U.S. Department of State Fiscal Year 2019 Agency Financial Report

8 ULOs. However, without an effective process to accurately monitor child funds, there is a risk of errors in the Department’s future consolidated financial statements.

VI. Information Technology

The Department’s information systems and electronic data depend on the confidentiality, integrity, and availability of the Department’s comprehensive and interconnected IT infrastructure using various technologies around the globe. Therefore, it is critical that the Department manage information security risks effectively throughout the organization.

The Department uses several financial management systems to compile information for financial reporting purposes. The Department’s general support system, a component of its information security program, is the gateway for all the Department’s systems, including its financial management systems. Generally, control deficiencies noted in the information security program are inherited by the systems that reside in it.

In accordance with the Federal Information Security Modernization Act of 2014 (FISMA),⁹ the Office of Inspector General (OIG) is responsible for the audit of the Department’s information security program. In the FY 2019 FISMA report,¹⁰ OIG reported security weaknesses that significantly impacted the Department’s information security program. Specifically, OIG reported weaknesses in all eight FY 2019 Inspector General FISMA metric domains: risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring, incident response, and contingency planning. OIG reported:

The deficiencies identified within the information security program occurred for several reasons. For example, the Department has not completed the development and implementation of an information security risk management strategy and filled allocated resource positions to support the implementation of a Department-wide information security risk management strategy. Furthermore, the Department has not fully maintained a complete and accurate organization-wide information system inventory.

Without an effective information security program, the Department remains vulnerable to IT-centered attacks and threats to its critical mission-related functions. Information security program weaknesses can affect the integrity of financial applications, which increases the risk that sensitive financial information could be accessed by unauthorized individuals or that financial transactions could be altered, either accidentally or intentionally. Information security program weaknesses increase the risk that the Department will be unable to report financial data accurately.

⁹ Federal Information Security Modernization Act of 2014, Public L. No. 113-283, 128 STAT. 3079-3080 (December 18, 2014).
¹⁰ OIG, Audit of the Department of State Information Security Program (AUD-IT-20-04, October 2019).

56 | United States Department of State 2019 Agency Financial Report
FINANCIAL SECTION | INDEPENDENT AUDITOR’S REPORT
