Concerns over the National Science Foundation’s (NSF’s) inappropriate electronics use and information security program shortfalls were two of several highlighted in NSF’s Office of Inspector General’s (OIG’s) semiannual report to Congress that was publicly released today.
Among the cases highlighted in the report was an audit that found NSF could improve its controls for detecting, managing, and remedying inappropriate use of its electronic devices.
More specifically, NSF didn’t have consistent methods for ensuring mobile phones and tablets were properly enrolled in mobile device management software; preventing users from installing inappropriate mobile applications; ensuring an ongoing business need exists for mobile devices; and reviewing reports identifying excessive attempts to access inappropriate websites.
“As a result, NSF may be missing opportunities to prevent and remedy inappropriate use of its [IT] resources. Additionally, NSF may be paying for mobile communication devices that are no longer needed or services beyond the business needs of its users,” OIG said.
OIG made several recommendations on this front, all of which the agency agreed with. They were that NSF:
- Provide guidance concerning applications needed to conduct agency business;
- Develop a policy for the agency’s quarterly application review process;
- Implement a way to ensure all NSF-owned devices are enrolled in a mobile device management service;
- Develop a rule to ensure the full completion of an annual mobile device recertification process;
- Educate users annually on acceptable mobile device use and the consequences of inappropriate or personal use; and
- Establish and implement procedures to periodically obtain web filter reports.
OIG also raised concerns over NSF’s information systems and IT security. The report cited a fiscal year 2018 Federal Information Security Modernization Act (FISMA) audit that flagged concerns with two areas in NSF’s IT – “Identity and Access Management” and “Data Protection and Privacy.”
The FISMA audit yielded five recommendations for NSF to address in its IT security program, which OIG said NSF is working on. OIG also stressed the importance of securing NSF’s information systems, which are critical to its everyday operations.
“NSF depends on computerized information systems to process, maintain, and report essential information. Reliability of computerized data and systems is essential, and protecting information systems continues to be a challenge for NSF,” OIG said.