
Board Report: 2012-AA-B-001 November 12, 2012

2012 Audit of the Board's Information Security Program


We completed our annual Federal Information Security Management Act of 2002 (FISMA) audit of the Board. Our specific audit objectives were to evaluate the effectiveness of security controls and techniques for selected information systems and to evaluate the Board’s compliance with FISMA and related information security policies, procedures, standards, and guidelines provided by NIST, OMB, and the Department of Homeland Security.

In accordance with reporting requirements, our FISMA review included an analysis of the Board’s security-related processes in the following areas: risk management, continuous monitoring management, plan of action and milestones, identity and access management, remote access management, configuration management, security training, contractor systems, contingency planning, incident response and reporting, and security capital planning.

Overall, we found that the Board’s CIO is maintaining a FISMA-compliant approach to the Board’s information security program that is generally consistent with requirements established by NIST and OMB. During the past year, the Information Security Officer (ISO) continued to issue and update information security policies and guidelines. In addition, progress has been made to implement (1) an enterprise IT risk assessment framework initiative and a continuous monitoring strategy as well as (2) a new automated workflow support tool to provide an automated method for documenting, reviewing, and approving the security posture of all Board information systems. These efforts were undertaken to transform the Board’s Certification and Accreditation process into the NIST Risk Management Framework.

An additional part of the overall risk assessment framework requires the CIO to ensure that risk assessments adequately identify, evaluate, and document the level of risk to information systems based on potential threats, vulnerabilities, and currently implemented or planned controls, in order to determine whether additional controls are needed. Although the ISO has made progress in addressing the NIST guidance on risk management, the enterprise IT risk assessment framework needs to be fully implemented Board-wide, and the automated workflow support tool needs to be fully operational, for the Board to meet the requirements of NIST's organization-wide risk management approach.

Our prior 2011 report contained one recommendation: that the CIO complete and fully implement the enterprise IT risk assessment framework Board-wide and ensure that the automated workflow support tool is fully operational in order to comply with updated NIST guidance on the new Risk Management Framework. This recommendation will remain open as work continues on various phases of the IT risk assessment framework initiative and continuous monitoring strategy. We will continue to monitor the ISO’s actions in implementing the enterprise IT risk assessment framework Board-wide, which includes improving overall risk assessments.

Our 2012 report contained two new recommendations, related to the Board's contractor oversight program and its incident response and reporting program. First, to ensure that all Board data meet the requirements of the Board Information Security Program and NIST standards and controls, we recommend that the CIO develop and implement a security review process for third-party systems located outside the Federal Reserve System, so that those systems employ information security controls sufficient to meet the requirements of the Board Information Security Program and NIST standards. Second, we recommend that the CIO document the roles and responsibilities of the Board and National Incident Response Team staffs supporting Board incidents, and analyze the changes needed to existing agreements so that the respective roles and responsibilities of the National Incident Response Team and the Board are specified.

The Director of the Division of Information Technology, in her capacity as the CIO, agreed with the two recommendations in our report and has initiated efforts to address both issues.