Skip navigation
Share this page

In Brief: Smithsonian Institution Information Security Program, No. A-11-05
Issued May 15, 2012

Why We Did This Audit

The Federal Information Security Management Act of 2002 (FISMA) directs the Office of the Inspector General to annually evaluate the information security program of the entity. The Smithsonian voluntarily complies with FISMA requirements because it is consistent with its strategic goals. We hired an independent auditor to conduct this review on our behalf.


The goal of information security is to build a defensible enterprise that enables organizations to harness technological innovation, while protecting an organization’s information and information systems.

FISMA requires organizations to adopt a risk-based, life cycle approach to improving information security that includes annual security program reviews, independent evaluations by the Office of the Inspector General, and reporting to the Office of Management and Budget(OMB) and the Congress. FISMA, OMB and the National Institute of Standards and Technology (NIST) also identify security requirements for federal information security programs.

What We Found

We determined that during the past year, the Office of the Chief Information Officer (OCIO) made improvements to strengthen the information security program, including proactively reviewing security controls and identifying areas to enhance the program. As part of its ongoing security program, the Smithsonian periodically performs network and system scans and annually provides security assessments and/or authorizations for all major systems, consistent with NIST guidance.

However, additional work is still needed to ensure controls are in place and operating effectively.

We found weaknesses in four areas where OCIO did not do the following:

  • • Maintain evidence that software changes were tested and approved before the changes were implemented;
  • • Provide timely updates to its Technical Security Notes, hence the units did not always adhere to the employee separation process concerning the disabling or termination of user accounts;
  • • Enforce the requirement that units submit quarterly monitoring reports; and
  • • Implement security patches in a timely manner.

We also noted that OCIO has not completed addressing 12 information security recommendations from previous reports. By not implementing these recommendations, the Smithsonian’s IT infrastructure and systems may be more vulnerable to unauthorized modifications and access, as well as the unavailability of important resources.

What We Recommended

We made nine recommendations to strengthen configuration change controls; improve user account management; enforce requirements for continuous monitoring reports; and strengthen patch management and flaw remediation.

Management concurred with our findings and recommendations and has proposed corrective actions that, if timely implemented, will resolve the recommendations.

Click to view the full report.

Download Adobe Reader for PDF files at