Audit Report 13-15: Briefing Report for the FY 2012 Federal Information Security Management Act Review

This report presents the results of the OIG’s Federal Information Security Management Act (FISMA) review of the SBA.  Under FISMA, agencies report their compliance with information security requirements.  The OIG reports on the effectiveness of the agency’s information security program in accordance with OMB criteria. For Fiscal Year (FY) 2012, the OIG was required to report on the following 11 areas: 1) continuous monitoring management; 2) configuration management; 3) identity and access management; 4) incident and response reporting; 5) risk management; 6) security training; 7) plan of actions and milestones; 8) remote access management; 9) contingency planning; 10) contractor systems, and 11) security capital planning.

The OIG found that the SBA continues to show improvement in its IT Security Program. Specifically, the SBA showed improvement in the areas of Incident Response and Risk Management, continues to meet requirements in the area of Security Capital Planning, and needs to make significant improvement in the area of Configuration Management. The OIG also recommended the SBA update its Telework SOP, which contained outdated technical procedures.