactionstocorrectweaknessesordeficienciesnotedduringtheassessmentofthesecuritycontrolsandtoreduceoreliminateknownvulnerabilitiesinthesystem;andb.Updatesexistingplanofactionandmilestones[Assignment:organization‐definedfrequency]basedonthefindingsfromsecuritycontrolsassessments,securityimpactanalyses,andcontinuousmonitoringactivities.
NISTSP800‐53,Rev.4,PM‐4,PlanofAction&MilestonesProcess,states:
Control:Theorganization:a.Implementsaprocessforensuringthatplansofactionandmilestonesforthesecurityprogramandassociatedorganizationalinformationsystems:
1.Aredevelopedandmaintained;2.Documenttheremedialinformationsecurityactionstoadequatelyrespondtorisktoorganizationaloperationsandassets,individuals,otherorganizations,andtheNation;and3.ArereportedinaccordancewithOMBFISMAreportingrequirements.
b.Reviewsplansofactionandmilestonesforconsistencywiththeorganizationalriskmanagementstrategyandorganization‐wideprioritiesforriskresponseactions.
Recommendation, Management’s Response, and Evaluation of Management’s Response
Recommendation:
InourFY2015FISMAauditreport,werecommendedthattheEXIMBankCIOimplementaprocesstoensurethattheBankreviewsallsystemPOA&Msatanorganization‐definedfrequency,andthatitupdatesmilestonestoreflectactionstakentoremediatePOA&Mitems.
17
AUDIT REPORT OIG-AR-17-04
AsofFY2016,therecommendationnotedremainsopen;wearethereforenotissuinganynewrecommendationsrelatedtothisfinding.SeeAppendixAforacompletelistingofthestatusofprior‐yearFISMAauditfindings.
Management’sResponse:
TheBankconcurswiththisrecommendation.TheBank’sOCIOwillimplementaprocesstoreviewandupdatesystemPOA&MsbyaddinganewcolumntoourPOA&Mtrackingspreadsheettoprovideup‐to‐dateinformationregardingopenPOA&Mswhichareatriskofnotmeetingtheirscheduledcompletiondatesandforwhichanapprovedremediationplandoesnotyetexist.ThiswillpermitmanagementtomakethePOA&Mprocessconsistent,whilemakingittransparentwhenaremediationisnotcompletedwhenplanned.ThenewinformationcolumninthePOA&MspreadsheetwillbeaddedandinusebyMarch15,2017.
EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequatelyensurethattheBankreviewsallsystemPOA&Msatanorganization‐definedfrequency,andthatitupdatesmilestonestoreflectactionstakentoremediatePOA&Mitems.
Finding: EXIM Bank Should Improve Controls over Agreements with Third-Party Service Providers
ControlsarenotadequatetoensurethatEXIMBank’sagreementsspecifyhowinformationsecurityperformanceismeasured,reported,andmonitoredoncontractororotherentity‐operatedsystems,asappropriate.Specifically,wenotedthatEXIMBankcurrentlyhasaMemorandumofUnderstandingwiththeGeneralServicesAdministration(GSA)forseveralHumanResources(HR)andpayroll‐relatedservices.However,theexistingagreementsdonotidentifyhowinformationsecurityperformanceshouldbemeasured,reported,andmonitored.EXIMmanagementstatedthatGSAisoneofalimitednumberofagenciesthatprovidetheseservices,whichEXIMBankisrequiredtouse,andthattheBankhaslimitedleverageregardingtheinformationdocumentedintheagreement.EXIMmanagementalsostatedthatitperiodicallyreviewstheGSAsystemsecurityplanforthesystemtogainassurancethatGSAisappropriatelyimplementingasecurityprogramconsistentwithFISMArequirements;however,theBankdoesnotperformthisreviewinaccordancewithadefinedfrequency.Withoutdocumentingrequirementsrelatedtosecurityperformancemeasurement,reporting,andmonitoringwithintheestablishedagreement,thereisanincreasedriskthatEXIMBankmaybeunawareofthesecurityrisksoveritsdata.Thefollowingguidanceisrelevanttothiscontrolactivity:
18
AUDIT REPORT OIG-AR-17-04
EXIMInfrastructureGSSSSP,SA‐9,ExternalInformationSystemServices,states:
TheBank:a. Requiresthatprovidersofexternalinformationsystemservices(ExchangeOnline)
complywithorganizationalinformationsecurityrequirementsandemploysapplicableFedRAMPand800‐53rev4ModeratelevelcontrolsinaccordancewithapplicableFISMA,OMBExecutiveOrders,directives,Ex‐ImBankpolicies,regulations,CISandUSGCBstandards,andNISTguidance;
b. incorporatessecurityrequirementsintocontracts,interagencyserviceagreements(ISA),andmemorandumsofunderstanding(MOU),anddocumentsintheserviceagreement,thegovernmentoversightanduserrolesandresponsibilitieswithregardtoexternalinformationsystemservices;
c. Employsorganization‐definedContinuousMonitoringprocessesmethods,andtechniquesdefinedintheCMPolicytomonitorsecuritycontrolcompliancebyexternalserviceprovidersonanongoingbasis.3rdPartyServiceProvidersarerequiredtopermitEx‐ImBanktheabilitytomonitorthecontractor’ssecuritycompliance,includingaccessrequiredtoauditandperformvulnerabilitytestingwithincontractorfacilitiesemployedunderthecontractandanysubcontracts.Ex‐ImBankmonitorssecuritycontrolsinaccordancewithrequirementdefinedinthisSSP.SecuritycontrolcomplianceismonitoredaspartoftheBank’scontinuousmonitoringactivities.
NISTSP800‐35,GuidetoInformationTechnologySecurityServices,section4.5.1,MonitorServiceProviderPerformance,states:
Thetargetssetforthintheserviceagreementshouldbecomparedwiththemetricsgathered.Althoughmetricswillprovideservice‐leveltargets,theorganizationmayalsowanttouseenduserevaluationsorcustomersatisfactionlevelsurveystoevaluateperformance.TheITsecuritymanagerswillhavetoworkwithotheroperationalmanagers(suchascustomerservicemanagers)toensurethattheserviceproviderismeetingservicetargets.TheITsecuritymanagersalsoneedtoensureserviceprovidersarecomplyingwithITsecuritypolicyandprocesses,aswellasapplicablelawsandregulations.ITsecuritymanagersmustensureduringtheoperationsphasethattheserviceproviderdoesnotcompromiseprivate,confidential,personal,ormission‐sensitivedata.Compliancereportswillhelpwiththiseffort.Theserviceagreementshouldhaveincludedclausesthatspecifypenaltiesand/orremediesfornoncomplianceandmanagementshouldemploythesewhentheserviceproviderdoesnotperformasthecontractdictates.
