U.S. Department of State Fiscal Year 2019 Agency Financial Report

abandon ineffective efforts that do not advance goals and objectives. Entities responsible for foreign assistance funds should focus on strategic planning that ensures programs are designed and resources are allocated to meet foreign policy goals. Additionally, a special evaluation of the Antiterrorism Assistance Explosive Detection Canine Program highlighted issues with an overall lack of policies and standards governing this program. The Department routinely provides dogs to foreign partners without signed written agreements that outline standards for minimum care, retirement, and use of the canines, and the Department conducts health and welfare follow-ups infrequently and inconsistently. Specifically, OIG received reports of health and welfare concerns experienced by specific dogs in Jordan since an April 2016 site visit and report. One of the canines provided by DS/ATA died while working in Jordan in July 2017, and two others were returned to the U.S. in critically ill condition. One of those dogs was euthanized in March 2018, and the other had to be nourished back to health in April 2018 because it was severely underweight. 29

3 Information Security and Management

The Department depends on information systems to function, and the security of these systems is vital to protecting national and economic security, public safety, and the flow of commerce. The Department acknowledges that its information systems and networks are subject to serious threats that can exploit and compromise sensitive information, and it has taken some steps to address these concerns. However, notwithstanding the expenditure of substantial resources by the Department, OIG continues to identify significant issues that put its information at risk.

Although the Department has taken steps to improve its information security program, as in prior years, OIG’s annual assessment of the Department’s information security program identified numerous control weaknesses that affected program effectiveness and increased the Department’s vulnerability to cyberattacks and threats. 30

The lack of a fully implemented risk management strategy and dispersed authority contribute to many of OIG’s concerns regarding IT security and management at the Department. As OIG has reported in previous years, the Chief Information Officer (CIO) is not well placed in the organization to be fully accountable for information security program issues. For example, DS, which also has information security responsibilities, does not report to the CIO. Additionally, OIG has identified concerns with the CIO’s ability to track and control IT investments, which affects the Department’s ability to obtain a clear picture of total IT spending. The Department took some steps to strengthen the delegation of authority to the CIO, and we continue to assess whether the Department’s IT security program has noticeably improved as a result.

Lapses in the performance of duties by Information Systems Security Officers (ISSOs) 31 persisted in FY 2019. We first identified pervasive concerns in this area in 2017, 32 but our overseas inspections work continued to find numerous posts where unclassified and classified ISSOs did not perform all information systems security duties as required. 33 As a result, OIG found information security issues that could have been prevented with regular performance of these mandated duties. Moreover, without a systematic approach to monitoring networks and recording findings, Department networks could be breached, and information security compromised.

29 OIG, Evaluation of the Antiterrorism Assistance Explosive Detection Canine Program—Health and Welfare (ESP-19-06, September 2019).
30 OIG, Audit of the Department of State Information Security Program (AUD-IT-19-08, October 2018).
31 ISSOs are responsible for implementing the Department’s information systems security program and for working closely with system managers to ensure compliance with information systems security standards.
32 OIG, Management Assistance Report: Non-Performance of Information Systems Security Officer Duties by Overseas Personnel (ISP-17-24, May 2017).
33 ISP-I-19-20, July 2019; ISP-I-19-18, June 2019; OIG, Inspection of the Office of Foreign Missions (ISP-I-19-21, May 2019); ISP-I-19-14, April 2019; ISP-I-19-15, March 2019; OIG, Inspection of Embassy Majuro, Republic of the Marshall Islands (ISP-I-19-07, February 2019); ISP-I-19-06, February 2019; OIG, Inspection of Embassy Kolonia, Federated States of Micronesia (ISP-I-19-05, February 2019); ISP-I-19-04, November 2018; OIG, Inspection of Embassy Dakar, Senegal (ISP-I-19-03, November 2018); ISP-I-19-08, October 2018.

2019 Agency Financial Report | United States Department of State | 117
INSPECTOR GENERAL’S STATEMENT ON THE DEPARTMENT’S MAJOR MANAGEMENT AND PERFORMANCE CHALLENGES | OTHER INFORMATION
