The audit report, released April 25, said HHS failed to meet the “managed and measurable” maturity level for four function areas: identify, protect, detect and recover. The report noted particular weaknesses surrounding risk management and contingency planning.
Here are four recommendations the OIG provided in its report:
- HHS should continue implementing automated copy data software to achieve a centralized view of risks across the department.
- HHS’ information security continuous monitoring (ISCM) strategy should be updated to include more specific objectives, including target dates for ISCM deployment across all HHS operating divisions.
- HHS should conduct an enterprise risk assessment over known control weaknesses and document appropriate responses.
- HHS should develop a process to monitor information system contingency plans so that they are maintained and integrated with the other continuity requirements that apply to those information systems.