DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

OPM OIG Audit Finds Significant Problems Remain

Posted on November 24, 2015 by Dissent

From the Executive Summary of FY 2015 FISMA Results:

  •   The significant deficiency related to information security governance has been dropped due to the reorganization of the Office of the Chief Information Officer (OCIO).
  •   OPM’s system development life cycle policy is not enforced for all system development projects.
  •   OPM does not maintain a comprehensive inventory of servers, databases, and network devices.
  •   Up to 23 major OPM information systems are operating without a valid Authorization. This represents a material weakness in the internal control structure of OPM’s IT security program.
  •   OPM does not have a mature continuous monitoring program. Also, security controls for all OPM systems are not adequately tested in accordance with OPM policy.
  •   The OCIO has implemented an agency-wide information system configuration management policy; however, configuration baselines have not been created for all operating platforms. Also, all operating platforms are not routinely scanned for compliance with configuration baselines.
  •   We are unable to independently attest that OPM has a mature vulnerability scanning program.
  •   Multi-factor authentication is not required to access OPM systems in accordance with OMB memorandum M-11-11.
  •   OPM has established an Enterprise Network Security Operations Center that is responsible for incident detection and response.
  •   OPM has not fully established a Risk Executive Function.
  •   Many individuals with significant information security responsibility have not taken specialized security training in accordance with OPM policy.
  •   Program offices are not adequately incorporating known weaknesses into Plans of Action and Milestones (POA&M) and the majority of systems contain POA&Ms that are over 120 days overdue.
  •   OPM has not configured its virtual private network servers to automatically terminate remote sessions in accordance with agency policy.
  •   Not all OPM systems have reviewed their contingency plans or conducted contingency plan tests in FY 2015.
  •   Several information security agreements between OPM and contractor-operated information systems have expired.

SOURCE:

Federal Information Security Modernization Act Audit FY 2015
Report Number 4A-CI-00-15-011
November 10, 2015

Category: Commentaries and AnalysesGovernment SectorOf NoteU.S.

Post navigation

← UK: Niall O’Kane eye patients alerted over lost records
FBI has lead in probe of 1.2 billion stolen Web credentials: documents →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Why Dumping Sensitive Data on Network Shares is a Liability
  • A militarily degraded Iran may turn to asymmetrical warfare – raising risk of proxy and cyber attacks
  • Pro-Russian hackers disrupt Dutch government websites ahead of NATO summit
  • Iran-Linked Threat Actors Leak Visitors and Athletes’ Data from Saudi Games
  • UK: Oxford City Council still investigating cyberattack from earlier this month
  • Steelmaker Nucor Says Hackers Stole Data in Recent Attack
  • People’s Republic of China cyber threat activity: Cyber Threat Bulletin
  • Ukrainian Web3 security auditing company Hacken suffered an attack that allowed a hacker to create 900 million HAI tokens
  • McLaren provides written notice to 743,131 patients after ransomware attack in July 2024 (2)
  • A state forensics lab was leaking its files. Getting it locked down involved a number of people.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.