Reports
Railroad Retirement Board Did Not Implement Sufficient Internal Controls in the Mobile Phones Deployed as a Result of the Pandemic
The Bureau of Information Services should update their mobile phone policies to include and implement a National Archives and Records Administration-approved records schedule and transfer procedures for electronic records associated with mobile phones.
The Bureau of Information Services should develop and implement a records management and retention system for electronic records.
The Bureau of Information Services should research the capabilities of Railroad Retirement Board's Microsoft Azure Cloud's functionality to determine feasibility of incorporating the automated records management and retention capabilities to govern the mobile phones electronic records.
The Bureau of Information Services should submit a yearly affidavit to confirm electronic records associated with mobile phones have been identified and retained until the full transition into Microsoft Azure Cloud.
The Railroad Retirement Board's Director of Administration should define and communicate 'personal usage' establishing Railroad Retirement Board's core hours of 5:00 am to 7:00 pm. Any usage outside of core hours would be considered personal usage excluding business management purposes.
The Railroad Retirement Board's Bureau of Information Services should 1) continue efforts to update the Telecommuting and Mobile Security Computing Policy with current laws and regulations and 2) develop a periodic monitoring control to assess personal usage and address it according to agency guidance.
The Bureau of Information Services should incorporate the mobile phones in an existing assessable unit and update their mobile phone policies to include documentation regarding the specific roles and responsibilities of each office overseeing the mobile phone program.
The Bureau of Information Services should enforce and execute a review and approval process for application and software download and restrict access to specified applications found in their Railroad Retirement Board G-6 Rules of Behavior.
The Bureau of Information Services should implement procedures to periodically track, log, and monitor iPhone usage and the completion of the G-6 Acknowledgement Statement.
The Bureau of Information Services should periodically review the mobile phone inventory for completeness and accuracy to include a comparison with Railroad Retirement Board's personnel position index.
The Bureau of Information Services should implement the use of unique identifiers between disparate data sets (e.g., mobile phone inventory, personnel position index) to facilitate comparisons and reconcile inconsistent information.