Board Report: June 1, 2009

Security Control Review of the Electronic Security System


To evaluate security controls and techniques of the Board's information systems, the Office of Inspector General (OIG) reviews controls over Board applications on an ongoing basis. Consistent with Federal Information Security Management Act (FISMA) requirements, we evaluated the adequacy of controls in a bundle of subsystems referred to as the Electronic Security System (ESS). Our objective was to evaluate the adequacy of selected security controls for protecting ESS from unauthorized access, modification, destruction, or disclosure. To accomplish this objective, we developed a control assessment methodology based on the security controls defined in the National Institute of Standards and Technology (NIST) Special Publication 800-53, Recommended Security Controls for Federal Information Systems (SP 800-53). SP 800-53 provides a baseline of management, operational, and technical security controls for use by organizations in protecting their information systems. We tested selected SP 800-53 controls through observation and analysis of policies, procedures, and other control-related documentation. 

Overall, for ten of the seventeen control families we evaluated, ESS generally met control objectives, based on information available at the time of our review. However, our testing was based on a judgmental sample of controls within each family. For those control families where control objectives were not met, we identified the deficient aspect of the control, suggested where improvements can be made, and highlighted the recommended action. The Director of the Management Division generally agreed with our recommendations and indicated that corrective action has either been taken or is under way to enhance the specific controls highlighted in the report. We will follow up on the implementation of the recommendations as part of our future audit activities related to the Board's continuing implementation of FISMA. Given the sensitivity of information security review work, our reports in this area are generally restricted.