Skip to Navigation
Skip to Main content
OIG Home
OIG Home


Skip SHARE THIS PAGE section Skip STAY CONNECTED section

Board Report:  June 24, 2010

Security Control Review of the Lotus Notes and Lotus Domino Infrastructure


available formats

  • Report Summary


To evaluate the security controls and techniques of the information systems of the Board, the OIG reviews controls over associated major applications on an ongoing basis. Consistent with the requirements of the Federal Information Security Management Act of 2002 (FISMA), we conducted a security control review of the Board’s Lotus Notes and Lotus Domino infrastructure. The Lotus Notes and Lotus Domino infrastructure is a component of the general support system supported by the Board’s Division of Information Technology. The general support system infrastructure provides network and general computing capabilities for the Board’s end-user community. The Lotus Notes application provides users with access to e-mail, calendar, and other databases that reside in a Lotus Domino server environment.

Our audit objective was to evaluate the adequacy of selected security controls for protecting the Lotus Notes and Lotus Domino infrastructure from unauthorized access, modification, destruction, or disclosure. To accomplish our objective, we developed a control assessment methodology based on the security controls identified in the National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems. This document provides a baseline of security controls for organizations to use in protecting their information systems. The controls are divided into 17 “families,” such as access control, risk assessment, and personnel security.

Overall, the audit showed that controls were generally well-designed and well-implemented. However, we found opportunities to strengthen information security controls in the control families that we evaluated. For those control families where control objectives were not met, we identified the aspect of the control that was deficient or where improvements could be made, and we highlighted recommended action. The Director of the Division of Information Technology generally agreed with our recommendations and identified corrective actions that have been taken, are under way, or are planned to enhance the specific controls highlighted in the report. We will follow up on the implementation of the recommendations as part of our future audit activities related to the Board’s continuing implementation of FISMA. Given the sensitivity of information security review work, our reports in this area are generally restricted.