Audit of NTSB's Information Security Program
On October 13, we issued a final report on NTSB's information security program. In FY 2006, NTSB made a concerted effort to correct security weaknesses identified in prior years. However, continued management attention is needed in several areas: (1) assessing systems risk and assigning a priority to reviewing and testing security protection of systems with a higher-risk impact on NTSB operations, (2) enforcing and following through on the newly established network security requirements, and (3) identifying systems containing sensitive personally identifiable information for proper protection. As a result, NTSB's information security program in our opinion still has a significant deficiency that should be reported as a material internal control weakness on the annual Federal Managers' Financial Integrity Act Report to OMB and Congress.