OIG, Office of Inspector General

OIG Reports

Review of Selected Common Information Security Controls

Pursuant to requirements in the Federal Information Security Management Act (FISMA), we conducted security control reviews of three major applications. Through our information security control reviews, we identified opportunities for the Board’s Information Security Officer (ISO) to enhance and enforce existing policies and procedures and to provide additional guidance for implementing security controls, thus assisting all system owners in implementing the Board’s Information Security Program.

We recognize that the ISO and his staff have completed a significant amount of work over the past few years to develop a security program that complies with new National Institute of Standards and Technology (NIST) requirements. However, as the Board’s Security Program evolves and matures, we believe that the ISO will need to continue providing oversight and training and developing additional guidance for the program to remain effective. Our restricted report contained six recommendations to assist the ISO in this effort. We will follow up on the implementation of the recommendations as part of our future audit activities related to the Board’s continuing implementation of FISMA.