Board Report: September 25, 2007
This audit was performed pursuant to the Federal Information Security Management Act of 2002 (FISMA), which requires that each agency Inspector General (IG) conduct an annual independent evaluation of the agency's information security program and practices. Our specific audit objectives, based on the Act's requirements, were to evaluate the effectiveness of security controls and techniques for selected information systems and to evaluate compliance by the Board with FISMA and related information security policies, procedures, standards, and guidelines.
To evaluate security controls and techniques, we reviewed controls over three Board applications and followed up on the open issues from our 2006 application control reviews. We also recently began a review of controls provided by the Federal Reserve Bank of Boston for applications that the Reserve Bank maintains in support of the Board's supervision and regulation function. We performed our 2007 application control testing based on controls identified in the National Institute of Standards and Technology (NIST) Special Publication 800-53, Recommended Security Controls for Federal Information Systems. These control tests identified areas where security controls need to be strengthened. Because some of the issues we identified are more significant, either alone or in combination with other weaknesses, we classified several of our findings as "control deficiencies." Given the sensitivity of the issues involved with these reviews, we will provide the specific results to management in separate restricted reports. In addition, follow-up work on our 2006 application control reviews revealed that the Board had taken sufficient actions to allow us to close several open recommendations in this area.
To evaluate the Board's compliance with FISMA and related policies and procedures, we followed up on the open recommendations from our prior information security audit reports issued pursuant to FISMA's requirements. Because FISMA authorizes the IGs to base their annual evaluation in whole or in part on existing audits, evaluations, or reports relating to programs or practices of the agency, we also incorporated the results from, and actions taken on, other audit reports with information security-related recommendations. Based on our follow-up work, we determined that the Board's actions over the past year were sufficient to close seven of the ten recommendations that were not fully closed as of the beginning of our 2007 information security audit.
We also collected and reviewed information concerning the Board's processes related to areas for which the Office of Management and Budget (OMB) requested a specific response as part of the agency's annual FISMA reporting. Areas we reviewed include security awareness and training, certification and accreditation, remedial action monitoring, incident response, configuration management, controls over personally identifiable information, and privacy impact assessment processes.
Overall, we found that the Board's information security program continues to evolve and mature. The Board has made additional progress toward implementing a structured information security program as outlined by FISMA and has taken action to address open audit recommendations. Specifically, we found that the Board revised its information security program to incorporate guidance and standards recently issued by NIST. The Board also updated many of its information security policies and guidance, continued to certify and accredit information systems, and provided training to system owners and developers on their security-related responsibilities. Despite this progress, however, the Board still has work remaining to fully implement its information security program for all systems on the application inventory; consequently, three of our prior audit recommendations remain open or partially closed.
Based on our security-related fieldwork over the past year, we did not make any new recommendations in our report. In our opinion, the primary challenge going forward for the Board's Chief Information Officer (CIO) and Information Security Officer (ISO) is to ensure that all aspects of the revised information security program are fully and consistently implemented across the systems supporting the Board's divisions and offices (as well as for third-party applications supporting Board programs and operations), and that controls are implemented correctly, working as intended, and producing the desired results. We will continue to review the qualitative aspects of the program as part of future FISMA audits and evaluations.
We provided our draft report to the Director of the Division of Information Technology, in her capacity as CIO for FISMA, and discussed the report with her and the Board's ISO at our closing meeting. During the meeting, the Director generally agreed with the report's contents. She and the ISO also discussed ongoing and planned activities to further enhance the Board's information security program.