Recommendation, Management’s Response, and Evaluation of Management’s Response
Recommendation2:
19
AUDIT REPORT OIG-AR-17-04
WerecommendthattheEXIMBankCIOreviewandupdateallagreementswiththird‐partyserviceproviderstoensurethattheagreementsspecifyhowinformationsecurityperformanceismeasured,reported,andmonitored.
Management’sResponse:
TheBankconcurswiththisrecommendation.
TheBank’sOCIOhasreviewedtheagreementswithallthird‐partyserviceprovidersandhasfoundtheHumanResourcesandPayrollProcessingagreementwiththeGeneralServicesAdministrationistheonlysuchagreementmissingthelanguagerequestedwithintheOIG’srecommendation.Further,theBankisintheprocessofreviewingthedocumentationanddraftagreementswiththeInteriorBusinessCenterwhichwillreplacetheagreementwiththeGSA.TheBank’sOCIOwillensurethatthenewagreementwillspecifyhowinformationsecurityperformancewillbemeasured,reported,andmonitored.ThiseffortwillbecompletedbythedateofchangeovertotheIBCHRandpayrollprocessingsystem,anticipatedtobeJune2017.
EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequatelyensurethattheBankupdatesallagreementswiththird‐partyserviceproviderstoensurethattheyspecifyhowinformationsecurityperformanceismeasured,reported,andmonitored.
Finding: EXIM Bank Should Improve Controls over Its Vulnerability Management Program
ControlsarenotadequatetoensurethatEXIMBankremediatesknownconfiguration‐relatedvulnerabilitiesinatimelymanner.
.Asaresult,EXIMBank’soperationofthe
EXIMBankmanagementstatedthattheBankintendstodecommissionall
bytheendof2016,butwererequiredtocontinueoperatingthemuntilthenduetocurrentbusinessneeds.Bankmanagementalsoinformedusthatitwasnotprioritizingremediationof duetoanupcomingFY2017migrationto asthe wouldberemediatedbytheupcomingupgrade.
Operatinganenvironmentinwhich Inparticular,running
presentsriskfrombothasecurityandanoperationalperspective.(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E) (b) (7)(E)
(b) (7)(E)
(b) (7)(E)(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E) (b) (7)(E)
(b) (7)(E)
20
AUDIT REPORT OIG-AR-17-04
Thefollowingguidanceisrelevanttothiscontrolactivity:
EXIMBankVulnerabilityManagementProgram,datedJuly8,2016,states:
I.VulnerabilityScanningWecurrentlyuse forvulnerabilityscanning.
II.IdentificationandprioritizationofVulnerabilitiesIdentificationandprioritizationofpotentialvulnerabilitiesidentifiedinthescanningreportsisatimeandlaborintensivemanualprocess.ITsecurityspecialistsrevieweachreportforcritical,highandmoderatevulnerabilities;verifythattheyarenotfalsepositives;andselectconfirmedvulnerabilitiesforremediationand/orriskacceptance.Wehaverefinedthisprocesssothatwecanatleastavoidanalyzingrecurringvulnerabilitiesfoundbysubsequentscansbyrecordingrecurrentfindingsaseither“FalsePositive”or“authorizedexceptions”(whichappliestopotentialvulnerabilitiesforwhicharemediationdoesnotexistorforwhichtherecommendedremediationcannotbedeployedforsomebusinessorperformancereason).Authorizedexceptionsareauthorizedforaperiodoftime(uptooneyear),sothattheycannotbecomepermanentlyauthorized.III.Remediation
NISTSP800‐53,Rev.4,RA‐5,VulnerabilityScanning,states:
Theorganization:a.Scansforvulnerabilitiesintheinformationsystemandhostedapplications[Assignment:organization‐definedfrequencyand/orrandomlyinaccordancewithorganization‐definedprocess]andwhennewvulnerabilitiespotentiallyaffectingthesystem/applicationsareidentifiedandreported;b.Employsvulnerabilityscanningtoolsandtechniquesthatfacilitateinteroperabilityamongtoolsandautomatepartsofthevulnerabilitymanagementprocessbyusingstandardsfor:1.Enumeratingplatforms,softwareflaws,andimproperconfigurations;2.Formattingchecklistsandtestprocedures;and
(b) (7)(E)(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
21
AUDIT REPORT OIG-AR-17-04
3.Measuringvulnerabilityimpact;c.Analyzesvulnerabilityscanreportsandresultsfromsecuritycontrolassessments;d.Remediateslegitimatevulnerabilities[Assignment:organization‐definedresponsetimes]inaccordancewithanorganizationalassessmentofrisk;ande.Sharesinformationobtainedfromthevulnerabilityscanningprocessandsecuritycontrolassessmentswith[Assignment:organization‐definedpersonnelorroles]tohelpeliminatesimilarvulnerabilitiesinotherinformationsystems(i.e.,systemicweaknessesordeficiencies).
NISTSP800‐53,Rev.4,SI‐2,FlawRemediation,states:
Theorganization:a.Identifies,reports,andcorrectsinformationsystemflaws;b.Testssoftwareandfirmwareupdatesrelatedtoflawremediationforeffectivenessandpotentialsideeffectsbeforeinstallation;c.Installssecurity‐relevantsoftwareandfirmwareupdateswithin[Assignment:organization‐definedtimeperiod]ofthereleaseoftheupdates;andd.Incorporatesflawremediationintotheorganizationalconfigurationmanagementprocess.
Recommendation, Management’s Response, and Evaluation of Management’s Response
Recommendation3:
WerecommendthattheEXIMBankCIO:
a. Continuewiththeireffortsto toreducetheirexposuretovulnerabilitiesthatcannotberemediated.
b. thatexistacrossalloperatingplatformsintheBank’snetworkenvironment.
Management’sResponse:
TheBankconcurswiththisrecommendation.
InOctober2016,theBank’sOCIOcompletedtheir byremovingthe
.Additionally,theBank’sOCIOwill
ontheBank'snetwork.
EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeableto
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
22
AUDIT REPORT OIG-AR-17-04
adequatelyensurethattheBank
Finding: EXIM Bank Should Improve Controls over Baseline Configuration Implementation
ControlsarenotadequatetoensurethatEXIMBankimplementsbaselineconfigurationsforITsystemsinaccordancewithdocumentedprocedures,oridentifiesanddocumentsdeviationsfromconfigurationsettings.Specifically,weidentified thateachhad deviationsfromthedocumentedconfigurationsettings.EXIMmanagementwasunabletojustifythesedeviations.Inaddition,EXIMBankstilluses
EXIMmanagementstatedthatitisintheprocessofupgradingall andall andthatitwill
BankmanagementstatedthattheBankhadabusinessneedforeachbaselinedeviation;however,ithadnotcompletelydocumentedthesedeviationsforthe becausetheBankwasintheprocessofmigratingto inFY2017,whichwillfullyre‐baselinethesystems.
Withoutimplementingappropriatebaselineconfigurationsettingsorappropriatemanagementapprovalwheredeviationsarenecessary,EXIMisatincreasedriskofhavinginsecuresettings,whichcouldleadtoexploitsofknownvulnerabilities.
Thefollowingguidanceisrelevanttothiscontrolactivity:
NISTSP800‐53,Rev.4,CM‐6,ConfigurationSettings,states:
Control:Theorganization:a. Establishesanddocumentsconfigurationsettingsforinformationtechnology
productsemployedwithintheinformationsystemusing[Assignment:organization‐definedsecurityconfigurationchecklists]thatreflectthemostrestrictivemodeconsistentwithoperationalrequirements;
b. Implementstheconfigurationsettings;c. Identifies,documents,andapprovesanydeviationsfromestablishedconfiguration
settingsfor[Assignment:organization‐definedinformationsystemcomponents]basedon[Assignment:organization‐definedoperationalrequirements];and
d. Monitorsandcontrolschangestotheconfigurationsettingsinaccordancewithorganizationalpoliciesandprocedures.
(b) (7)(E)(b) (7)(E)
(b) (7)(E)(b) (7)(E)
(b) (7)(E)(b) (7)(E)
(b) (7)(E) (b) (7)(E)
(b) (7)(E)
(b) (7)(E) (b) (7)(E)
(b) (7)(E)
(b) (7)(E)
23
AUDIT REPORT OIG-AR-17-04
Recommendation, Management’s Response, and Evaluation of Management’s Response
Recommendation4:
WerecommendthattheEXIMBankCIO:
a. DocumentandimplementbaselineconfigurationsettingsforallinformationtechnologyproductsdeployedwithintheBank.
b. DocumentjustificationsorcompensatingcontrolsforanydeviationsfromestablishedbaselineconfigurationsettingsforeachoftheinformationtechnologyproductsdeployedwithintheBank.
Management’sResponse:
TheBankconcurswiththisrecommendation.
InFY2016,theBank’sOCIOdevelopedandimplementedpolicyandproceduresforchangeandconfigurationmanagementforallITsystems.InFY2017,theBank’sOCIOwilldevelopandimplementanindependentverificationprocesstoensurethatbaselineconfigurationswithapproveddeviationsarecompliedwith.Anynewdeviationswillproceedthroughareviewandapprovalprocess.TheBankexpectstohavethiseffortcompletedbyAugust1,2017.
EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequatelyensurethattheBankdocumentsandimplementsbaselineconfigurationsettingsforallinformationtechnologyproductsdeployedanddocumentsdeviationsfromestablishedbaselines.
Finding: EXIM Bank Should Improve Controls over Access Management
ControlsarenotadequatetoensurethatindividualsrequiringaccesstoEXIMinformationandinformationsystemssignappropriateaccessagreementspriortoobtainingaccess.Specifically,wenotedthroughtheauditon‐boardingprocessthatEXIMBankdidnotrequiretheauditorstosigntheEXIMRulesofBehavior(RoB)documentpriortoobtainingnetworkaccess.
ThisweaknessexistsbecauseEXIMBankincorporatessigningtheRoBintotheirsecurityawarenesstraining,andtheBank’spolicystatesthatemployeeshavea10‐daygraceperiodtocompletethistraining.ThispolicyisnotincompliancewithFISMAandDHSrequirements,whichstatethatindividualsmustprovideasignedacknowledgementoftheirunderstandingandagreementtoabidebytheRoBpriortogainingaccesstofederal
24
AUDIT REPORT OIG-AR-17-04
information.Inaddition,EXIMBankdoesnotfollowuponorenforceitsinternal10‐daygraceperiod,anduserscancontinuetoaccessthenetworkafterthisperiodwithoutcompletingthetrainingorsigningtheRoB.
WithoutappropriatecontrolsinplaceforensuringthatemployeessignaRoBpriortoobtainingaccesstotheBank’snetworks,thereisanincreasedriskofindividualsperforminginappropriateorunauthorizedactivities,whichcouldleadtounintentionaluse,access,andexposureofsensitivedata.
Thefollowingguidanceisrelevantforthiscontrolactivity:
NISTSP800‐53,Rev.4,PL‐4,RulesofBehavior,states:
Control:Theorganization:a.Establishesandmakesreadilyavailabletoindividualsrequiringaccesstotheinformationsystem,therulesthatdescribetheirresponsibilitiesandexpectedbehaviorwithregardtoinformationandinformationsystemusage;b.Receivesasignedacknowledgmentfromsuchindividuals,indicatingthattheyhaveread,understand,andagreetoabidebytherulesofbehavior,beforeauthorizingaccesstoinformationandtheinformationsystem;
NISTSP800‐53,Rev.4,PS‐6,AccessAgreements,states:
Control:Theorganization:a.Developsanddocumentsaccessagreementsfororganizationalinformationsystems;b.Reviewsandupdatestheaccessagreements[Assignment:organization‐definedfrequency];andc.Ensuresthatindividualsrequiringaccesstoorganizationalinformationandinformationsystems:
1.Signappropriateaccessagreementspriortobeinggrantedaccess;and2.Re‐signaccessagreementstomaintainaccesstoorganizationalinformationsystemswhenaccessagreementshavebeenupdatedor[Assignment:organization‐definedfrequency].
