Skip navigation
Share this page

Smithsonian Enterprises: Audit of the Effectiveness of the Information Security Program (OIG-A-16-05, March 25, 2016)

What OIG Did

OIG contracted with an independent public accounting firm, Crowe Horwath LLP (Crowe), to conduct this audit. The audit objective was to evaluate the effectiveness of Smithsonian Enterprises' (SE) information security program and practices as well as SE’s compliance with the Payment Card Industry Data Security Standard (PCI DSS).


In 1998, the Smithsonian organized its various business activities into a centralized entity known as SE. SE operates a variety of revenue-generating activities including museum stores, a mail-order gift catalog and websites, three IMAX theaters, magazines, licensing, and media.

Crowe completed an information security risk assessment on a sample of servers and network devices across the SE corporate and retail networks, which are a subset of Smithsonian’s corporate network (SInet). Crowe completed an internal penetration assessment across SInet and the SE corporate and retail environments, testing approximately 5,000 devices (servers, workstations, and printers) for vulnerabilities. Crowe also completed a PCI DSS gap assessment.

What Was Found

Crowe found that improvements are needed to address vulnerabilities in four key areas: (1) identity and access management, (2) configuration management, (3) information stored on unencrypted laptops and backup tapes, and (4) unsupported systems.

Identity and access management is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. In its testing, Crowe was able to guess the passwords for some user accounts and to identify multiple accounts that shared the same password. Furthermore, Crowe found that the SE corporate network could be at risk due to systems with weak passwords on the Smithsonian network, SInet.

Configuration management is a collection of activities focused on establishing and maintaining the integrity of information technology products and information systems. This is accomplished through control of processes for initializing, changing, and monitoring the configurations of those products and systems. Crowe found that SE was utilizing insecure communication protocols on its networks. Additionally, a component of point-of-sale system had a vulnerability that could be used to harvest credit card data, known as skimming.

Information stored on laptop computers and backup tapes can be vulnerable to breaches in confidentiality and integrity. SE adopted an industry standard in 2014 to encrypt new laptops to prevent unauthorized access. However, Crowe found that only 16 of 104 existing laptops were encrypted because employees were encouraged, not required, to have existing laptops encrypted. Crowe also found that backup tapes sent for off-site storage were not encrypted.

Unsupported systems are those that need to be replaced because support for the systems’ components is no longer available from the developer, vendor, or manufacturer. Crowe identified some systems were using obsolete, unsupported software. In addition, some servers on the SInet network were running unsupported operating systems, and a network monitoring device was outdated and not receiving updates.

What Was Recommended

Crowe made recommendations to strengthen password requirements, disable insecure communications protocols, disable an insecure card reader function, encrypt mobile media, and replace or update servers that had unsupported operating systems. Smithsonian management concurred with the findings and said that they have addressed or plan to address all the recommendations.

Click for Full Report

Download Adobe Reader for PDF files at