Pension Benefit Guaranty Corporation’s Information Security Program and Practices for Fiscal Year 2024

Report Information

Date Issued:
Report Number: AUD-2025-02
Report Type: Audit
Joint Report: No
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

PBGC should strengthen its controls around verifying the identity of PBGC personnel prior to temporarily disabling their requirement for MFA for remote access should a user purportedly have a malfunctioning PIV card or other MFA token.

PBGC should implement an effective specialized security training program that includes steps to identify and prevent phone-based social engineering for all employees.

PBGC should establish a comprehensive system for monitoring, analyzing, and reporting on quantitative performance measures to evaluate the effectiveness of its Data Breach Response policies and procedures.

PBGC should establish robust network segmentation and configure firewalls with default rules to ensure the guest wireless network is effectively isolated from internal resources.

PBGC should manage Active Directory certificate template settings effectively by hardening and auditing existing templates in the environment. Privileges should also be assessed for all templates to prevent unauthorized changes to the configuration settings.