The HHS Office of Inspector General released an audit earlier this month of HHS' compliance with the Federal Information Security Modernization Act of 2014 for fiscal year 2017.
The Federal Information Security Modernization Act requires inspectors general to perform annual independent audits of the information security programs and practices in their respective agencies. The OIG tapped Ernst & Young to conduct the audit.
Here are four notes on the report's findings.
1. The OIG said HHS has made improvements and strengthened its information security program by updating its policies and procedures. For example, HHS is working toward implementing a continuous diagnostics and mitigation program to monitor personnel activity and networks.
2. The OIG identified information security program weaknesses in areas related to risk management, configuration management, identity and access management, security training, information security continuous monitoring, incident response and contingency planning.
3. The OIG noted HHS must ensure all operating divisions regularly review and address vulnerabilities, implement account management procedures, and track systems to ensure they perform functions with valid authorities to operate.
4. HHS agreed with the OIG's recommendations and submitted information on actions the agency has taken to address them, according to the report.