Audit Reports


The Surface Transportation Board’s Information Security Program Is Not Effective

Requested by the Surface Transportation Board
Project ID: FI2018002
What We Looked At
The Federal Information Security Management Act of 2002 requires agencies to implement information security programs, conduct annual effectiveness reviews, and report the results to the Office of Management and Budget (OMB). For the 2017 review, OMB required a determination of each program's maturity level, from lowest to highest: Ad Hoc, Defined, Consistently Implemented, Managed and Measurable, or Optimized. Our objective was to determine the effectiveness of STB's program for the 12 months prior to June 30, 2017, in five control areas: Identify, Protect, Detect, Respond, and Recover.
 
What We Found
STB’s program is at the Ad Hoc maturity level. 
 
STB’s Identify controls—risk management, weakness remediation, and security authorization—were inadequate. STB did not have a risk management program and its process to reauthorize systems was inadequate.
 
STB’s Protect controls—configuration management, user identity management, and security training—were inadequate. Policy and procedures did not cover software patch installation or parts of user identity management. Only 66 percent of STB employees completed 2017 security awareness training.
 
STB had no policy for Detect controls, which identify cybersecurity incidents through an information security continuous monitoring (ISCM) program, and it lacked a monitoring strategy.
 
STB’s Respond controls—incident handling and reporting—were inadequate. The policy did not cover incident response planning and analysis. STB had not collaborated with DHS on incident response.
 
STB had not implemented Recover controls for contingency planning. STB lacked a plan for recovering systems after emergency shutdowns and had not performed business impact analyses, arranged alternate processing sites, or established data backups.
 
Our Recommendations
We made several recommendations to serve as a roadmap for STB to develop an effective information security program. STB concurred with all of our recommendations.

Recommendations

Closed on 07.19.2019
No. 1 to STB

Complete implementation of policies and procedures for: a. Risk management, including a risk management plan and assessment, b. System authorization, and c. Plans of actions and milestones.

Closed on 11.07.2018
No. 2 to STB

Complete the system reauthorization of the STB LAN.

Closed on 11.07.2018
No. 3 to STB

Complete service level agreements or similar documents that permit STB or its auditor to perform tests and/or obtain supporting documentation to demonstrate that cloud systems are properly authorized to operate.

Closed on 07.19.2019
No. 4 to STB

Define specifications and acquire an automated solution to assist with the risk management program.

Closed on 04.26.2019
No. 5 to STB

Develop policies and procedures for the implementation of an information security architecture.

Closed on 05.28.2019
No. 6 to STB

Modify existing procedures to fully address identification, reporting, and resolution of information system flaws, including timely patch installation.

Closed on 11.07.2018
No. 7 to STB

Incorporate missing elements, such as a change control board charter, into its enterprise-wide configuration management plan.

Closed on 06.07.2019
No. 8 to STB

Modify identity and access management policies and procedures to adequately address:
a. Reviews of as-is states, desired states, and a transition plan.
b. Processes for assigning personnel risk designations prior to granting access to its systems.
c. Processes for developing, documenting, and maintaining access agreements for individuals with system access.
d. Requirements for remote access.

No. 9 to STB

Conduct a needs assessment to formally determine the organization's awareness and training needs, including but not limited to developing and implementing a formal process for assessing the skills, knowledge, and abilities of its workforce.

No. 10 to STB

Develop and implement a formal process for measuring the effectiveness of its security awareness and training program.

No. 11 to STB

Modify the training plan to include missing elements such as funding, goals and use of technology.

No. 12 to STB

Develop and implement an ISCM program that, at a minimum, provides awareness of threats and vulnerabilities.

Closed on 05.28.2019
No. 13 to STB

Modify its policies and procedures to address missing components such as incident detection and analysis; incident prioritization, containment, eradication, and recovery; coordination, information sharing, and reporting; incident response training and testing; and considerations for major incidents.

No. 14 to STB

Implement its contingency planning policy by performing business impact analyses, updating or completing system contingency plans, testing contingency plans, performing necessary backups, and obtaining an adequate alternate processing site, if needed.