Board Report: January 1, 2008
We completed a security control review of a bundle of subsystems referred to as the EGov Systems as part of our information security-related requirements under the Federal Information Security Management Act (FISMA). Our objective, was to evaluate the adequacy of control techniques in place for protecting the EGov Systems from unauthorized access, modification, destruction, or disclosure. To accomplish this objective, we developed a control assessment tool based on the security controls defined in the National Institute of Standards and Technology Special Publication 800-53 Rev. 1 (SP 800-53).
Our review showed that controls within the EGov Systems were generally well-designed and well-implemented, and that controls in thirteen of the seventeen control families generally meet the control objectives. However, we found that information security controls need to be strengthened in four of the seventeen control families. Our restricted report to management contained eight recommendations to improve controls. We will follow-up on the implementation of the recommendations as part of our future audit activities related to the Board's continuing implementation of FISMA.
