Audit Report 3-37: Independent Evaluation of SBA’s Information Security Program
On September 17, 2003, the OIG issued Audit Report 3-37, Independent Evaluation of SBA’s Information Security Program. The Federal Information Security Management Act (FISMA) permanently reauthorized and amended agency information security reporting requirements previously authorized under the Government Information Security Reform Act (GISRA). The requirements under FISMA, like GISRA, require the Office of Inspector General to conduct an independent evaluation of the SBA’s Information Security Program. This report presents the results of that evaluation in accordance with specific FISMA reporting instructions issued by the Office of Management and Budget (OMB). The OIG found that generally, SBA’s information security program continued to improve for high priority financial management and general support systems. However, material weaknesses and security vulnerabilities continue to exist in: (1) computer intrusion detection and incident escalation procedures; (2) security controls in the systems development life cycle, (3) system access controls; (4) system certification and accreditation, and (5) disaster recovery and contingency planning. No recommendations were made.