Within the State Department, Information Systems Security Officers (ISSOs) in overseas posts have an unclear reporting system, a lack of management oversight, and not enough dedicated staff time, leading to deficiencies in ISSO performance, according to a report released Dec. 15 by the State Department’s Office of the Inspector General (OIG).
Reviewing inspection reports covering ISSO performance from October 2016 to September 2019, OIG found deficiencies in 49 percent of the reports reviewed, an increase over previous years. Common deficiencies included a lack of random reviews of user accounts, failure to ensure that systems are configured in accordance with standards, failure to review system audit logs, and failure to remediate identified vulnerabilities.
“With cybersecurity listed as one of the Department’s objectives in its Information Technology Strategic Plan for Fiscal Years 2019 – 2022, the Department has a responsibility to ensure that ISSOs are performing their duties,” OIG states.
The report digs into the reasons why, finding that while the State Department’s Information Resource Management (IRM) bureau sets ISSO requirements, the reporting chain of command runs only to embassy information management (IM) officials. Most ISSOs are not assigned to the position full-time and must choose which IT work to prioritize, which makes the reporting chain an important factor.
“More than 70 percent of overseas ISSOs who responded to OIG’s survey stated they are not required to report their work to embassy management and IRM, and, accordingly, they allocated their time to and prioritized the completion of other IM-related tasks over ISSO duties,” the report notes.
OIG recommended that the State Department conduct an organizational assessment with an eye toward creating full-time ISSO positions, a recommendation with which State concurred.
The reporting chain of command also lacked the needed oversight from embassy management, an issue commonly cited in the deficiency findings. While bureau chiefs must complete a statement of assurance, the statement does not include specific questions about ISSO performance; OIG recommended adding such questions.
“Without embassy management oversight of ISSO duties, the lack of performance of required information management and security responsibilities by overseas ISSOs will continue to negatively affect the Department’s cybersecurity,” the report states.