Board Report: 2014-IT-B-019 November 14, 2014
Our specific audit objectives, based on the requirements of the Federal Information Security Management Act of 2002 (FISMA), were to evaluate the effectiveness of the security controls and techniques for select information systems of the Board of Governors of the Federal Reserve System (Board) and to evaluate the Board's compliance with FISMA and related information security policies, procedures, standards, and guidelines. Our scope and methodology are detailed in appendix A.
FISMA provides a framework for ensuring the effectiveness of information security controls over federal operations and assets and a mechanism for the oversight of federal information security programs. FISMA requires agencies to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided by another agency, a contractor, or other source.
Agency information security programs must provide for, among other things, periodic risk assessments, policies and procedures based on the risk assessments, periodic testing and evaluation of the effectiveness of policies and procedures, security planning, security awareness training, and continuity of operations. FISMA also requires each agency Inspector General to perform an annual independent evaluation of the information security program and practices of its respective agency to determine the effectiveness of such program and practices. As discussed in Office of Management and Budget (OMB) Memorandum 10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS), the U.S. Department of Homeland Security (DHS) exercises primary responsibility within the executive branch for the operational aspects of federal agency cybersecurity with respect to FISMA.