Skip to Navigation
Skip to Main content
OIG Home
OIG Home


Skip SHARE THIS PAGE section Skip STAY CONNECTED section

Board Report: 2013-IT-B-019 November 14, 2013

2013 Audit of the Board's Information Security Program

available formats

Appendix A: Scope and Methodology

To accomplish our audit objectives, we reviewed the effectiveness of the Board's information security program across eleven areas outlined in DHS's 2013 FISMA reporting guidance for IGs. These areas include continuous monitoring, configuration management, identity and access management, incident response and reporting, risk management, security training, plan of action and milestones, remote access management, contingency planning, contractor systems, and security capital planning. To assess the Board's information security program in these areas, we interviewed Board management and staff; analyzed security policies, procedures, and documentation; and observed and tested specific security processes and controls.

In addition to FISMA requirements, we performed follow-up reviews of open audit recommendations from prior OIG information security-related audits and application control reviews to help us evaluate the Board's compliance with FISMA and related information security policies and procedures and report to the DHS and OMB.

We conducted our fieldwork from April 2013 to September 2013. We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.