Board Report: 2018-IT-B-017 October 31, 2018
The Federal Information Security Modernization Act of 2014 requires us to perform an annual, independent evaluation of the Board's information security program. We evaluated the program's maturity level (from a possible low of 1 to a possible high of 5) across several areas.
Overall, the Board's information security program is operating at level 4 (managed and measurable), which indicates an effective level of security. Nonetheless, the Board has opportunities to mature its information security program, particularly by implementing an agencywide risk management governance structure and strategy, as well as through greater automation and centralization of IT security services.
We are making recommendations to strengthen the Board's information security program in the areas of risk management, configuration management, data protection and privacy, and security training.