During our audit, we also identified significant conditions related to the controls performed over xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx and public domain web site management and maintenance.
Incident Handling
The Department did not have an effective incident response and handling program. The Department's CIO: (a) did not provide adequate security awareness to Department users regarding xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; (b) provided conflicting direction regarding incident response reporting procedures; and (c) did not properly manage the Department's Customer Service personnel. The Department has a responsibility to take all precautions to protect all sensitive PII data residing on the Department's network.
Two-Factor Authentication
The Department's CIO did not implement two-factor authentication or other effective compensating controls commensurate with the risk and magnitude of harm that would result from a compromise of Department data.
Compromise of this data would cause significant harm and embarrassment to the Department and could lead to identity theft or other harmful use of the information. Specifically, using information obtained from two public web sites, we were able to use xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx techniques to remotely gain access to sensitive Department information and PII.
XXX Configuration
The Department did not configure the xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. If sensitive Department information and PII data are compromised, the Department could suffer significant embarrassment, and that compromise could lead to harmful misuse of the information. Our tests demonstrated that unauthorized access to the system through xxxxxxxxxxxxxxxx attacks could give a malicious attacker the ability to exploit systems, delete and/or modify sensitive data, and cause significant harm to Department information.
Public Domain Web Sites
The Department did not properly manage and validate public domain web sites.
Users with malicious intent could gain access to the xxxxx xxxxxxxxxxxxxxxxxxxxx for email spoofing, social engineering, and other possible malicious attacks. Specifically, the Department did not: (a) properly establish, update, and maintain an inventory of public web sites; (b) properly manage internet protocol address assignment; (c) properly expire and revoke remote web site certificates; (d) properly monitor public domain web sites; and (e) use approved domain names. Additionally, the public has the right to assume that web sites hosted or provided by the Department are valid and trusted. The Department's CIO has the overall responsibility to take all precautions to protect Department data residing on public domain web sites. It is essential that the Department validate its public web sites and adequately protect the confidentiality, integrity, and availability of the PII data residing on them. The Department also stated that, as of the start date of this audit, it concurred with the findings and recommendations identified.
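Several of the controls this finding lists (a maintained inventory, address assignment inside the organisation's own ranges, certificate expiry, approved domain names) can be checked mechanically once an inventory exists. The script below is an added example written for this page, not code from the OIG report or from the Department; the approved domain, address ranges, hostnames, certificate dates and owners it uses are hypothetical, constructed inventory records.

```python
"""Public web site inventory checks.

Added example written for this page; it is not from the OIG report or
the Department. It runs three of the controls the finding lists over a
constructed inventory: approved domain names, IP addresses inside the
organisation's assigned ranges, and certificate expiry. Every hostname,
address range, date and owner below is hypothetical.
"""
from datetime import date
import ipaddress

# Hypothetical approved domains and assigned address ranges (RFC 5737
# documentation addresses are used so nothing here is a real network).
APPROVED_DOMAINS = ("example.gov",)
ASSIGNED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
CERT_WARNING_DAYS = 30

# Constructed inventory records: hostname, address, certificate notAfter
# date (ISO 8601) and the responsible owner.
INVENTORY = [
    {"host": "www.example.gov",        "ip": "192.0.2.10",   "not_after": "2026-06-01", "owner": "webteam"},
    {"host": "grants.example-gov.com", "ip": "192.0.2.20",   "not_after": "2026-06-01", "owner": "contractor"},
    {"host": "legacy.example.gov",     "ip": "198.51.100.5", "not_after": "2026-06-01", "owner": ""},
    {"host": "portal.example.gov",     "ip": "192.0.2.30",   "not_after": "2025-05-15", "owner": "webteam"},
    {"host": "forms.example.gov",      "ip": "192.0.2.40",   "not_after": "2025-04-01", "owner": "webteam"},
]


def in_approved_domain(host, approved=APPROVED_DOMAINS):
    """True only if host is an approved domain or a subdomain of one.

    Requiring the dot separator rejects look-alikes such as
    example-gov.com or notexample.gov.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in approved)


def in_assigned_range(ip, ranges=ASSIGNED_RANGES):
    """True if the address falls inside one of the organisation's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def cert_days_left(not_after, today):
    """Days until the certificate's notAfter date; negative once expired."""
    return (date.fromisoformat(not_after) - today).days


def audit_inventory(inventory, today, approved=APPROVED_DOMAINS,
                    ranges=ASSIGNED_RANGES, warn_days=CERT_WARNING_DAYS):
    """Return {host: [issue, ...]} for every record that fails a check."""
    findings = {}
    for rec in inventory:
        issues = []
        if not in_approved_domain(rec["host"], approved):
            issues.append("unapproved-domain")
        if not in_assigned_range(rec["ip"], ranges):
            issues.append("ip-outside-assigned-ranges")
        days = cert_days_left(rec["not_after"], today)
        if days < 0:
            issues.append("cert-expired")
        elif days <= warn_days:
            issues.append("cert-expiring")
        if not rec.get("owner"):
            issues.append("no-owner")
        if issues:
            findings[rec["host"]] = issues
    return findings


if __name__ == "__main__":
    # Fixed review date so the output is reproducible.
    for host, issues in audit_inventory(INVENTORY, date(2025, 5, 1)).items():
        print(f"{host}: {', '.join(issues)}")
```

The domain check is the one worth getting right: matching on a plain substring would accept a look-alike such as grants.example-gov.com, which is exactly the kind of site an attacker would register for spoofing or social engineering, so the check insists on an exact match or a dot-separated subdomain of an approved name. In practice the notAfter dates would be pulled from the live certificates rather than typed into the inventory, and the address ranges from the organisation's IP allocation records.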
In response to our draft report, the Department thanked the OIG for the opportunity to provide comments on this audit report.
In response to our system security review, management stated that corrective action plans for the weaknesses will be finalized through the Department's formal audit resolution process. Dept. xxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ED-OIG/A11I0006, June 10, 2009
Tags: audit, IT security, Office of Inspector General, U.S. Department of Education