25
AUDIT REPORT OIG-AR-17-04
Recommendation, Management’s Response, and Evaluation of Management’s Response
Recommendation5:
WerecommendthattheEXIMBankCIO:
a. Updatetheiron‐boardingprocesstoseparatetheacknowledgementoftheRoBfromthesecurityawarenesstrainingandrequireuserstoacknowledgeandsigntheRoBpriortoobtainingnetworkaccess,orimprovetheirexistingsecuritytrainingprocedurestoensurethatallpersonnelreceivesecuritytrainingandsigntheBank’sRoBagreementpriortoobtainingaccesstotheBank’sdata.
b. Implementprocedurestoformallytrackcompliancewiththeupdatedprocess.Management’sResponse:
TheBankconcurswiththisrecommendation.
TheBank’sOCIOwilldevelopandimplementanon‐boardingprocesswhichrequiresallusers(employees,contractors,temps,andinterns)toexecuteasignedRulesofBehaviorAgreementwiththeBankpriortobeinggrantedanynetworkorsystemaccess.TheBankexpectstohavethiseffortcompletedbyApri12017.
EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequatelyensurethattheBankrequiresallpersonneltosigntheBank’sRoBagreementbeforeobtainingaccesstotheBank’sdata.
Finding: EXIM Bank Should Improve Controls over Role-Based Training
ControlsarenotadequatetoensurethatEXIMBankidentifiesandtracksthestatusofspecializedsecurityandprivacytrainingforallpersonnel(toincludeemployees,contractors,andotherorganizationusers)thathavesignificantinformationsecurityandprivacyresponsibilitiesrequiringsuchtraining.Specifically,wenotedthattheBankhasidentifiedonlyfourrolesthathavespecializedsecurityresponsibilitiesandarerequiredtotakerole‐basedsecuritytraining,including:
• CIO• Director,ITSecurityandSystemAssurance• Director,InfrastructureOperations• InformationSystemSecurityOfficer
26
AUDIT REPORT OIG-AR-17-04
NISTSP800‐53,Rev.4states,“Organizationsprovideenterprisearchitects,informationsystemdevelopers,softwaredevelopers,acquisition/procurementofficials,informationsystemmanagers,system/networkadministrators,personnelconductingconfigurationmanagementandauditingactivities,personnelperformingindependentverificationandvalidationactivities,securitycontrolassessors,andotherpersonnelhavingaccesstosystem‐levelsoftware,adequatesecurity‐relatedtechnicaltrainingspecificallytailoredfortheirassignedduties.”WenotedthatEXIMBankhasnotidentifiedthemajorityoftherecommendedrolesasrequiringspecializedsecuritytrainingandhasnotrequiredemployeesintheserolestotakesuchtraining.
Thisweaknessexistsbecausemanagementhasfocusedonmanagement‐levelroles,giventhetimeandcostassociatedwithtrackingtrainingforasignificantlylargercohortofpersonnel.Withoutappropriatesecurity‐relatedtrainingforthoseinvolvedinsecurityactivities,thelikelihoodthatemployeeswillincorrectlyconfigureormanagesystemsisincreased,whichinturnincreasestheoverallvulnerabilityrisktotheBank’ssystemsanddata.
Thefollowingguidanceisrelevanttothiscontrolactivity:
NISTSP800‐53,Rev.4,AT‐3,Role‐BasedSecurityTraining,states:
Control:Theorganizationprovidesrole‐basedsecuritytrainingtopersonnelwithassignedsecurityrolesandresponsibilities:a.Beforeauthorizingaccesstotheinformationsystemorperformingassignedduties;b.Whenrequiredbyinformationsystemchanges;andc.[Assignment:organization‐definedfrequency]thereafter.SupplementalGuidance:Organizationsdeterminetheappropriatecontentofsecuritytrainingbasedontheassignedrolesandresponsibilitiesofindividualsandthespecificsecurityrequirementsoforganizationsandtheinformationsystemstowhichpersonnelhaveauthorizedaccess.Inaddition,organizationsprovideenterprisearchitects,informationsystemdevelopers,softwaredevelopers,acquisition/procurementofficials,informationsystemmanagers,system/networkadministrators,personnelconductingconfigurationmanagementandauditingactivities,personnelperformingindependentverificationandvalidationactivities,securitycontrolassessors,andotherpersonnelhavingaccesstosystem‐levelsoftware,adequatesecurity‐relatedtechnicaltrainingspecificallytailoredfortheirassignedduties.Comprehensiverole‐basedtrainingaddressesmanagement,operational,andtechnicalrolesandresponsibilitiescoveringphysical,personnel,andtechnicalsafeguardsandcountermeasures.Suchtrainingcanincludeforexample,policies,procedures,tools,andartifactsfortheorganizationalsecurityrolesdefined.Organizationsalsoprovidethetrainingnecessaryforindividualstocarryouttheirresponsibilitiesrelatedtooperationsandsupplychainsecuritywithinthecontextoforganizationalinformationsecurityprograms.Role‐ basedsecuritytrainingalsoappliestocontractorsprovidingservicestofederalagencies.
27
AUDIT REPORT OIG-AR-17-04
Recommendation, Management’s Response, and Evaluation of Management’s Response
Recommendation6:
WerecommendthattheEXIMBankCIO:
a. Identifyanddocumentacomprehensivelistofallroleswithinformationsecurityresponsibilities.
b. Documentandimplementprocedurestoensurethatalloftheidentifiedroles
receiveannualrole‐basedsecuritytraining.Management’sResponse:
TheBankconcurswiththisrecommendation.
TheBank’sOCIOwilldefinethoseroleswhichpossessspecializedsecurityresponsibilitiesandidentifyallstaffthatfittotheseroles.TheOCIOwilldevelopprocedurestoensurethatallpersonnelwithspecializedsecurityresponsibilitiesrevisedrolebasedtrainingannually.Implementationoftheseprocedureswillbedocumentedwithtrainingmaterials,attendancerosters,andcompletiondates.TheBankexpectstohavethiseffortcompletedbyJuly1,2017.
EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequatelyensurethattheBankidentifiesacomprehensivelistofallrolesrequiringspecializedsecuritytraining,andthattheseindividualsreceiverole‐basedtrainingannually.
