Independent Evaluation of the U.S. Equal Employment Opportunity Commission's information security program for the fiscal year (FY) ended September 30, . The period covered by this independent evaluation is October 1, through September 30, . These standards require that we plan and perform the evaluation to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our evaluation objectives.
We believe that the evidence we obtained provides a reasonable basis for our findings and conclusions based on the evaluation objectives. FISMA requires agencies to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
This report contains nineteen (19) FISMA findings with nineteen (19) recommendations concerning issues such as those discussed below. EEOC is responsible for enforcing federal laws that make it illegal to discriminate against a job applicant or an employee because of the person's race, color, religion, sex (including pregnancy), national origin, age (40 or older), disability or genetic information.
It is also illegal to discriminate against a person because the person complained about discrimination, filed a charge of discrimination, or participated in an employment discrimination investigation or lawsuit. President and confirmed by the U.S. Senate. Commissioners are appointed for five-year staggered terms; the General Counsel's term is for four years.
The President designates a Chair and a Vice Chair. OIT promotes the application and use of information technologies and administers policies and procedures within EEOC to ensure compliance with related federal laws and regulations, to include information security.
OIT is responsible for designing the enterprise information architecture; determining the requirements of EEOC's information systems; and developing the integrated systems for nationwide use. The objective of this independent evaluation is to conduct a review of EEOC's information security program and practices. The objective involved reviewing the effectiveness of the agency's oversight of the information security program and evaluation of the following information systems.
DDI, the premier provider of managed security risk assessment solutions, to conduct an internal vulnerability assessment and penetration testing to determine the exploitability of identified vulnerabilities. The results of our independent evaluation identified areas in need of improvement to the EEOC information system security program. These nineteen (19) findings and recommendations are discussed below. Tier 1 addresses risk from an organizational perspective with the development of a comprehensive governance structure and organization-wide risk management strategy.
Tier 2 addresses risk from a mission and business process perspective closely associated with enterprise architecture and core missions and business processes for the organization. Tier 3 addresses risk from an information system perspective and is guided by the risk decisions at Tiers 1 and 2. EEOC's approach to meet the standard was to compile their system level risk assessments into a single report. Compiling the system level assessment reports only meets the Tier 3 requirement.
In addition, the assessment lacked an organizational risk governance structure that covers field offices. The lack of an organization-wide risk assessment program leaves the organization unable to identify, measure, and prioritize risk in order to take appropriate action to minimize losses. EEOC cannot address risk from an organizational perspective without the development of a comprehensive governance structure and organization-wide risk management strategy as described in NIST SP , Rev.
We recommend EEOC develop, document, and implement organizational level and mission-business process level risk assessment strategies that include a clear expression of the risk tolerance for the organization, including field offices; acceptable risk assessment methodologies; risk mitigation strategies; the organization's defined metrics for acceptable risk tolerance; and approaches for monitoring risk. Management's response is appropriate to address the finding and recommendation.
Effective implementation of the recommendation will resolve the reported condition. In addition, the EEOC network configuration diagrams for field offices were not included in the report at all.
Updates to the risk assessment reports help to ensure that the information system owners, common control providers, and authorizing officials maintain the appropriate awareness with regard to security control effectiveness. The overall effectiveness of security controls directly affects the ultimate security state of the information system and decisions regarding explicit acceptance of risk.
EEOC has not updated its information security system level risk assessment reports. Therefore, the reports do not reflect the near real-time risk conditions of its information systems. Without updated system level risk assessment reports, the organization loses the ability to manage risk and take appropriate action to minimize losses. For example, a loss of reputation and public image could increase legal liability and add cost for unforeseen circumstances.
We recommend that EEOC OIT update its system level management report to ensure that risk for these systems is adequately assessed, evaluated, mitigated, accepted, and monitored. Knowing the real-time risk of these systems will help to reduce uncertainties, which in turn would improve the rate of success for carrying out the business mission of the organization. A mobile device security policy should define which types of the organization's resources may be accessed via mobile devices, which types of mobile devices are permitted to access the organization's resources, the degree of access that various classes of mobile devices may have (for example, organization-issued devices versus personally owned, bring-your-own-device devices), and how provisioning should be handled.
It should also cover how the organization's centralized mobile device management servers are administered, how policies in those servers are updated, and all other requirements for mobile device management technologies. The mobile device security policy should be documented in the system security plan. To the extent feasible and appropriate, the mobile device security policy should be consistent with and complement security policy for non-mobile systems.
The lack of a comprehensive mobile device security policy and procedures increases the risk of unauthorized remote access to EEOC information and information systems. Mobile devices are at a higher risk of threat than other client devices.
They are more likely to be lost or stolen, increasing the risk of data being compromised. Effective implementation of the recommendation will resolve the reported condition and address OIT's responsibility for operation, maintenance, and disposal of mobile devices. Visitors to the EEOC official website are not informed of the demarcation of privacy policies between the agency and third-party websites. EEOC has placed external links to third-party websites that do not display "pop-up" alert warnings that visitors are leaving EEOC's official website and stating that the agency's privacy policies are not inherited.
On September 23, , two law firms shared a "like posting" that automatically posted their company's links onto the EEOC's Official social media website. If an agency posts a link that leads to a third-party website or any other location that is not part of an official government domain, the agency should provide an alert to the visitor, such as a statement adjacent to the link or a "pop-up," explaining that visitors are being directed to a non-government website that can have different privacy policies from those of the agency's official website.
There was a technical coding error on the homepage of the EEOC official website that prevented the pop-up alert from appearing for social media links. The agency branded all social media websites except one. Improperly designed websites that do not protect visitors' privacy could unknowingly provide personal privacy information to third parties. At the same time, EEOC should comply with the requirements in this Memorandum to ensure that privacy is fully protected.
The one area remaining is the action item section referencing the EEOC linking to third-party websites such as Twitter and Facebook. The EEOC has the proper notifications in place on our website. However, we are not aware of any way to comply in the case of links posted on our social media accounts. Third-party social media platforms don't give users the ability to provide pop-up notifications, and limits on the size of postings often make adding a statement adjacent to the link impractical.
This restriction also applies to the Twitter feed posted to the front of eeoc. Additionally, it is not possible to prevent users from posting links to third-party sites on our social media accounts.
We do however address the issue of posting of inappropriate links and endorsements in the comments policy statement. Finally, we have reached out through the Federal Web Content Manager's Forum to learn of best practices in this area and will continue to do so to determine an adequate solution. Management's response is appropriate to address the finding and recommendation for providing an alert to the visitor, such as a statement adjacent to the link or a "pop-up," explaining that visitors are being directed to a non-government website that can have different privacy policies from those of the agency's official website.
Management's response to seek best practices to reduce the security risk associated with visitors' links posted on EEOC's social media accounts is appropriate. We recommend that management monitor the posting of links to the EEOC social media accounts to ensure the links do not violate the agency's security policies and procedures.
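The finding above turns on one decision: does a given hyperlink take the visitor off the official government domain? The following is an added example, not code from the report or from EEOC's website, showing that decision as a single function applied uniformly to every anchor on a page, so that social media icons are handled the same way as any other external link rather than by a separate code path that can be left out. It assumes eeoc.gov is the agency's official domain and that anything not under it is third party; the sample hrefs at the bottom are constructed.

```javascript
// Added example: decide which hyperlinks leave the agency's official domain and
// therefore need an exit notice (pop-up or adjacent statement).
// Assumption (not from the report): the official domain is eeoc.gov.

const OFFICIAL_DOMAINS = ['eeoc.gov'];
const DEFAULT_BASE = 'https://www.eeoc.gov/';

// Exact match or dotted-suffix match, so "www.eeoc.gov" and "publicportal.eeoc.gov"
// are official while "eeoc.gov.example.net" is not.
function isOfficialHost(hostname, officialDomains = OFFICIAL_DOMAINS) {
  const h = hostname.toLowerCase();
  return officialDomains.some(d => h === d || h.endsWith('.' + d));
}

// True when following href navigates the visitor to a non-official site.
// Relative links resolve against the page's own origin; non-navigational schemes
// (mailto:, tel:) and unparsable hrefs have no web host and need no notice.
function needsExitNotice(href, base = DEFAULT_BASE, officialDomains = OFFICIAL_DOMAINS) {
  let url;
  try {
    url = new URL(href, base);
  } catch (e) {
    return false;
  }
  if (!/^https?:$/.test(url.protocol) || url.hostname === '') return false;
  return !isOfficialHost(url.hostname, officialDomains);
}

// Audit a list of hrefs (e.g. gathered from a page) and return those needing a notice.
function auditLinks(hrefs, base = DEFAULT_BASE) {
  return hrefs.filter(h => needsExitNotice(h, base));
}

// Browser side: attach a confirmation to every qualifying anchor, whatever its
// purpose, so no class of link (such as social media icons) can be skipped.
function installExitNotices(doc, base = DEFAULT_BASE) {
  let count = 0;
  for (const a of doc.querySelectorAll('a[href]')) {
    if (!needsExitNotice(a.getAttribute('href'), base)) continue;
    count++;
    a.addEventListener('click', ev => {
      const msg = 'You are leaving the official website. The site you are going to ' +
        'is not operated by the agency and may have different privacy policies. Continue?';
      if (!doc.defaultView.confirm(msg)) ev.preventDefault();
    });
  }
  return count;
}

// Constructed sample hrefs covering the cases the finding raises.
const SAMPLE_HREFS = [
  '/laws/statutes/index.cfm',
  'https://www.eeoc.gov/newsroom',
  'https://twitter.com/agencyaccount',
  'https://www.facebook.com/agencyaccount',
  'mailto:info@eeoc.gov',
  'https://eeoc.gov.example.net/lookalike',
];

if (typeof document !== 'undefined') {
  installExitNotices(document);
} else {
  console.log('links needing an exit notice:', auditLinks(SAMPLE_HREFS));
}
```

The suffix check deliberately requires a leading dot, so a host that merely begins with the official domain name is treated as external; `auditLinks` can be run over the hrefs of a published page as a regression check that no external link lacks the notice.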
In addition, the VPN configuration contains default settings that are not recommended by the vendor. For example, the VPN Concentrator Series Manager's general configuration parameters set the minimum password length to five characters, and alphabetic-only passwords are permitted by default, which the vendor does not recommend.
Attackers attempt to determine weak passwords and to recover passwords using two types of techniques: guessing and cracking. Many information system components are shipped with factory default authentication credentials to allow for initial installation and configuration.
Default authentication credentials are often well known, and easily discoverable. Therefore, they present a significant security risk and should be changed upon installation.
The limiting factor is lack of funds to acquire this VPN solution, or to substantially upgrade our enterprise authentication architecture such as implementation of two-factor authentication. In response to this finding, OIT will redouble its efforts to notify VPN users of the password requirements through specific modules of its annual Security Awareness Training, targeted security tips, and VPN application and operation instructions. EEOC accepts these policy and training actions as compensating controls.
Effective implementation of the recommendation will help to ensure VPN configurations meet the agency's policy requirements and NIST authenticator management controls. Protection of digital backup media during transport or while waiting to be transported outside of controlled areas of the agency was not clearly defined.
The EEOC System Backup Procedure states that digital backup is performed by writing the data to a removable drive and then sending the removable drive offsite to a third-party vendor storage area without encryption. The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
EEOC catalogs backup media when it leaves the agency and is sent offsite to a third-party vendor's storage area. EEOC backup and offsite storage policy and procedures do not address how digital data is protected and controlled when it is transported or waiting to be transported to a third-party's secured area. In addition, the agency has not chosen cryptographic mechanisms to protect the confidentiality and integrity of digital backup data stored offsite.
Transporting digital data that is not encrypted reduces the agency's ability to ensure that only authorized individuals are able to access the media. Failing to implement cryptographic mechanisms on digital backup media will compromise the confidentiality, integrity, and availability of agency data. Incorporate encryption mechanisms into the agency backup media system to provide confidentiality and integrity protections for media while in transit and in storage.
EEOC currently has a contract with Iron Mountain for the secure transportation and storage of backup media tapes offsite at Iron Mountain facilities. While the backup media awaits pickup, it is secured in a controlled server room, accessible only by authorized personnel.
It is then hand-transferred by EEOC staff to official Iron Mountain staff, not third-party delivery personnel, using sealed, steel, locked boxes. Individual media are bar-coded and logged, and the bar-code is scanned by the Iron Mountain staff during both acceptance and return.
The media is additionally validated against the media cycling schedule for returned media. The media that is transported via this method is limited to HQ Network server backups, so no sensitive PII is included on the data backups. EEOC has accepted the risk of the method, which has been developed as a compensating control due to the unreliability of restoring from encrypted media using OIT devices, especially when attempting to restore on different equipment; minor bit errors, otherwise easily corrected or of minor impact, tend to make the entire encrypted backup unusable.
An unusable backup in a disaster recovery situation, due to decryption issues, is an unacceptable risk. We recommend that management document the acceptance of this risk, and reassess the risk at least annually.
For Fiscal Year 2014