Board Report: November 17, 2009
The audit was performed pursuant to the Federal Information Security Management Act of 2002 (FISMA), which requires that each agency Inspector General conduct an annual independent evaluation of the agency's information security program and practices. Based on FISMA's requirements, our specific audit objectives were to evaluate (1) the Board's compliance with FISMA and related information security policies, procedures, standards, and guidelines; and (2) the effectiveness of security controls and techniques for a subset of the Board's information systems. We also followed up on the status of the Board's corrective actions in response to open recommendations from our prior FISMA reports and security control reviews of Board systems.
Overall, we found that the Board's Information Security Officer (ISO) continued to maintain a FISMA-compliant approach to the Board's information security program and that the Board's inventory had remained stable. Based on our prior recommendations, the ISO had allocated additional resources to the Division of Information Technology's (IT's) Security Compliance unit and implemented an improved approach to security assessments that included independent testing. In addition, the ISO continued to issue and update information security policies and guidelines and had started to develop security metrics to measure security performance and compliance. The Board continued to emphasize information security awareness by offering additional automated presentations that highlight potential vulnerabilities and posting awareness reminders throughout Board buildings.
To further enhance the Board's information security program, we identified four new recommendations to the Chief Information Officer (CIO): (1) ensure all systems have updated security plans; (2) test select critical controls within the IT general support system annually; (3) independently verify that appropriate corrective action has been implemented before items are removed from the Board's Plan of Action and Milestones (POA&M); and (4) provide mandatory FISMA training to selected staff with FISMA responsibilities. We will continue to review the qualitative aspects of the program as part of future FISMA audits and evaluations.
To evaluate security controls and techniques, we reviewed controls over two Board applications and one application operated by the Federal Reserve Bank of New York in support of the Board's Division of Monetary Affairs. We also conducted reviews of (1) audit logging controls provided for a number of Board systems and by the IT general support system, and (2) the Board's POA&M program and processes. We reviewed components of the Board's certification and accreditation process, including risk assessments, security plans, and security assessments. We also reviewed information concerning the Board's processes related to areas for which the Office of Management and Budget requests a specific response as part of the agency's annual FISMA reporting, including security awareness and training, system inventory, remedial action monitoring, incident reporting, configuration management, controls over personally identifiable information, and privacy impact assessments. Our reviews of Board applications' information security controls identified areas where controls needed to be strengthened. (Given the sensitivity of the issues in these reviews, we provided the specific results to management in separate restricted reports.)
In following up on the status of corrective actions in response to open recommendations from our prior FISMA reports, we determined that the Board's corrective actions were sufficient to close two of three open recommendations. The third recommendation was to ensure that risk assessments adequately identify, evaluate, and document the risks to an information system based on potential threats, vulnerabilities, and controls. The ISO had developed a supplemental controls questionnaire to assist system owners in determining whether additional controls are needed. However, our detailed review of selected risk assessments showed that system owners could improve in identifying, evaluating, and documenting potential system vulnerabilities, the associated level of risk, and the need for additional controls to address these risks. The ISO has plans to further enhance the risk assessment process, and we kept this recommendation open while we monitor the implementation of these enhancements. In following up on the Board's actions in response to 5 of our prior security control reviews with open recommendations, we determined that sufficient actions were taken to close 57 of the 61 open recommendations from those reviews. We will continue to monitor the Board's actions on open recommendations from our security control reviews.
The Director of IT, in her capacity as CIO for FISMA, generally agreed with our report and stated that additional program enhancements are planned for the next two years that will address most of the key improvement opportunities highlighted in our report.