Report 12-15: Weaknesses Identified During FY 2011 FISMA Review

This advisory memorandum presents risk areas requiring management follow-up as a result of our most recent Federal Information System Management Act (FISMA) review.  The Office of Inspector General (OIG) contracted with an Independent Public Accountant (IPA)to perform the audit procedures relating to FISMA.  The IPA interviewed SBA personnel, inspected documentation, and tested the effectiveness of SBA’s Information Technology (IT) security controls.  The OIG monitored the IPA’s work and reported the SBA’s compliance with FISMA with the Agency FISMA filings on November 4, 2011.  The OIG performed additional fieldwork between November 2011 and March 2012 to further clarify issues and recommend corrective actions. 

The OIG’s Fiscal Year 2011 review found that the Office of Chief Information Officer (OCIO) needs to prioritize remediation of IT security vulnerabilities identified in prior audits.  The OCIO also needs to perform recertification reviews of its general support system’s end users and monitor remote access logs for unauthorized activity.   Finally, the OIG found SBA has a number of tasks in its IT security assistance contract which are not being performed.

The OIG made three recommendations on remediating OIG recommendations more timely, recertifying network users, and reviewing remote access audit logs.  The OIG re-issued a prior year recommendation related to ing to the OCIO’s oversight of its IT Security Contractor.  In his response to the draft report, the CIO agreed to the accuracy of the current and prior year recommendations, provided updates on statuses, and adjusted closure dates.  The CIO also stated that configuration management is being performed by the Office of Communications and Technology Services and his office is in the process of having items removed for their security assistance contract. We requested the OCIO provide their management decision to this report within 30 days from the issuance of this report.