Finding: EXIM Bank Should Improve Controls over the Use of
EXIMBankhasnotimplementedappropriatecontrolsoverthefrequencyofreviewsandupdatesto .Specifically,wenotedthatEXIMusesa
Thisfrequencydoesnotcomplywiththedocumentedpolicyandincreasestheriskthatindividualsnolongerwiththeagencycouldstillhaveknowledgeanduseof .Additionally,whileBank
(b) (7)(E)(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E) (b) (7)(E)(b) (7)(E)
(b) (7)(E)
(b) (7)(E) (b) (7)(E)(b) (7)(E)
(b) (7)(E)
28
AUDIT REPORT OIG-AR-17-04
Uponreceivingnotificationofthisfinding,EXIMmanagementacknowledgedtheerrorandstatedthattheBankwouldconsiderestablishinganewpolicytochangethepasswordmorefrequently.
Thefollowingguidanceisrelevanttothiscontrolactivity:
NISTSP800‐53,Rev.4,AC‐2,AccountManagement,states:
Control:Theorganization:… f.Creates,enables,modifies,disables,andremovesinformationsystemaccountsinaccordancewith[Assignment:organization‐definedproceduresorconditions];g.Monitorstheuseof,informationsystemaccounts;…k.Establishesaprocessforreissuingshared/groupaccountcredentials(ifdeployed)whenindividualsareremovedfromthegroup.
Recommendation, Management’s Response, and Evaluation of Management’s Response
Recommendation7:
WerecommendthattheEXIMBankCIOimplementareviewandupdateof onafrequencythatiscompliantwithEXIMBank’sdocumentedpolicies
andprocedures.
(b) (7)(E) (b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
29
AUDIT REPORT OIG-AR-17-04
Management’sResponse:
TheBankconcurswiththisrecommendation.
TheBank’sOCIOwillreviewtheirproceduresfor forall andreviseourpolicyorproceduresasneededtoensurethat
EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequatelyensurethattheBankreviewsand inaccordancewithestablishedBankpolicy.
Finding: EXIM Bank Should Improve Controls over APS Account Management
ControlsarenotadequatetoensurethatEXIMBankdisablesAPSaccountsforindividualsthathavenotloggedintotheapplicationformorethan90days.Specifically,weidentified129activeAPSaccountsforindividualsthathavenotloggedinformorethan90days,whichviolatesEXIMBankpolicy.
EXIMBankmanagementstatedthattheAPSapplicationreliesontheInfrastructureGSSforsinglesign‐onauthenticationandthereforereliesonthedisablingofnetworkaccountstosatisfythiscontrolrequirement.However,byrelyingontheGSSratherthanimplementingapplication‐levelcontrols,thereisincreasedriskthatindividualsthathaveanactivenetworkaccountbutthatnolongerrequireaccesstotheAPSapplicationcouldhaveunnecessaryorexcessiveprivilegeswithinAPS.
Thefollowingguidanceisrelevanttothiscontrolactivity:
APSSSP,AC‐2,AccountManagement,states:
ControlisPartiallyInheritedasaCommonControl.SeeInfrastructureSSP/SCMforcontrolimplementationdescriptions.
TheInfrastructureGSSSSP/SCM,AC‐2(1),AccountManagement,states:
ForNetworkaccess,theBank,employsautomatedmechanismstosupportthemanagementofnetworkaccountsbydeactivatingdormantaccountsafter90daysofinactivity.
(b) (7)(E) (b) (7)(E)
(b) (7)(E)(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
30
AUDIT REPORT OIG-AR-17-04
NISTSP800‐53,Rev.4,AC‐2,AccountManagement,states:
Control:Theorganization:… f.Creates,enables,modifies,disables,andremovesinformationsystemaccountsinaccordancewith[Assignment:organization‐definedproceduresorconditions];g.Monitorstheuseof,informationsystemaccounts;…h.Notifiesaccountmanagers:1.Whenaccountsarenolongerrequired;2.Whenusersareterminatedortransferred;and3.Whenindividualinformationsystemusageorneed‐to‐knowchanges;
…j.Reviewsaccountsforcompliancewithaccountmanagementrequirements[Assignment:organization‐definedfrequency];
Recommendation, Management’s Response, and Evaluation of Management’s Response
Recommendation8:
WerecommendthattheEXIMBankCIOdocumentandimplementprocedurestoperiodicallyreviewanddisableAPSaccountsthathavenotbeenusedformorethan90days.Management’sResponse:
TheBankconcurswiththisrecommendation.
TheBank’sOCIOcurrentlyconductsmonthlyapplicationaccountreviewsandwillamendtheirAPSuseraccountmanagementprocedurestodisableallAPSuseraccountsafter90daysofnotbeingaccessed.TheBankexpectstohavethiseffortcompletedbyJune1,2017.
EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequatelyensurethattheBankdisablesallAPSaccountsafter90daysofinactivity.
Finding: EXIM Bank Should Improve Controls over Software License Management
ControlsarenotadequatetoensurethatEXIMBankappropriatelyusessoftwareinaccordancewithcontractagreementsandcopyrightlaws.Specifically,wenotedthatasof
31
AUDIT REPORT OIG-AR-17-04
October30,2016,theBankwasusing33 and licensesinexcessofitspurchasedlicenseamounts.
BankmanagementstatedtheBank’ssoftwareneedsfluctuate,andtheBankroutinelyexceedsitspurchasedlicenseamountsinordertomeetstakeholderneeds.
agreementallowstheBanktoexceedthepurchasedlicenseamounts.Accordingtothisagreement,attheendofthefiscalyear,theBankisrequiredto“true‐up”itslicensesbyreconcilingtheactivelicensesandeitherpurchasinganyexcesslicensesrequired,orremovingthem.WhileBankmanagementreconcileditssoftwarelicensesattheendofFY2016,itdidnotfollowthroughwithpurchasingorremovingtheexcesslicensesthatexistedasofSeptember30,2016.Asaresult,theBankenteredFY2017withexcesslicenses.
Bynotpurchasingorremovingtheexcesslicenses,theBankisatincreasedriskofnon‐compliancewithestablishedvendoragreements.
Thefollowingguidanceisrelevanttothiscontrolactivity:
OMBM‐16‐12,CategoryManagementPolicy16‐1:ImprovingtheAcquisitionandManagementofCommonInformationTechnology:SoftwareLicensing,datedJune2,2016,states:
FITARAprovidesnewauthoritiesandresponsibilitiesthatChiefInformationOfficers(CIOs)canusetoimprovetheiragencies’ITmanagementpoliciesandpractices.Toimprovecoveredagencies’softwaremanagementpractices,CIOs,incoordinationwithChiefAcquisitionOfficers(CAOs)andChiefFinancialOfficers(CFOs),musttakethefollowingsteps:…
2)Maintainacontinualagency‐wideinventoryofsoftwarelicenses,includingalllicensespurchased,deployed,andinuse,aswellasspendingonsubscriptionservices(toincludeprovisional(i.e.cloud)softwareasaserviceagreement(SaaS)).Agenciesmustbetterunderstandthetrueusageofcertaintypesofsoftware.
