Recommendations

This page contains information about recommendations that remain open because the OIG determined that the Department had not fully implemented corrective actions. The OIG reports the funds put to better use, questioned costs, restitution, funds returned to the Department, and penalties and court costs associated with all recommendations in its Semiannual Reports to Congress.

Open Recommendations

  • Recommendation #17D

    Disable unencrypted services and replace them with alternate services that are configured to use strong encryption. Establish a configuration monitoring process to prevent future use of unencrypted services and services using weak encryption settings.


  • Recommendation #2A

    Implement system access authorization processes for Splunk administrators to include separation of duties controls. When separation of duties cannot be achieved for conflicting roles, assess the risk and document the control deviation and risk-based decisions.


  • Recommendation #3A

    Ensure that audit log collection and retention is implemented in accordance with Federal and site-level policies and procedures.


  • Recommendation #4A

    Ensure account passwords are reset, and documentation retained, whenever an individual with access to service accounts leaves BEA or is no longer in a role requiring such access.


  • Recommendation #8A

    Ensure application security controls are implemented in the MIS portal to protect against known types of attacks, including cross-site scripting and unauthorized actions.


  • Recommendation #8B

    Update existing web application security risk assessment and testing processes for the MIS portal and remediate known web application vulnerabilities.


  • Recommendation #9A

    Update the vulnerability remediation process, including monitoring corrective actions for vulnerabilities identified during the scanning process and monitoring patching tools to ensure patches are applied as intended.


  • Recommendation #9B

    Enhance operational vulnerability management procedures to include regular credentialed scanning and centralized software management to ensure vulnerabilities are appropriately monitored and patches are applied as intended.


  • Recommendation #1

    Conduct an analysis or risk assessment that evaluates ransomware threats and the cost to fully recover from a ransomware event, including considerations in the Department’s guidance on Analyzing Ransomware Risk: A Blueprint for Quantification.


  • Recommendation #2

    Develop and implement a process to perform continuous monitoring activities to fully evaluate third-party providers’ information technology environments for security changes or threats.