The Federal Information Security Management Act of 2002 (FISMA) directs the Office of the Inspector General to annually evaluate the information security program of the entity. Although not subject to FISMA, the Smithsonian has adopted FISMA through its policy because it is consistent with and advances the Smithsonian’s mission and strategic goals.
The objective of this audit was to evaluate the effectiveness of the information security program and practices at the Smithsonian Institution (Smithsonian). We did this by assessing the Smithsonian’s compliance with (1) its security policies, standards, and guidelines, and (2) the standards and guidelines promulgated by the National Institute of Standards and Technology (NIST).
FISMA requires organizations to adopt a risk-based, life cycle approach to addressing information security that includes annual security program reviews, independent evaluations by the Office of the Inspector General, and reports for the Department of Homeland Security and Congress.
During our fiscal year 2013 audit of the Smithsonian’s information security program, we found that OCIO management could strengthen configuration management by implementing security patches in a timely manner, improving workstation configuration settings, and deleting obsolete software. In addition, management needs to:
Further, we found that Smithsonian Astrophysical Observatory (SAO) management did not fully enforce configuration and account management procedures. We also found that management needed to strengthen its physical access monitoring capabilities and report on continuous monitoring activities. Lastly, various sections of SAO’s system security plan for one system were not current, accurate, or complete.
Finally, we found that the National Museum of Natural History (NMNH) management needed to improve account modification procedures for its research collection information system.
We made eight recommendations to improve OCIO’s information security program. We made five recommendations to SAO and two recommendations to NMNH to improve their information security practices. These recommendations address improvements needed in seven information security control groups: configuration management, access control, physical and environmental protection, contingency planning, incident response, awareness and training, planning, and security assessment and authorization.
Management concurred with our findings and recommendations and has proposed corrective actions.