
Board Report: April 20, 2012

Security Control Review of the Board's Public Website




Consistent with the requirements of the Federal Information Security Management Act of 2002 (FISMA), we conducted a security control review of the Board's Public Website (Pubweb). Pubweb is listed as a major application on the Board's FISMA application inventory for the Office of Board Members. As part of the Board's Publications Program, Pubweb provides a large and diverse audience, including the public, with information about the mission and work of the Board and the functions of the Federal Reserve System.

Our audit objective was to evaluate the adequacy of selected security controls for protecting the Pubweb application from unauthorized access, modification, destruction, or disclosure. To accomplish this objective, we used a control assessment review program based on the security controls defined in National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (SP 800-53). This document provides a baseline for managerial, operational, and technical security controls for organizations to use in protecting their information systems.

Our review of the Pubweb application showed that, in general, controls are adequately designed and implemented. However, we identified opportunities to strengthen information security controls to help ensure that Pubweb meets FISMA requirements. The Director of the Board's Division of Information Technology and the Assistant to the Board, Office of Board Members, stated that they generally agree with the recommendations discussed in the report, and in many cases, corrective action has already been completed or is well underway. We will follow up on the implementation of these recommendations as part of our future FISMA-related audit activities. Given the sensitivity of information security review work, our reports in this area are generally restricted.