HUD OCIO should develop system policies and procedures for dynamic access controls that include just-in-time and just-enough access tailored to individual actions and individual resource needs.
Publication Report
2023-OE-0007 | December 12, 2024
U.S. Department of Housing and Urban Development Personally Identifiable Information Risk Management in a Zero Trust Environment (2023-OE-0007) Evaluation Report
The OIG evaluated the U.S. Department of Housing and Urban Development’s (HUD) progress in applying zero trust security principles to protect personally identifiable information (PII). HUD maintained a significant number of records that contain PII…
Related Recommendations
Chief Information Officer
- 2023-OE-0007-01
HUD OCIO should identify needs to address Federal requirements by performing a gap analysis on its zero trust architecture strategic plan.
- 2023-OE-0007-02
HUD OCIO should establish a zero trust architecture implementation plan that includes milestones and resources to address all zero trust pillars.
- 2023-OE-0007-06
HUD OCIO should capture risks that are associated with zero trust architecture implementation and document these risks in its risk register.
Policy Development & Research
- 2023-OE-0007-03
The CDO should coordinate with HUD’s Records Office, Privacy Office, and program offices to develop data policies and procedures for data inventory, categorization, and labeling in support of zero trust architecture.
Office of Administration
- 2023-OE-0007-05
HUD’s Privacy Office should require program offices to periodically review systems in all environments (testing, development, production) for unnecessary disclosure of personally identifiable information (PII).