On February 22, 2007, the OIG issued Evaluation Report Number 7-14, Evaluation of the Small Business Administration’s Information Security Program. The Federal Information Security Management Act (FISMA) requires the Office of Inspector General to conduct an independent evaluation of the SBA’s Information Security Program. The objective of this audit was to evaluate SBA’s information security program in accordance with FISMA guidelines.
The OIG found that the SBA made an effort to correct weaknesses identified in previous FISMA reviews, and only four previous recommendations remain unresolved: (1) the SBA has not fully incorporated continuous monitoring of major applications and general support systems, and it (2) it has not yet required that configuration management plans be included in C & A packages for all of its systems. The two remaining recommendations are to be completed during calendar year 2007. The SBA also made improvements in its Computer Security Program by fully certify and accrediting nine of the 11 systems evaluated by the SBA. However, the SBA still needs to improve its program in two areas: (1) classifying the sensitivity of its non-major systems, and (2) ensuring that contingency plans for all contractor-operated systems are tested.
The OIG also found that the SBA did not ensure that three of the seven disaster recovery plans for its major contractor-operated systems that were tested. Further, the SBA did not have documentation to show that disaster recovery plans had been tested in FY 2006 for the: (1) Business Development Management System; (2) Contract 7(2)/503/504 Loan Servicing System; and (3) Loan/Lender Monitoring System. Because these plans had not been tested, the SBA had no assurance that they could restored in the event of emergencies according to periods specified in SBA’s business impact analyses. The SBA needs to modify either existing contract language or related service-level agreements to ensure that all of its major contractor-operated systems are annually tested for disaster recovery and that test results are documented. The OIG made three recommendations.