Board Report: 2019-IT-B-016 October 31, 2019
The Federal Information Security Modernization Act of 2014 requires us to perform an annual, independent evaluation of the Board's information security program. We evaluated the program's maturity level (from a possible low of 1 to a possible high of 5) across several areas.
Overall, the Board's information security program is operating at level 4 (managed and measurable), which indicates an effective level of security. Nonetheless, the Board has opportunities to mature its information security program. For example, similar to our previous FISMA audits, a consistent theme we noted is that the decentralization of information technology services results in an incomplete view of the risks affecting the Board's security posture.
We are making recommendations to strengthen the Board's information security program in the areas of risk management, identity and access management, and data protection and privacy.
