Board Report: March 3, 2008
Based on our security control reviews, we identified opportunities for the Board's Information Security Officer (ISO) to enhance and enforce existing policies and procedures and to provide additional guidance for implementing security controls, thereby assisting all system owners in implementing the Board's Information Security Program. Our work identified opportunities to strengthen controls in four of the seventeen control families.
We recognize that the ISO and his staff have completed a significant amount of work over the past few years to develop a security program that complies with new National Institute of Standards and Technology requirements. For example, the ISO developed and issued guidance to assist Board staff in implementing certain components of the program, such as completing risk assessments and security plans in preparation for system certifications and accreditations. In 2007, the security staff in the Board's Division of Information Technology (IT) also conducted training for system owners and developers; the training covered the requirements of the Board's Information Security Program and provided guidance on completing required documentation. As the Board's Security Program evolves and matures, we believe that the ISO will need to continue providing oversight and training, and to develop additional guidance, for the program to remain effective. The report contains six recommendations to assist the ISO in this effort.
The director of IT, in her capacity as Chief Information Officer for FISMA, generally agreed with all of the recommendations and identified corrective action that has either been taken or is underway to enhance the control families highlighted in our report. Given the sensitivity of information security review work, our reports in this area are generally restricted.