Board Report: 2014-IT-B-021 December 18, 2014
To accomplish our audit objective, we obtained the Board’s FISMA inventory and extracted the major systems and general support systems from the listing because Board systems with those categorizations have the most strenuous documentation requirements. Based on the Board’s inventory as of April 2014, we selected a sample of 53 systems from the Board’s FISMA inventory. We examined supporting documentation for the current FISMA inventory as well as security categorization, authorization, security plan, and certification and testing documentation from the 2013 FISMA reporting period for compliance with NIST and internal guidance.
We compared the Board’s Risk Management Program and Risk Assessment Standard to the recommended tasks identified in SP 800-37.
For our final objective, we examined technical and user documentation associated with the Board’s automated workflow tool to assess its functionality. Based on that inspection, we selected a limited sample of controls to test for compliance with SP 800-53.
We conducted our fieldwork from March 2014 to July 2014. We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
