While the State Department Office of Technology Services’ (OTS) information system processes were compliant with many Department of State and Federal standards, there were some significant areas that require management attention, according to a new report from the Office of Inspector General (OIG).
In an audit released this month, the OIG found four of OTS’ six information systems had expired authorizations to operate. OTS is tasked with developing and maintaining the information systems that support human resources and business processes across the State Department and its component agencies. Therefore, the magnitude, sensitivity, and complexity of the information in systems managed by OTS require regulations relevant to operating and protecting human resources systems.
Along with the expired authorizations to operate, the OIG identified additional problem areas, including OTS staff made changes to one of the information systems without the required notification, OTS systems development lifecycle process lacked documented management approvals and a central location for project documentation storage, the office did not perform ongoing security controls assessments contrary to department standards, the office had designated third-party contractors to key positions risking inherently governmental functions being performed by contractors, and OTS contracts lacked designated contracting officer’s representatives.
OIG made ten recommendations to OTS. Such as completing assessments and authorization processes for information systems with expired authorizations to operate, regularly reviewing and updating iMatrix to reflect the status of information systems accurately, and documenting management approvals for all OTS information systems throughout the systems. According to the report, OTS agreed with all ten recommendations and have labeled them as resolved.