The Election Assistance Commission (EAC) generally complies with Federal Information Security Management Act (FISMA) requirements, but its implementation of the security policies it has in place is not fully effective at protecting agency information, according to a Jan. 2 report released by the EAC Office of the Inspector General (OIG).
“Although, EAC [Office of IT] generally has policies for its information security program, its implementation of those policies for security controls reviewed was not fully effective to preserve the confidentiality, integrity, and availability of the Agency’s information and information systems, potentially exposing them to unauthorized access, use, disclosure, disruption, modification, or destruction,” the report states.
From May 6 through Sept. 30, OIG reviewed EAC's information security practices against Federal standards. Auditors raised concerns about the lack of a physical IT asset inventory, the absence of multifactor authentication for network access, outdated configuration settings, and gaps in IT security training.
Following the assessment, auditors made five new recommendations to EAC:
- Conduct a physical inventory of IT assets annually;
- Prioritize and implement multifactor authentication for network access;
- Implement a Security Content Automation Protocol (SCAP) tool to maintain up-to-date configuration settings;
- Develop a yearly specialized training schedule to ensure IT staff gains job-specific knowledge; and
- Track the training schedule to ensure employees receive assigned training according to agency policies.
EAC officials agreed with all five recommendations. In addition, six recommendations from the Fiscal Year 2017 and 2018 audits remain open. Those earlier recommendations include updating the Continuity of Operations Plan and the Enterprise Risk Management Strategy, remediating network configuration vulnerabilities, and conducting annual reviews of information security procedures.