Quality Control Review of an Independent Auditor’s Report on the Surface Transportation Board’s Information Security Program and Practices

Required by the Federal Information Security Modernization Act of 2014
Project ID: 
What We Looked At
The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to implement information security programs. FISMA also requires agencies to have annual independent evaluations performed to determine the effectiveness of their programs and report the results of these reviews to the Office of Management and Budget (OMB). To meet this requirement, the Surface Transportation Board (STB) requested that we perform its fiscal year 2020 FISMA review. We contracted with Williams Adley & Company-DC LLP (Williams Adley), an independent public accounting firm, to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of STB’s information security program and practices in five function areas—Identify, Protect, Detect, Respond, and Recover.
What We Found
We performed a quality control review (QCR) of Williams Adley’s report and related documentation. Our QCR disclosed no instances in which Williams Adley did not comply, in all material respects, with generally accepted Government auditing standards.
STB concurs with Williams Adley’s six recommendations.
No. 1 to STB

Implement documented processes for granting and removing user access in a consistent manner, as required by STB policies and procedures.

No. 2 to STB

Implement processes for conducting, documenting, and maintaining Position Risk Designations in a consistent manner, as required by STB policies and procedures.

No. 3 to STB

Develop a process for ensuring that the completion of role-based training is tracked and maintained.

No. 4 to STB

Consistently implement the process to ensure all new users complete the mandatory security awareness training requirements prior to being granted access to STB systems.

No. 5 to STB

Fully develop the information security continuous monitoring (ISCM) strategy and all information system ISCM plans to include the required criteria documented in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-137, such as:
a. considerations at the organization/business process level;
b. considerations at the information system level; and
c. processes to review and update the ISCM program and strategy.

No. 6 to STB

Define the process for ensuring the timely collection of established metrics across its operational systems, together with the reporting and evaluation process, so that ISCM stakeholders can make informed decisions.