Board Report: November 15, 2010
The audit of the Board's information security program and practices was performed pursuant to the Federal Information Security Management Act of 2002 (FISMA), which requires that each agency Inspector General conduct an annual independent evaluation of the agency's information security program and practices. Based on FISMA’s requirements, our specific audit objectives were to evaluate (1) the Board’s compliance with FISMA and related information security policies, procedures, standards, and guidelines; and (2) the effectiveness of security controls and techniques for a subset of the Board’s information systems.
In accordance with the Office of Management and Budget’s (OMB’s) revised requirements, our FISMA review included an analysis of the Board’s information security-related processes in the following areas: certification and accreditation, continuous monitoring, plans of action and milestones, account and identity management, remote access, security configuration management, security training, contractor oversight, contingency planning, and incident response and reporting. We also followed up on the status of corrective actions in response to five open recommendations from our prior FISMA reports and nine open recommendations from two security control reviews.
Overall, we found that the Board’s Chief Information Officer (CIO) continued to maintain a FISMA-compliant approach to the Board’s information security program that is generally consistent with requirements established by the National Institute of Standards and Technology (NIST) and OMB. The Information Security Officer (ISO) continued to issue and update information security policies and guidelines, and is piloting a Board-wide IT risk assessment framework to capture technology, operational, and strategic risks for IT resources. As NIST and OMB develop new guidance and update existing standards and publications to transform the traditional certification and accreditation (C&A) process into a new Risk Management Framework, opportunities exist for the CIO to continue to mature the Board’s information security processes through further assessment of risks and controls under an organization-wide risk management strategy, with a focus on more continuous monitoring and automated methods.
Our report contained three recommendations. To transform the Board’s C&A process into the Risk Management Framework and implement new NIST requirements for assessing security controls, our first recommendation was that the CIO continue to develop and implement a Board-wide IT risk management strategy as required by NIST Special Publication (SP) 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, Program Management family of controls. Our second recommendation was that, as additional NIST and OMB guidance is issued and becomes effective, the CIO develop a continuous monitoring strategy and implement a continuous monitoring program as required by SP 800-53, Security Assessment and Authorization family of controls. Finally, we recommended that the CIO identify all IT services provided by organizations other than Board personnel, and determine if they need to be accredited as a third-party contractor system or as part of an existing General Support System (GSS) or major application.
In addition, our report included matters for management’s consideration based on our analysis of the Board’s security-related processes. Although not specifically required by NIST or OMB requirements, the following actions could help to strengthen the Board’s information security posture: (1) under the Board’s C&A program, provide system owners additional information on security assessments of the GSS components, include additional relevant information in system security plans, and implement risk-based sampling as part of the security control assessment testing; and (2) under the Board’s configuration management program, separately accredit the externally facing components of the IT GSS and major applications, and clarify guidance to assist system owners in managing application level security settings.
In following up on the status of corrective actions in response to open recommendations from our prior FISMA reports, we determined that the Board’s corrective actions were sufficient to close two of the four recommendations in our 2009 FISMA report. On the other two open recommendations, which related to improving the plans of action and milestones and information security training programs, the ISO has made progress, but corrective action is still under way.
Our 2008 FISMA report included a recommendation to ensure that risk assessments adequately identify, evaluate, and document the risks to an information system based on potential threats, vulnerabilities, and controls. We are keeping this recommendation open as we continue to monitor the CIO’s and the ISO’s actions in overseeing the planned enhancements to the risk assessment process. In following up on the Board’s actions in response to the nine open recommendations from our prior security control reviews, we determined that sufficient actions had been taken to close all those recommendations. We will continue to follow up on actions taken regarding our FISMA and security control review report recommendations as part of future audit and evaluation work related to information security.
The Director of the Board’s IT division, in her capacity as the CIO for FISMA, generally agreed with the three recommendations in our current report and stated that she intends to take immediate action to address each of the recommendations. This includes updating the Board’s program documentation to more accurately reflect the risk management and continuous monitoring programs. In addition, she will be reviewing the system inventory with each division and office to validate that all contractor services are correctly reflected in the inventory. The Director also plans to leverage the results from the continuous monitoring program to offset compliance testing requirements during 2011.