Posted: 2:03 am ET
State/OIG recently posted online its review of the State Department’s policies and controls protecting personally identifiable information (PII) data and national security data. Below is an excerpt:
The Consolidated Appropriations Act, 2016,1 Section 406, Federal Computer Security, requires the Inspector General of each covered agency to submit a report that contains a description of controls utilized by covered agencies to protect sensitive information maintained, processed, and transmitted by a covered system. Specifically, the Consolidated Appropriations Act requires a description of controls utilized by covered agencies to protect two types of data contained within covered systems: personally identifiable information (PII) data and national security data. Information related to national security data is covered in a classified annex to this information report.
Specifically, Williams Adley selected and reviewed 4 systems from a Department-provided listing of 216 systems (Electronic Medical Records System (eMED), Integrated Personnel Management System (IPMS), Consular Consolidated Database (CCD), and Consular Lookout and Support System (CLASS)) that provide access to PII. In addition, Williams Adley reviewed 2 National Security Systems (NSS) from a Department-provided listing of 60 systems (Chief of Mission and Special Embassy Programs Database (NSDD 38), and Principal Officers Executive Management System (POEMS)).
This report describes the policies and controls used by the Department for five specific topics identified in the Act:
(1) logical access policies and practices;
The review found only two of the six systems reviewed (eMED and IPMS) had system-specific logical access control policies.
(2) logical access controls and multi-factor authentication used;
With respect to why logical access controls or multi-factor authentication are not being used, according to Department officials, two of the six systems (IPMS and one NSS) did not implement multi-factor authentication to govern system-level privileged user access because functional capabilities are not available. According to Department officials, IPMS is currently planning multi-factor implementation, while the one NSS is waiting for the Department to provide the functional capabilities necessary to implement multi-factor authentication to govern privileged user logical access.
(3) the reasons logical access controls or multi-factor authentication have not been used;
With respect to access and multi-factor authentication, Williams Adley found the Department has not fully implemented multi-factor authentication at the entity level; however, it had implemented other logical access compensating controls to govern privileged user access. Four of the six systems reviewed (eMED, CCD, CLASS, and one NSS) had either fully or partially implemented multi-factor authentication to government system-level privileged user logical access. The two systems that did not utilize multi-factor authentication to govern logical access of privileged users (IPMS and one NSS) relied on username and password combinations. Nevertheless, all six systems had some type of logical access controls in place.
(4) information security management practices used for covered systems;
With respect to information security management practices used for covered systems, Williams Adley found the Department uses a federated model to manage software inventory. In addition, the Department has implemented a defense-in-depth information system program. Further, the Department monitors network traffic, detects and responds to incidents, and scans for security compliance and vulnerabilities. However, the Department has only partially implemented a data loss prevention system and has not implemented digital rights management technology.
(5) policies and procedures that ensure information security management practices are effectively implemented by other entities such as contractors.
With respect to policies and procedures that ensure information security management practices are effectively implemented by other entities such as contractors, Williams Adley found the Department has a number of policies related to this topic. The relevant Department policies and procedures are established within the Department’s Foreign Affairs Manual (FAM).
The report notes that the Bureau of Information Resource Management, the Executive Secretariat’s Office of Information Resource Management, and the Bureau of Diplomatic Security, provided comments to a draft of the report. Because the comments were marked sensitive, the comments have been reprinted, in their entirety, in the classified annex of the report (AUD-IT- 16-45A).
The publicly available report is available here: https://oig.state.gov/system/files/aud-it-16-45.pdf