
Feb 08

SEC lacks in configuration management, says OIG

Editor’s Note:  The OIG 2011 Annual FISMA Report is attached below.

From: FierceGovernmentIT

The Securities and Exchange Commission hasn’t kept its cybersecurity documentation up to date, resulting in it not conducting baseline control configuration scans and not meeting other requirements of the Federal Information Security Management Act, says the SEC office of inspector general.

In a redacted report dated Feb. 2, the SEC OIG, basing its findings on an assessment conducted by Phoenix, Ariz.-based Networking Institute of Technology, says the agency does have a continuous monitoring program that assesses the security state of its information systems, including vulnerability scanning, patch management, and ongoing assessment of security controls.

But it lacks an updated specification for the controls that should be placed on its systems in the first place and hasn’t scanned to see that even the outdated specifications have been configured correctly, the OIG report says.

The agency’s standard baseline configuration of absolute minimum controls is at least 3 years old, the report adds, meaning it hasn’t incorporated revisions in the governmentwide control catalog, a special publication published by the National Institute of Standards and Technology known as SP 800-53. (NIST is also preparing to release yet another revision to SP 800-53 later this month.)

Auditors also chastise the agency for mistakenly believing that it need not tailor the baseline controls set for low-, moderate- and high-risk systems as defined in SP 800-53. While agencies typically do align their actual controls closely to the low-, moderate- and high-risk control buckets articulated in SP 800-53, under FISMA agencies are also supposed to review those generic sets of controls for effectiveness within their own information technology environments.

SEC’s “use of a generic controls set based only on security categorization without additional tailoring may result in its understating or overstating the security requirements for systems,” the report notes.

SEC-OIG-FISMA.2011
