October 26, 2017
Requested by the Surface Transportation Board
The Surface Transportation Board’s Information Security Program Is Not Effective
What We Looked At
The Federal Information Security Management Act of 2002, requires agencies to implement information security programs, conduct annual effectiveness reviews, and report the results to OMB. For 2017’s review, OMB required determination of programs’ maturity levels—(lowest to highest) Ad Hoc, Defined, Consistently Implemented, Managed and Measurable, or Optimized. Our objective was to determine the program’s effectiveness for the 12 months prior to June 30, 2017, in five control areas—Identify, Protect, Detect, Respond, and Recover.
What We Found
STB’s program is at the Ad Hoc maturity level.
STB’s Identify controls—risk management, weakness remediation, and security authorization—were inadequate. STB did not have a risk management program and its process to reauthorize systems was inadequate.
STB’s Protect controls—configuration management, user identity management, and security training—were inadequate. Policy and procedures did not cover software patch installation or parts of user identity management. Only 66 percent of STB employees completed 2017 security awareness training.
STB did not have policy for Detect controls—to identify cybersecurity incidents in an information security continuous monitoring program—and lacked a monitoring strategy.
STB’s Respond controls—incident handling and reporting—were inadequate. The policy did not cover incident response planning and analysis. STB had not collaborated with DHS on incident response.
STB had not implemented Recover controls for contingency planning. STB lacked a plan for system recovery after emergency shutdowns, impact analysis, alternative sites, or data back-up.
We made several recommendations to serve as a roadmap for STB to develop an effective information security program. STB concurred with all of our recommendations.