Skip navigation
Share this page

In Brief: FY 2013 Evaluation of the Smithsonian Institution’s Information Security Program, No.A-13-10, Issued July 9, 2014

Why We Did This Audit

The Federal Information Security Management Act of 2002 (FISMA) directs the Office of the Inspector General to annually evaluate the information security program of the entity. Although not subject to FISMA, the Smithsonian has adopted FISMA through its policy because it is consistent with and advances the Smithsonian’s mission and strategic goals.

The objective of this audit was to evaluate the effectiveness of the information security program and practices at the Smithsonian Institution (Smithsonian). We did this by assessing the Smithsonian’s compliance with (1) its security policies, standards, and guidelines, and (2) the standards and guidelines promulgated by the National Institute of Standards and Technology (NIST).


FISMA requires organizations to adopt a risk-based, life cycle approach to addressing information security that includes annual security program reviews, independent evaluations by the Office of the Inspector General, and reports for the Department of Homeland Security and Congress.

What We Found

During our fiscal year 2013 audit of the Smithsonian’s information security program, we found that OCIO management could strengthen configuration management by timely implementing security patches, improving workstation configuration settings, and deleting obsolete software. In addition, management needs to:

  • •Strengthen procedures for remote access,
  • •Improve system backup processes, and
  • •Ensure that staff are appropriately trained in the areas of incident reporting and security.

Further, we found that Smithsonian Astrophysical Observatory (SAO) management did not fully enforce configuration and account management procedures. We also found that management needed to strengthen its physical access monitoring capabilities and report on continuous monitoring activities. Lastly, various sections of SAO’s system security plan for one system was not current, accurate, or complete.

Finally, we found that the National Museum of Natural History (NMNH) management needed to improve account modification procedures for its research collection information system.

What We Recommended

We made eight recommendations to improve OCIO’s information security program. We made five recommendations to SAO and two recommendations to NMNH to improve their information security practices. These recommendations address improvements needed in seven information security control groups: configuration management, access control, physical and environmental protection, contingency planning, incident response, awareness and training, planning, and security assessment and authorization.

Management concurred with our findings and recommendations and has proposed corrective actions.

Click to view the full report.

Download Adobe Reader for PDF files at