Audit Reports

Develop an enterprise architecture that includes information security considerations and the resulting risk to the Agency, as well as incorporates STB’s existing cyber security architecture.

Identify and define all software programs that are not authorized to execute on STB information systems.

Establish and implement procedure to manage hardware asset inventory connected to STB’s network.

Review all open Plan Of Actions & Milestones and assign scheduled completion dates which account for the required resources and corrective actions, including milestones, to manage and mitigate the identified risk.

Develop a Supply Chain Risk Management strategy and supporting policies and procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply chain risk management requirements.

Develop a process to make improvements to its baseline configuration, secure configuration, and flaw remediation policies and procedures through the use of lessons learned.

Implement documented processes for configuration management changes as required by STB policies and procedures.

Evaluate deviations from Center for Internet Security benchmarks and determine if the associated configurations should align with best practices or if deviations should be risk accepted.

Update vulnerability management procedures to support implementation of STB’s Vulnerability Disclosure Policy.

Update the Access Recertification Process document to align with STB’s existing practices to ensure users complete all required training and onboarding forms.

Develop and implement a written policy or procedure to establish an internal control mechanism to identify all major transportation projects on the Federal Infrastructure Permitting Dashboard that should be tracked in the environmental performance measure and document reasons why projects are or are not determined to be major transportation projects.

Develop a process to make improvements to the effectiveness of its Identity, Credential, and Access Management policy, strategy, and road map.

Define procedures to review and remove unnecessary PII collection on an organization defined frequency.

Perform the review of Privacy Threshold Analysis for STB General Support System, At Hoc, and Dynamic Case Management system on an annual basis.

Implement data protection policies and procedures for Data at Rest, prevention and detection of untrusted removable media, and destruction or reuse of media containing PII or other sensitive agency data.

Address the knowledge, skills, and abilities gaps identified during the FY 2020 skill gap assessment through training or talent acquisition.

Complete the transition from traditional three (3) year authorizations to ongoing authorizations for STB-LAN.

Implement documented processes for collecting and reporting performance metrics at the organization and system level to assess the effectiveness of Information Security Continuous Monitoring program.

Develop a process to make improvements to the effectiveness of its ISCM program through the collection and reporting of quantitative and qualitative performance metrics, and lessons learned.

Define the performance metrics for measuring the incident response capability.

Update STB Incident Response Plan to include requirements for the technologies utilized to support Incident Response processes.

Define the frequency for the performance of Post Incident activities.

Update STB Incident Response plan containment strategies to reflect the current agencies risk prioritization processes.

Implement documented processes for Incident Response resolutions of tickets in consistent manner, as required by STB policies and procedures.

Define the frequency for the performance of system level Business Impact Analyses (BIA).

Review the organization wide BIA on an annual basis.

Conduct a tabletop exercise of the General Support System’s information system contingency plan (ISCP) on an annual basis.