Board Report: 2014-IT-B-019 November 14, 2014
Overall, we found that the Board’s Chief Information Officer (CIO) continues to maintain a FISMA-compliant approach to the Board’s information security program that is generally consistent with requirements established by the National Institute of Standards and Technology (NIST) and OMB. The Information Security Officer (ISO) continues to issue policies and procedures that include attributes identified within the DHS reporting metrics.
In analyzing the status of the Board’s information security program within the 11 DHS reporting metrics for 2014, we found that the Board has effective programs in place that are consistent with FISMA requirements and that include attributes identified by DHS for risk management, security configuration, remote access, identity and access management, security training, incident response and reporting, and security capital planning. We also found that the Board has programs in place that include attributes identified within the DHS reporting metrics for continuous monitoring, contractor oversight, contingency planning, and plan of action and milestones (POA&M); however, we identified opportunities for improvement within those areas. Our findings related to contingency planning are being reported under separate cover.
Our report includes one new recommendation for improving the tracking of division-level POA&Ms and keeps open our 2012 recommendation on contractor systems and our 2013 recommendation on continuous monitoring. Our 2013 FISMA audit included recommendations related to incident response and reporting, security awareness training, and risk management that we are closing based on corrective actions taken by the ISO. The following summarizes the status of our prior FISMA recommendations:
2011 Recommendation: We recommended that the CIO complete and fully implement the enterprise information technology (IT) risk assessment framework across all divisions, and ensure that the automated workflow support tool is fully operational, in order to comply with updated NIST guidance on the new Risk Management Framework (RMF).
Status: Closed
2012 Recommendation: We recommended that the CIO develop and implement a security review process for third-party systems located outside the Federal Reserve System.
Status: Open
2012 Recommendation: We recommended that the CIO document the roles and responsibilities of the Board and National Incident Response Team supporting Board incidents and analyze what changes are needed to existing agreements to ensure that the respective roles and responsibilities of the National Incident Response Team and the Board are specified.
Status: Closed
2013 Recommendation: We recommended that the CIO monitor specialized training taken by all individuals at the Board with significant information security responsibilities to ensure that they have been adequately trained.
Status: Closed
2013 Recommendation: We recommended that the CIO continue to establish a continuous monitoring program by finalizing policies and procedures, establishing metrics, and defining the frequency of monitoring.
Status: Open
We also reviewed security controls implemented for select Board information systems and IT processes, and we completed the fieldwork on several other audits of Board programs related to certain DHS metrics. Our specific findings and recommendations in these areas will be transmitted under separate cover. Appendix A lists these reviews.