Board Report: 2013-IT-B-019 November 14, 2013
Overall, we found that the Board's CIO is maintaining a FISMA-compliant approach to the Board's information security program that is generally consistent with requirements established by the National Institute of Standards and Technology (NIST) and OMB. The Information Security Officer (ISO) continues to issue policies and procedures that include attributes identified within the DHS reporting metrics. In analyzing the status of the Board's information security program in the 11 DHS reporting metrics for 2013, we found that the Board has effective programs in place that are consistent with FISMA requirements and that include attributes identified by DHS for plan of action and milestones, remote access management, identity and access management, contingency planning, configuration management, and security capital planning. We also found that the Board has programs in place that include attributes identified within the DHS reporting metrics for incident response and reporting, security training, and contractor systems; however, we identified opportunities for improvement within those areas. Our report includes a recommendation for improving tracking of training for individuals with significant information security responsibilities and keeps open our 2012 recommendations related to incident reporting and contractor systems.
During the past year, the ISO has continued to make progress in implementing an enterprise information technology (IT) risk management framework and a continuous monitoring program; however, additional steps are needed to fully implement programs that are consistent with FISMA requirements. The ISO continued to enhance the risk management program and has made progress identifying enterprise IT risks, division-embedded IT risks, and information system risks; however, the ISO has not yet implemented all the objectives outlined in the Board's risk management program. Thus, our report keeps our related 2011 recommendation open. The ISO has outlined a strategy for continuous monitoring and continues to develop a program that details how that strategy will be carried out. The Board has implemented a manual continuous monitoring program and has deployed tools and components of an automated continuous monitoring program. The ISO is still developing the policy and procedures needed to fully implement the automated continuous monitoring program Board-wide. Thus, our report includes a recommendation for additional continuous monitoring actions.