Board Report: 2013-IT-B-019 November 14, 2013
Our specific audit objectives, based on the requirements the Federal Information Security Management Act of 2002 (FISMA),1 were to evaluate the effectiveness of security controls and techniques for select information systems of the Board of Governors of the Federal Reserve System (Board) and to evaluate the Board's compliance with FISMA and related information security policies, procedures, standards, and guidelines. Our scope and methodology are detailed in appendix A.
FISMA provides a framework for ensuring the effectiveness of information security controls over federal operations and assets and a mechanism for the oversight of federal information security programs. FISMA requires agencies to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided by another agency, a contractor, or other source.
Agency information security programs must provide for, among other things, periodic risk assessments, policies and procedures based on the risk assessments, periodic testing and evaluation of the effectiveness of policies and procedures, security planning, security awareness training, and continuity of operations. FISMA also requires each agency Inspector General (IG) to perform an annual independent evaluation of the information security program and practices of its respective agency to determine the effectiveness of such program and practices.
As part of an agency's annual FISMA reporting, the Office of Management and Budget (OMB) requests that both the Chief Information Officer (CIO) and the IG perform analysis and report on certain information security program components. As discussed in OMB Memorandum 10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS), DHS is exercising primary responsibility within the executive branch for the operational aspects of federal agency cybersecurity with respect to FISMA.
We also review security controls implemented for the Board's information systems on an ongoing basis. During the past year, we completed security control reviews for three Board systems:
Our reviews of information security controls for these systems identified areas in which controls need to be strengthened. Given the sensitivity of the issues involved with these reviews, the specific results were provided to management in separate restricted reports that are summarized on our publicly available website. During this year's FISMA review, we started security control reviews of the Board's travel system and a major system used by the statistics function at the Federal Reserve Banks and the Board to collect and edit over 75 periodic statistical reports from financial institutions. In addition, we started audits of the Board's contingency planning and continuity of operations, data center relocation, and IT services.
