Board Report: September 30, 2011
Consistent with the requirements of the Federal Information Security Management Act (FISMA), we conducted a security control review of the Board’s Visitor Registration System (VRS). VRS is listed as a major application on the Board’s FISMA inventory. It is designed to register Board visitors and provide Law Enforcement Officers with the ability to quickly sign in/out visitors, print badges, and manage registered visitors.
Our audit objective was to evaluate the adequacy of selected security controls and techniques for protecting data from unauthorized access, modification, destruction, or disclosure. To accomplish this objective, we used a control assessment review program based on the security controls defined in National Institute of Standards and Technology Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems (SP 800-53). This document provides a baseline for managerial, operational, and technical security controls for organizations to use in protecting their information systems.
Overall, our review of VRS found that, in general, controls are adequately designed and implemented. For those control families where control objectives were not met, we identified the aspect of the control that was deficient or where improvements could be made, and we highlighted the recommended action. The Board’s Chief Operating Officer and Director of the Management Division generally agreed with our recommendations and outlined corrective actions. We will follow up on the implementation of these recommendations as part of our future FISMA-related audit activities. Given the sensitivity of information security review work, our reports in this area are generally restricted.