3)Analyzeinventorydatatoensurecompliancewithsoftwarelicenseagreements,consolidateredundantapplications,andidentifyothercost‐savingopportunities.
NISTSP800‐53,Rev.4,CM‐10,SoftwareUsageRestrictions,states:
Control:Theorganization:a.Usessoftwareandassociateddocumentationinaccordancewithcontractagreementsandcopyrightlaws;b.Trackstheuseofsoftwareandassociateddocumentationprotectedbyquantitylicensestocontrolcopyinganddistribution;andc.Controlsanddocumentstheuseofpeer‐to‐peerfilesharingtechnologytoensurethatthiscapabilityisnotusedfortheunauthorizeddistribution,display,performance,orreproductionofcopyrightedwork.
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
32
AUDIT REPORT OIG-AR-17-04
Recommendation, Management’s Response, and Evaluation of Management’s Response
Recommendation9:
WerecommendthattheEXIMBankCIO:
a. Removeallinstancesof softwarethathavenotbeenproperlylicensedorauthorizedbythevendor,ormakearrangementswith topurchasethecurrentexcessamount.
b. DocumentandimplementprocedurestoperiodicallyreviewandreconcilethenumberofsoftwarelicensesusedforallsoftwareproductstoensurethattheBankisincompliancewithitsvendoragreements.
Management’sResponse:
TheBankconcurswiththisrecommendation.
TheBankisnowinfullcompliancewiththequantitiesof softwarecurrentlyownedbytheBank.Further,theOCIOwilldevelopwrittenprocedurestoimplementtheprocesscurrentlyusedtoreviewcompliancewithoursoftwarelicensequantities.TheBankexpectstohavethiseffortcompletedbyApril1,2017.
EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequatelyensurethattheBankremovesallinstancesofsoftwarethathavenotbeenproperlylicensed,andthatitimplementsdocumentedproceduresforperiodicallyreviewingandreconcilinglicensequantities.
(b) (7)(E)(b) (7)(E)
(b) (7)(E)
33
AUDIT REPORT OIG-AR-17-04
Federal Laws, Regulations, Policies, and Guidance
Aspartofourtestsofinternalcontrols,wereviewedEXIMBank’sinformationsecurityprogramtodetermineitseffectiveness,asprescribedbyapplicablefederallawsandregulationsrelatedtoinformationsecurity,includingbutnotlimitedto:
FederalInformationSecurityModernizationActof2014
FY2016InspectorGeneralFederalInformationSecurityModernizationActReportingMetricsV1.1.3
NISTSPsandFIPS,particularly:
o SP800‐53,Rev.4,SecurityandPrivacyControlsforFederalInformationSystemsandOrganizations
o SP800‐53A,Rev.4,AssessingSecurityandPrivacyControlsinFederalInformationSystemsandOrganizations:BuildingEffectiveAssessmentPlans
o SP800‐34,Rev.1,ContingencyPlanningGuideforFederalInformationSystems
o SP800‐37,Rev.1,GuideforApplyingtheRiskManagementFrameworktoFederalInformationSystems
o SP800‐30Rev.1,GuideforConductingRiskAssessments
o SP800‐60,Rev.1,VolumeIRevision1:GuideforMappingTypesofInformationandInformationSystemstoSecurityCategories
o SP800‐61,Rev.2,ComputerSecurityIncidentHandlingGuide
o FIPSPublication199,StandardsforSecurityCategorizationofFederalInformationandInformationSystems
APPENDIX A
34
AUDIT REPORT OIG-AR-17-04
Prior Coverage
Thefollowingtableshowsthestatusofallprior‐yearauditfindingsandrecommendations,includingtheyearofinitialdiscoveryandthecurrentstatus.Allre‐issueditemsareaddressedindetailinthe“Results”sectionofthereport.
Finding RecommendationFY
IdentifiedFY2016Status
DuringourFY2011testing,wefoundthatEXIMBankhadnotdevelopedanddocumentedaplanfortheimplementationofPIVcardsasthecommonmeansofauthenticationforaccesstotheagency’sfacilities,networks,andinformationsystems,asdirectedinOMB‐M‐11‐11.Inaddition,EXIMBankwasnotemployingPIVmultifactorauthenticationmechanismsforusersconnectingtotheBank’snetworksinternally.TheCIOstatedthatactionhadnotbeentakentoimplementPIVaccesstoEXIMBank’sinternalnetworkduetootherpriorities.GiventhataplanhadnotbeendevelopedforPIVimplementation,thedateforupgradingthenetwork’sacceptanceforitsusewasunknown.DuringourFY2013testing,wenotedthatEXIMBankhaddevelopedaplanfortheimplementationanduseofPIVcardstoachievemultifactorauthenticationforaccesstotheEXIMBanknetworkandhadrolledoutapilotprogramtobegintheimplementation.However,thisprogramwasstillinthetestingphaseandhadnotbeendeployedthroughouttheagency.ForFY2015,wefoundthattheBankhadcompletedPIVimplementationforlogicalaccessforBankemployees;however,thiswasnotfullyrolledoutuntiltheendofthefiscalyear,inSeptember2015.WealsofoundthattheBankhadnotyetfullyimplementedPIVaccessforallcontractorsaccessingtheBank’s
WerecommendthattheCIOfullyimplementtheuseofPIVcardstoachievemultifactorauthenticationtotheEXIMBanknetworkforallaccess,asrequiredbyOMBM‐11‐11.
2012 Closed
35
AUDIT REPORT OIG-AR-17-04
Finding RecommendationFY
IdentifiedFY2016Status
networks.UntilEXIMBankhasfullyimplementedtheuseofPIVcards,itwillnotbeincompliancewithOMBrequirementsandwillhaveanincreasedriskofunauthorizedaccess.
ControlsarenotadequatetoensurethatEXIMBankhasimplementedeffectiveaccountmanagementprocessesfortheInfrastructureGSS.
