
Quality Control Review of an Independent Auditor’s Report on the Surface Transportation Board’s Information Security Program and Practices

Required by the Federal Information Security Modernization Act of 2014
Project ID: QC2019001
What We Looked At
The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to implement information security programs. FISMA also requires agencies to have annual independent evaluations performed to determine the effectiveness of their programs and report the results of these reviews to the Office of Management and Budget. To meet this requirement, the Surface Transportation Board (STB) requested that we perform its fiscal year 2018 FISMA review. We contracted with Williams Adley & Company DC LLP (Williams Adley), an independent public accounting firm, to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of STB’s information security program and practices in five function areas—Identify, Protect, Detect, Respond, and Recover.
 
What We Found
We performed a quality control review (QCR) of Williams Adley’s report and related documentation. Our QCR disclosed no instances in which Williams Adley did not comply, in all material respects, with generally accepted Government auditing standards.
 
Recommendations
STB concurs with Williams Adley’s seven recommendations.


No. 1 to STB

Fully develop and implement a risk management strategy and the supporting procedures for maintaining an accurate system inventory.

No. 2 to STB

Develop a configuration management plan with supporting policies and procedures and ensure that the existing Change Management Charter aligns with the plan.

No. 3 to STB

Develop an identity, credential, and access management (ICAM) strategy to guide its ICAM processes and activities, and modify existing identity and access management policies and procedures to adequately address: (a) processes to request, modify, and revoke privileged and non-privileged access; and (b) processes to ensure separation of duties within the organization.

No. 4 to STB

Fully implement the use of PIV cards for personnel to access STB's facilities.

No. 5 to STB

Develop a privacy program, including related plans, policies, and procedures, for the protection of personally identifiable information that is collected, used, maintained, shared, and disposed of by STB's information systems. Furthermore, identify roles and responsibilities for data exfiltration exercises.

No. 6 to STB

Develop an incident response plan in accordance with NIST SP 800-61, Rev. 2.

No. 7 to STB

Modify incident response policies and procedures to incorporate the most recent incident attack vector taxonomy published by US-CERT.