Board Report: December 1, 2012
To evaluate the security controls and techniques of the Board's information systems, the Office of Inspector General reviews controls over Board applications and selected security controls provided by the Board's general support systems (GSS) on an ongoing basis. Consistent with the requirements of the Federal Information Security Management Act of 2002 (FISMA), we conducted a security control review of the contingency program controls provided by the GSS that is supported by the Division of Information Technology (IT), referred to here as the IT GSS.
Our objective was to determine whether the Board is maintaining a contingency program for the IT GSS that is generally consistent with related National Institute of Standards and Technology (NIST) and Office of Management and Budget (OMB) FISMA guidance. To accomplish this objective, we developed a tailored control assessment review program based on the security controls defined in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations.
Overall, we found that the Board has established and is maintaining a contingency program for the IT GSS that is generally consistent with NIST and OMB FISMA requirements. The Board has invested resources in the areas of hardware, mainframe computing, network bandwidth, equipment, and other logistical necessities to sustain operations at the contingency site. In addition, the Board continues to conduct semiannual contingency tests of its mission-critical applications. Although we did not identify any significant discrepancies, we found opportunities to strengthen the IT GSS contingency planning.
Management generally agreed with our recommendations and discussed corrective action that has already been completed, is underway, or is planned. We plan to conduct additional work in the area of continuity of operations and contingency planning across divisions, and we will follow up on the implementation of each recommendation as part of our future audit activities related to the Board's continuing implementation of FISMA. Given the sensitivity of information security review work, our reports in this area are generally restricted.