Skip navigation
Share this page

Fiscal Year 2015 Independent Evaluation of the Smithsonian Institution’s Information Security Program (OIG-A-16-11, September 30, 2016)

What OIG Did

The Office of the Inspector General (OIG) contracted with an independent public accounting firm, CliftonLarsonAllen LLP, to conduct this audit. The objective of this audit was to determine the extent to which the Smithsonian Institution’s information security program and practices complied with Federal Information Security Modernization Act (FISMA) requirements, Department of Homeland Security (DHS) reporting requirements, and applicable Office of Management and Budget and National Institute of Standards and Technology guidance.


FISMA was enacted in 2002 to strengthen the security of federal government information systems. Although the Smithsonian is not subject to FISMA because it is not an executive branch agency, the Smithsonian has adopted FISMA through its Technical Standards and Guidelines.

FISMA requires organizations to adopt a risk-based, life-cycle approach to improving information security that includes annual security program reviews, independent OIG evaluations, and reporting to DHS and the Congress.

What Was Found

According to CliftonLarsonAllen LLP (CLA), the Smithsonian generally exercised effective management and oversight of its information security program. However, CLA found areas in the information security program that require strengthening. Specifically, CLA found control deficiencies in

  • • identity management and user access,
  • • incident response monitoring,
  • • risk management,
  • • contractor systems oversight, and
  • • role-based security training.

For example, CLA identified that 17.9 percent of users had been granted local administrator access on desktop workstations. Administrative access allows the user to perform actions that would otherwise be restricted, such as installing software and changing security settings. Misuse of local administrator access, either intentionally or unintentionally by authorized users, can have significant adverse impacts, such as installing malicious software throughout the organization’s network.

In addition, CLA identified a lack of automated analysis and alerting of possible security incidents, such as suspected or actual computer system breaches, from the security monitoring system. This system correlates and analyzes system logs to identify potential security incidents. Without automated analysis and alerting, the ability to detect and respond to security incidents is hindered.

Finally, CLA found that the Smithsonian needs to continue to focus on fully implementing recommendations from prior years, such as maintaining an accurate inventory of hardware and software, establishing a continuous monitoring strategy, and managing system security configurations.

What Was Recommended

CLA made 11 recommendations to address the control deficiencies noted above. Key recommendations included reducing the number of users with desktop administrator access and ensuring that providing alerts for security events is automated. Smithsonian management generally concurred with CLA’s recommendations and proposed corrective actions.

Download Adobe Reader for PDF files at