Board Report: September 30, 2008
This audit was performed pursuant to the Federal Information Security Management Act of 2002 (FISMA), which requires that each agency OIG conduct an annual independent evaluation of the agency's information security program and practices. Our specific audit objectives, based on FISMA requirements, were to evaluate compliance by the Board with FISMA and related information security policies, procedures, standards, and guidelines, and to evaluate the effectiveness of security controls and techniques for a subset of the Board's information systems.
To evaluate the Board's compliance with FISMA and related policies and procedures, we reviewed components of the Board's certification and accreditation (C&A) process, including risk assessments, security plans, and security assessments. We also collected and reviewed information concerning the Board's processes related to areas for which the Office of Management and Budget requests a specific response as part of the agency's annual FISMA reporting. Our work included analyzing the Board's security-related processes for security awareness and training, remedial action monitoring, incident response, configuration management, controls over personally identifiable information (PII), and privacy impact assessments.
Overall, we found that the Board continues to advance and improve its information security program. During 2008, the Board enhanced its annual security awareness training and its processes for tracking security-related issues and initiatives. It also certified and accredited minor applications and subsystems by bundling them (1) under the security plans of a General Support System (GSS) or a major application that provides a significant portion of its security control requirements; or (2) with other minor applications to form a single major application. We found that the Board's inventory has remained stable since 2007, and that the bundling of minor applications and subsystems is a reasonable approach to implement the Board's security program.
However, our review of the C&A of major applications and the central GSS supported by the Division of Information Technology (IT) identified opportunities for the Board to improve its risk assessment process and security assessment testing. We found that the risk assessments can be improved to explicitly identify the residual risk remaining, and the additional security controls needed, after implementing minimum baseline controls. We also found that the security assessments performed as part of the C&A process need to be strengthened to include necessary and sufficient independent testing to provide the system owners with assurance that information security controls for these systems are effectively implemented and functioning as intended.
Our report contained two recommendations to the Chief Information Officer (CIO) designed to ensure that (1) risk assessments adequately identify, evaluate, and document the level of risk to an information system based on potential threats, vulnerabilities, and currently implemented or planned controls to determine if additional controls are needed; and (2) security assessments include necessary and sufficient independent testing to support the authorization for the system to operate, and to provide the authorizing official and the Board assurances that information security controls for these systems are implemented correctly, working as intended, and producing the desired results.
We provided our draft report for review and comment to the Director of IT, in her capacity as the CIO for FISMA. The director concurred with our recommendations.