Audit Report 6-01: Independent Evaluation of SBA’s Information Security Program
Date Issued: Friday, October 7, 2005
Report Number: 06-01

On October 7, 2005, the OIG issued Audit Report 6-01, Independent Evaluation of SBA’s Information Security Program.  The Federal Information Security Management Act (FISMA) requires the Office of Inspector General to conduct an independent evaluation of the SBA’s Information Security Program.  The objective of this audit was to evaluate SBA’s information security program in accordance with FISMA guidelines.  The OIG found that the SBA continued to have 19 of 20 major systems (95 percent) certified and accredited.  However, the SBA has not been able to timely or sufficiently address the 161 unimplemented system risk-assessment vulnerabilities and the 50 unresolved OIG audit findings for which recommendations had exceeded their estimated target date for correction completion.  A number of these unimplemented audit recommendations and risk-assessment weaknesses are significant to SBA’s information technology environment.

For FY 2005, the Office of Management and Budget (OMB) requested an in-depth review of SBA’s Certification and Accreditation Process.  The OIG identified the following areas of concern during the FISMA review process: (1) SBA’s Certification and Accreditation Program does not meet all necessary aspects of NIST requirements, and (2) SBA’s Privacy Impact Assessment Program did not meet all necessary aspects of OMB requirements.