WerecommendthattheEXIMBankCIO:
1. Ensurethattheaccountreviewprocessisconductedinaccordancewithorganizationalpoliciesandprocedures.
2. Ensurethatinactive
accountsaredisabledafteraperiodof90days,inaccordancewithorganizationalpolicyandprocedures.
3. Ensurethataccounts
forterminatedindividualsareremovedimmediatelyuponseparation.
2013 Closed
InourFY2014FISMAauditreport,wefoundthatcontrolswerenotadequatetoensurethatremoteusersaretimedoutordisconnectedfromtheEXIMBanknetworkinaccordancewithEXIMBankpolicy.Specifically,wefound:
Remoteconnectionsthroughthevirtualprivatenetwork(VPN)didnottimeout.EXIMBankpolicyrequiresremoteconnectionstotimeoutafter30minutesofinactivity.
Remoteconnectionsdisconnectedafter8hours.EXIMBankpolicy
WerecommendthattheEXIMBankCIO:
1. Ensurethatremoteaccesspoliciesandsettingsareappropriatelyconfiguredandimplemented.
2. TestallNISTSP800‐53,Rev.4securitycontrolstoensurethattheyareappropriatelyoperatingasintended.
2014 Closed
36
AUDIT REPORT OIG-AR-17-04
Finding RecommendationFY
IdentifiedFY2016Status
requiresremoteconnectionstodisconnectafter6hours.
Remotedesktopconnectionsettingsweresettotimeoutafter1hourratherthantherequired30minutes.
DuringourFY2015testing,wenotedthat,whiletheaboveweaknesseswereremediated,controlsoverremoteaccessstillneedimprovement.Specifically,wenotedthatremoteusersarerequiredtousetwo‐factorauthenticationtologintoEXIMBank’snetwork.AfterloggingontotheVPN ,usersnotusinganEXIMBankmachinemustthenremotedesktop(RDP)intoaBankmachineinordertoaccessBankresources.However,wefoundthatthesystemdoesnotforceuserstologontoRDPtoaccessthenetwork.Non‐BankmachinescanbeconfiguredtoskipovertheRDPstepaftersuccessfullyconnectingtotheVPN,insteaddirectlyaccessingEXIMresources,whichviolatesBankpolicy.
ControlsarenotadequatetoensurethatEXIMBankdataaccessiblefrom
isadequatelyprotected.InFY2015,wenotedthattheBankhasacquiredsoftwarethatwillenableittoenforcesecuritycontrolson
.Thissoftwarehasbeenconfiguredandimplementedfor
.
WerecommendthattheEXIMBankCIOdeploy securitycontrolsthat:
1.
2. Restricttheinstallation
ofunapprovedormalicioussoftware.
3. Prevent
fromconnectingtointernalEXIMBankresources.
2014 Reissued
Numbers2and3closed;Number
1remainsopen
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
37
AUDIT REPORT OIG-AR-17-04
Finding RecommendationFY
IdentifiedFY2016Status
ControlsarenotadequatetoensurethatallEXIMBanksystemsecurityplans(SSPs)areappropriatelydocumentedtoaddressallapplicableNIST800‐53,Rev.4controls.Specifically,wenotedthattheFMS‐NGSSPdidnotaddressNIST800‐53,Rev.4privacycontrols.
WerecommendthattheEXIMBankCIOupdatetheFMS‐NGSSPtoidentifyanddocumentallapplicableNISTSP800‐53,Rev.4controls.
2015 Closed
ControlsarenotadequatetoensurethatEXIMBankhasdocumentedconfigurationmanagementplansthataddressconfigurationmanagementrequirementsforallofitssystems.Specifically,wenotedthatEXIMBankdidnotprovideconfigurationmanagementplansfortheInfrastructureGSSand systems.TheBankstatedthatplansdidexist;however,theplanswerenotconsistentlyupdatedorwereoutdated.Asaresult,theBankwouldnotprovidetheplanstotheauditors.Withoutappropriateconfigurationmanagementplansthataddresshowtomovechangesthroughchangemanagementprocesses;howtoupdateconfigurationsettingsandbaselines;howtomaintaininformationsystemcomponentinventories;howtocontroldevelopment,test,andoperationalenvironments;andhowtodevelop,release,andupdatekeydocuments,theBankmaybesusceptibletounauthorizedandmalicioussystemchanges.
WerecommendthattheEXIMBankCIOdocumentconfigurationmanagementplansfortheInfrastructureGSSand systemsthat:
a. Addressroles,
responsibilities,andconfigurationmanagementprocessesandprocedures.
b. Establishaprocessforidentifyingconfigurationitemsthroughoutthesystemdevelopmentlifecycleandformanagingtheconfigurationoftheconfigurationitems.
c. Definetheconfiguration
itemsfortheinformationsystemandplacetheconfigurationitemsunderconfigurationmanagement.
d. Protecttheconfiguration
managementplanfromunauthorizeddisclosureandmodification.
2015 Closed
ControlsarenotadequatetoensurethattheBankperformedappropriate
WerecommendthattheEXIMBankCIOensurethattestingof
2015 Closed
(b) (7)(E)
(b) (7)(E)
38
AUDIT REPORT OIG-AR-17-04
Finding RecommendationFY
IdentifiedFY2016Status
contingencyplanningactivitiesinFY2015.Specifically,wefoundthatinFY2015,theBankdidnotperformitsannualcontinuityofoperationsplan(COOP)exercisethatvalidatestheBank’sabilitytocontinueoperationsintheeventofadisaster.TheBankstatedthatduetoalapseinitsauthority,resourceconstraintsandre‐prioritizationpreventeditfromcoordinatingandexecutingtheplan.WithoutvalidationofCOOPcapabilities,theBankmaynotbeawareoftheplan’seffectivenessorpotentialweaknessesthatrequireremediation.Inaddition,thereisanincreasedriskthattheBankwillbeunabletoperformitsmissionintheeventthatsystemsareunavailableforextendedperiodsoftime.
theCOOPplanisperformedonanannualbasistoensurethattheBankispreparedtocontinueoperationsandappropriatelyrespondtopotentialdisasters.
ControlsarenotadequatetoensurethatappropriatePOA&Mmanagementcontrolsareinplace.Specifically,wenotedthefollowing:
Forthe ,theBankhadnotstartedaddressingPOA&Ms
ndthescheduledcompletiondatespassedwithnomilestoneupdates.
Forthe ,theBankhadnotstartedaddressingPOA&M
,andthescheduledcompletiondatepassedwithnomilestoneupdates.
