September 30, 2014

Major Management Challenges for the Board of Governors of the Federal Reserve System

Management Challenge 5: Information Security

GAO continues to identify the protection of information systems and the nation's cyber critical infrastructure as a priority for federal agencies. The OIG has also identified information security as a major management challenge for the Board. Management should place a high priority on implementing new federal requirements for developing a Boardwide continuous monitoring program and a Boardwide risk management program. In addition, the Board is challenged to ensure that information systems and services provided by third-party providers, including the Federal Reserve Banks, meet the requirements of the Federal Information Security Management Act of 2002 (FISMA) and the Board's information security program.

Continuous Monitoring of Information Security

Implementing Boardwide continuous monitoring of information security that complies with National Institute of Standards and Technology (NIST) requirements will pose challenges for the Board. NIST requires that agencies establish a continuous monitoring strategy and implement a continuous monitoring program that includes a configuration management process for the information system and its constituent components; a determination of the security impact of changes to the information system and the environment of operation; ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and reporting of the security state of the information system to appropriate organizational officials.

NIST Special Publication 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (SP 800-137), states that at the mission/business processes tier, the organization needs to establish the minimum frequency with which each security control or metric is to be assessed or monitored. Frequencies need to be established across all organizational systems and common controls. SP 800-137 states that the organization-wide information security continuous monitoring strategy and associated policy should be developed at the organizational tier, with general procedures for implementation at the mission or business tier. OIG reports have identified that the Board's Chief Information Officer has continued to make progress in implementing a continuous monitoring program; however, the Chief Information Officer should finalize policies and procedures, establish metrics, and define the frequency of monitoring. 

Agency Actions

The Board's Information Security Officer (ISO) outlined a strategic plan for the Board and has made progress in implementing NIST guidance. The initial plan for continuous monitoring was developed in 2011 and was updated in August 2012 to include additional continuous monitoring automation tools and to provide more detailed implementation status information. In August 2013, the ISO evolved the continuous monitoring strategy into an Information Security Continuous Monitoring Program document, which discusses three primary activities: continuous monitoring automation, manual processes, and key metrics. Lastly, the ISO developed a draft version of the continuous monitoring standard.

Risk Management

Implementing Boardwide risk management will pose challenges to the Board. Although the majority of the Board's computing environment is managed by the Division of IT, NIST requires that the risk management program be expanded to address and cover all aspects of the Board's computing environments within all divisions' missions and business processes. 

FISMA requires organizations to develop and implement an organization-wide information security program for the information and the information systems that support the operations and assets of the organization, including those provided or managed by another organization, a contractor, or another source. NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, expands the concept of risk management and covers a strategic-to-tactical organizational approach to risk management. NIST Special Publication 800-39, Managing Information Security Risk, states that it is imperative that leaders and managers at all levels understand their responsibilities and are held accountable for managing information security risk—that is, the risk associated with the operation and use of information systems that support the mission and business functions of their organizations. OIG reports have identified that the Board's Chief Information Officer has continued to make progress in implementing a risk management program; however, the program still needs to be implemented Boardwide. 

Agency Actions

The ISO developed the Risk Management Program and Risk Assessment Guide to enhance the original risk assessment framework initiative. 

Reliance on the Federal Reserve Banks and Third-Party Providers

The Board will be challenged to ensure that information systems and services provided by third-party providers, including systems supported by the Federal Reserve Banks while they transition to a NIST-based information security program, meet FISMA requirements. FISMA requires agencies to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, a contractor, or another source. The Board's information security program requires third parties, including Federal Reserve Banks, other agencies, and commercial providers, to use appropriate security controls to protect Board-provided information and services. The level of controls provided by third parties must be comparable to the controls provided for in NIST requirements. 

The Board is part of the Federal Reserve System and relies on some services provided through the Federal Reserve Banks; however, the Federal Reserve Banks are not bound by the requirements of FISMA. We have issued information security control review reports to the Board that identified services provided by third-party providers, including Federal Reserve Banks, that did not meet the Board's information security requirements.

Agency Actions

The Federal Reserve System is currently implementing NIST guidance as the strategic direction for the Federal Reserve Bank information security program. The information security program defines the rules, such as the security objectives and control requirements, and the risk management process that help the Federal Reserve System manage information security risk. 

The ISO performs onsite security reviews of Federal Reserve Bank systems that store or process Board data to ensure that the systems are meeting the requirements of the Board's information security program. The ISO has developed a security policy that applies to all third parties that collect or maintain Board information or those that operate or use information systems on behalf of the Board. The ISO also published an inventory guide that outlines how the Board accounts for all information assets and tracks the security compliance of all systems, including systems used or operated by third parties on behalf of the Board.