State/OIG Reminds @StateDept of IT Contingency Planning Deficiencies

Posted: 12:59 am EDT
[twitter-follow screen_name=’Diplopundit’ ]

 

Last week, State/OIG issued a Management Assistance Report (MAR-PDF) reminding the State Department of continued deficiencies identified in information technology contingency planning at its overseas posts:

OIG identified IT contingency planning deficiencies in 69 percent (20 out of 29) of overseas inspections performed during FYs 2014 and 2015. The issues identified ranged from information management staff at posts not developing, updating, or testing IT contingency plans to plans that lacked appropriate key stakeholders and contact information as part of emergency preparedness, contrary to requirements set forth in 5 Foreign Affairs Manual (FAM) 1064, 12 FAM 623.7, 12 FAM 632.3, and National Institute of Standards and Technology Special Publication 800-34. This report recommends that the Department take action to ensure that information management personnel are held accountable for IT contingency planning by making this responsibility explicit in their work requirements.

Recommendations from 2011 OIG Memorandum Report Unimplemented

OIG inspection teams continue to report IT contingency planning findings in overseas inspection reports, despite a December 2011 OIG memorandum2 to the Bureau of Information Resource Management with two recommendations addressing the topic. The memorandum identified IT contingency planning issues involving bureaus’ and posts’ lack of attention to developing and testing IT contingency plans as part of their emergency preparedness activities. The Bureau of Information Resource Management stated in compliance responses that it was planning to implement a tracking mechanism and develop a SharePoint site to capture risk scoring compliance for posts and bureaus. However, after 4 years the bureau still lacks a tracking mechanism and a SharePoint site as mentioned in their compliance responses. The September 2015 compliance response noted that the bureau is researching other alternatives to comply with OIG recommendations.

 So State/OIG is trying again with this MAR and a nudge on the Work Requirements of Information Management Staff

A review of Foreign Service employee evaluation reports for information management officers or the most senior information management personnel at embassies and consulates revealed that only 12 percent (32 out of 272) had a stated work requirement to develop and test IT contingency plans. According to 5 FAM 825 and 5 FAM 826, responsibility for the development and testing of IT contingency plans lies with the information management staff overseas.

Recommendation 1: The Bureau of Information Resource Management, in coordination with the regional bureaus, should include the requirement to complete and test information technology contingency plans in the work requirements for information management personnel. (Action: IRM, in coordination with AF, EAP, EUR, NEA, SCA, and WHA).

In related news:

#