Audit Report 5-02: Independent Evaluation of SBA's Information Security Program
On October 7, 2004, the OIG issued Audit Report 5-02, Independent Evaluation of SBA’s Information Security Program. The Federal Information Security Management Act (FISMA) requires the Office of Inspector General to conduct an independent evaluation of the SBA’s Information Security Program. The objective of this audit was to evaluate SBA’s information security program in accordance with FISMA guidelines. The OIG had one finding: Computer security capital planning is not FISMA compliant. The OIG also found that the SBA had not sufficiently addressed the 248 open system risk assessment vulnerabilities and open OIG audit findings that included 118 open risk assessment vulnerabilities. Further, the SBA had not sufficiently addressed the 14 OIG audit findings that had exceeded their estimated completion target date. The OIG also identified five significant deficiencies in SBA’s computer security program that had previously been identified in 11 earlier OIG recommendations.