Board Report: 2014-IT-B-019 November 14, 2014

2014 Audit of the Board's Information Security Program

Appendix A: Scope and Methodology

To accomplish our audit objectives, we reviewed the effectiveness of the Board's information security program across 11 areas outlined in DHS's 2014 FISMA reporting guidance for Inspectors General. These areas include continuous monitoring, configuration management, identity and access management, incident response and reporting, risk management, security training, POA&M, remote access management, contingency planning, contractor systems, and security capital planning. To assess the Board's information security program in these areas, we interviewed Board management and staff members; analyzed security policies, procedures, and documentation; and observed and tested specific security processes and controls.

We also reviewed security controls implemented for the Board's information systems and IT processes on an ongoing basis. During the past year, we issued the following reports:

  • Security Control Review of Aon Hewitt Employee Benefits System
  • Security Control Review of the Visitor Registration System
  • Security Control Review of Contingency Planning Controls for the Information Technology General Support Systems

Given the sensitivity of the issues involved with these reviews, the specific results were provided to management in separate reports, some of which are restricted.

Additionally, during this FISMA cycle we completed the fieldwork on several other audits of Board processes that relate to certain DHS FISMA metric areas:

  • Audit of the Board's Data Center Relocation
  • Audit of the Board's Information System Security Life Cycle Process
  • Audit of the Board's STAR Modernization Project

In addition to the FISMA requirements, we performed follow-up reviews of open audit recommendations from prior OIG information security–related audits and application control reviews. These follow-up reviews help us evaluate the Board's compliance with FISMA and related information security policies and procedures and report to DHS and OMB.

We conducted our fieldwork for this audit from June 2014 to September 2014. We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.