Quality Control Review of the Independent Auditor’s Report on the Surface Transportation Board’s Information Security Program and Practices

Requested By
Required by the Federal Information Security Modernization Act of 2014
Project ID
QC2024038
What We Looked At
The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to implement information security programs. FISMA also requires agencies to have annual independent evaluations performed to determine the effectiveness of their programs and report the results of these reviews to the Office of Management and Budget. To meet this requirement, the Surface Transportation Board (STB) requested that we perform its fiscal year 2024 FISMA review. We contracted with Williams Adley & Company-DC LLP, an independent public accounting firm, to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of STB’s information security program and practices in five function areas—Identify, Protect, Detect, Respond, and Recover. We performed a quality control review (QCR) of Williams Adley’s report and related documentation.

What We Found
Our QCR disclosed no instances in which Williams Adley did not comply, in all material respects, with generally accepted Government auditing standards.

Our Recommendations
STB concurs with the findings and nine recommendations in Williams Adley’s audit report.

Recommendations

No. 1 to STB
Develop and implement a formal process to integrate the results of the STB's business impact analysis (BIA) with its enterprise risk management activities.
No. 2 to STB
Update existing methods of resource allocation to account for system categorization.
No. 3 to STB
Perform a cost benefit analysis of introducing automation to support a centralized view of cybersecurity risks, manage risk designations, maintain privileged accounts, and test system contingency plans; and apply the appropriate risk mitigation strategy.
No. 4 to STB
Develop profiles of expected activities on its networks and systems.
No. 5 to STB
Develop qualitative and quantitative performance measures to evaluate the effectiveness of the following: Configuration management plan and change control activities; Data exfiltration and enhanced network defenses; Data breach response plan; Privacy awareness training program; Incident response capability; ISCM policies, strategy, and processes; Incident detection, analysis, handling, and response activities; Information system contingency plans. For all performance measures, ensure that supporting data is obtained accurately, consistently, and in a reproducible format.
No. 6 to STB
Develop a formal process to collect, analyze, and respond to feedback on the performance of its secure configuration policies and procedures and security awareness and training program.
No. 7 to STB
Resume the assessment of the skills and knowledge of its workforce to tailor its awareness and specialized security training.
No. 8 to STB
Obtain access to the appropriate subject matter experts or training to assist with the implementation of secure configuration settings for its information systems.
No. 9 to STB
Implement the logging requirements outlined within OMB's M-21-31.