
Board Report: November 14, 2011

Audit of the Board's Information Security Program

Report Summary

The audit was performed pursuant to the Federal Information Security Management Act of 2002 (FISMA), which requires that each agency IG conduct an annual independent evaluation of the agency's Information Security Program and practices. Based on FISMA requirements, our specific audit objectives were to evaluate (1) the Board's compliance with FISMA and related information security policies, procedures, standards, and guidelines and (2) the effectiveness of security controls and techniques for a subset of the Board's information systems.

In accordance with Department of Homeland Security reporting requirements, our FISMA review included an analysis of the Board's information security-related processes in the following areas: risk management, continuous monitoring management, plans of action and milestones, identity and access management, remote access management, security configuration management, security training, contractor oversight, contingency planning, incident response and reporting, and security capital planning.

Overall, we found that the Board's Chief Information Officer (CIO) continued to maintain a FISMA-compliant approach to the Board's Information Security Program that is generally consistent with National Institute of Standards and Technology (NIST) and Office of Management and Budget (OMB) requirements. The Information Security Officer (ISO) continued to issue and update information security policies and guidelines. During 2011, the ISO developed an enterprise IT risk assessment framework initiative and a continuous monitoring strategy, and began to implement a new automated workflow support tool for documenting, reviewing, and approving the security posture of all Board information systems. In addition, the ISO took corrective actions in response to a number of open recommendations from our prior FISMA reports.

Although the ISO has made progress in addressing the new NIST guidance on risk management, the enterprise IT risk assessment framework needs to be fully implemented Boardwide, and the automated workflow support tool needs to be fully operational, before the Board can meet the requirements of NIST's organizationwide risk management approach. Our report contained a recommendation that the CIO complete and fully implement the enterprise IT risk assessment framework Boardwide and ensure that the automated workflow support tool is fully operational, in order to comply with updated NIST guidance on the new Risk Management Framework.

In addition, our report included matters for management's consideration based on our analysis of the Board's contractor oversight and security capital planning programs. While not specifically required by NIST or OMB, the following actions could help strengthen the Board's information security posture: (1) under the Board's contractor oversight program, ensure that the Board's new automated workflow tool for managing the security posture of all Board information systems incorporates appropriate security management information for third-party systems operated by Federal Reserve Banks on behalf of the Board; and (2) under the Board's security capital planning and investment program, to ensure adequate tracking of system security investments, enhance the Board's system development methodology by clarifying the steps for accounting and budgeting for security over the system life cycle, and analyze how security capital planning information at the system and enterprise levels can be integrated into the IT performance dashboard to give a more comprehensive picture of the business value and performance of the Board's information systems.

Upon review of open recommendations from our prior FISMA reports, we determined that sufficient action had been taken to close the recommendations from our 2010 FISMA report. To transform the Board's certification and accreditation process into the NIST Risk Management Framework and implement new NIST requirements for assessing security controls, our 2010 FISMA report included the following two recommendations to the CIO: (1) continue to develop and implement a Boardwide IT risk management strategy as required by NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (SP 800-53), Program Management family of controls and (2) as additional NIST and OMB guidance is issued and becomes effective, develop a continuous monitoring strategy and implement a continuous monitoring program as required by SP 800-53, Security Assessment and Authorization family of controls. Because the ISO developed and began implementing an enterprise IT risk assessment framework within the Division of Information Technology, we closed out the first recommendation. With the ISO issuing a continuous monitoring strategy and beginning the implementation of an expanded continuous monitoring program, we also closed the second recommendation.

Our 2010 FISMA report also included a recommendation that the CIO identify all IT services provided by organizations other than the Board and determine whether each needs to be accredited as a third-party contractor system or as part of an existing general support system or major application. The CIO has taken sufficient actions to close this recommendation.

In addition, given the new NIST guidance on risk management, which incorporates risk assessment, we closed a recommendation from our 2008 FISMA report that the CIO ensure that risk assessments adequately identify, evaluate, and document the level of risk to information systems, based on potential threats, vulnerabilities, and currently implemented or planned controls, in order to determine whether additional controls are needed.

The Director of the Board's Division of Information Technology, in her capacity as the CIO, agreed with our 2011 recommendation that the CIO complete and fully implement the enterprise IT risk assessment framework Boardwide and ensure that the automated workflow support tool is fully operational for the Board to be compliant with updated NIST guidance on risk management. We will continue to monitor the ISO's actions in implementing the enterprise IT risk assessment framework Boardwide, which include improving overall risk assessments.