WerecommendthattheEXIMBankCIOimplementaprocesstoensurethatallsystemPOA&Msarereviewedonanorganization‐definedfrequencyandthatmilestonesareupdatedtoreflectactionstakentoremediatePOA&Mitems.
2015 Reissued
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
42
AUDIT REPORT OIG-AR-17-04
(b) (7)(E)
(b) (7)(E)(b) (7)(E) (b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E) (b) (7)(E)(b) (7)(E)(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
(b) (7)(E)(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
43
AUDIT REPORT OIG-AR-17-04
(b) (7)(E)(b) (7)(E) (b) (7)(E)(b) (7)(E)(b) (7)(E)(b) (7)(E)
(b) (7)(E)
(b) (7)(E)
44
AUDIT REPORT OIG-AR-17-04
Selected Security Controls and Testing Results
800‐53Control
ControlTitle System Results
AC‐2 AccountManagement APS Controlsarenoteffective
AU‐2 AuditEvents APS Controlsareeffective
AU‐6 AuditReview,Analysis,andReporting APS Controlsareeffective
CM‐2 BaselineConfiguration APS Controlsareeffective
CM‐3 ConfigurationChangeControl APS Controlsareeffective
CM‐6 ConfigurationSettings APS Controlsarenoteffective
IA‐2 IdentificationandAuthentication APS Controlsareeffective
CM‐8 InformationSystemComponentInventory
GSS Controlsareeffective
CM‐10 SoftwareUsageRestrictions GSS Controlsarenoteffective
CM‐11 User‐InstalledSoftware GSS Controlsareeffective
MP‐1 MediaProtectionPolicyandProcedures GSS Controlsareeffective
MP‐2 MediaAccess GSS Controlsareeffective
MP‐4 MediaStorage GSS Controlsareeffective
MP‐5 MediaTransport GSS Controlsareeffective
APPENDIX C
45
AUDIT REPORT OIG-AR-17-04
DHS FY 2016 IG FISMA Metrics Results
ThefollowingtablesrepresenteachoftheNISTCybersecurityFrameworkdomainsthatwereviewedtorespondtotheFY2016IGFISMAMetrics.Eachofthefivedomainareas(Identify,Protect,Detect,Respond,andRecover)hadspecificcontrolobjectivesthatweevaluated,andeachobjectivewasassociatedwithamaturitylevel.ThetablesbelowrepresentthenumberofobjectivesthatweevaluatedforeachCybersecurityFramework,theirassociatedmaturitylevel,andwhetherthecontrolobjectivewas“met”or“notmet.”Thenumberofcontrolobjectives“met”foreachlevelwithintherespectivedomainsdeterminedtheoverallscoreforthatdomain.PerDHS’FY2016IGFISMAmetrics,onlyagencyprogramsthatscoreatoraboveLevel4:ManagedandMeasureable(13points)foraNISTFrameworkFunctionhaveeffectiveprogramswithinthatarea.
Furthermore,thepointallotmentforeachlevelofmaturityisdeterminedbymeetingalloftherequirementsinthepreviouslevel(s),andhalformoreofthelevelcurrentlyunderassessment.Forexample,anagencyisconsideredtobeatlevel3ifithasmetallofthelevel1andlevel2requirementsandhalformoreofthelevel3requirements.
Identify
Level Met Not Met % Points Possible
Level 1: Ad‐hoc 0 0 100% 3 3
Level 2: Defined 2 2 50% 4 4
Level 3: Consistently Implemented 9 2 82% 6
Level 4: Managed and Measureable 5 1 83% 5
Level 5: Optimized Achieve 100% of Level 4 Capabilities 2
Level 2: Defined Effective No 7 20
Protect
Level Met Not Met % Points Possible
Level 1: Ad‐hoc 0 0 100% 3 3
Level 2: Defined 2 3 40% 4
Level 3: Consistently Implemented 12 6 67% 6
Level 4: Managed and Measureable 6 2 75% 5
Level 5: Optimized Achieve 100% of Level 4 Capabilities 2
Level 1: Ad‐hoc Effective No 3 20
Detect
Level Met Not Met % Points Possible
Level 1: Ad‐hoc 10 0 100% 3 3
Level 2: Defined 8 2 80% 4 4
Level 3: Consistently Implemented 1 9 10% 6
APPENDIX D
46
AUDIT REPORT OIG-AR-17-04
Level 4: Managed and Measureable 0 12 0% 5
Level 5: Optimized 0 7 0% 2
Level 2: Defined Effective No 7 20
Respond
Level Met Not Met % Points Possible
Level 1: Ad‐hoc 12 0 100% 3 3
Level 2: Defined 8 4 67% 4 4
Level 3: Consistently Implemented 3 10 23% 6
Level 4: Managed and Measureable 0 9 0% 5
Level 5: Optimized 0 8 0% 2
Level 2: Defined Effective No 7 20
Recover
Level Met Not Met % Points Possible
Level 1: Ad‐hoc 0 0 100% 3 3
Level 2: Defined 2 0 100% 4 4
Level 3: Consistently Implemented 6 0 100% 6 6
Level 4: Managed and Measureable 3 0 100% 5 5
Level 5: Optimized Achieve 100% of Level 4 Capabilities 2 2
Level 5: Optimized Effective Yes 20 20
Area Level Points Possible Effective
Identify Level 2: Defined 7 20 No
Protect Level 1: Ad‐hoc 3 20 No
Detect Level 2: Defined 7 20 No
Respond Level 2: Defined 7 20 No
Recover Level 5: Optimized 20 20 Yes
Total 44 100
Effective No
47
AUDIT REPORT OIG-AR-17-04
To Report Fraud, Waste, or Abuse, Please Contact:
Email: [email protected]
Telephone: 1‐888‐OIG‐EXIM(1‐888‐644‐3946)
Fax: (202)565‐3988
Address: OfficeofInspectorGeneral Export‐ImportBankoftheUnitedStates 811VermontAvenue,NW Suite138 Washington,DC20571
Comments and Suggestions
Ifyouwishtocommentonthequalityorusefulnessofthisreportorsuggestideasforfutureaudits,pleasecontactTerrySettle,AssistantInspectorGeneralforAudits,[email protected](202)565‐3498.Comments,suggestions,andrequestscanalsobemailedtotheattentionoftheAssistantInspectorGeneralforAuditsattheaddresslistedabove.