Skip navigation
Share this page

Information Security: Opportunities to Reduce the Risk of Unauthorized Access to the Smithsonian Institution’s Publicly Accessible Websites (OIG-A-17-05, September 27, 2017)

What OIG Did

The objective of this audit was to assess to what extent the Smithsonian had processes in place to prevent, detect, and resolve security vulnerabilities on the Smithsonian’s publicly accessible websites. The audit focused on obtaining an inventory of publicly accessible websites; conducting vulnerability testing, which included an in-depth test of websites to simulate a focused attack by a skilled adversary; and reviewing the Smithsonian’s policies, procedures, and processes to manage website security.


The Smithsonian’s websites help the Smithsonian in achieving its goal of providing broader access to exhibitions, research, programs, collections, and digital assets. The Smithsonian’s web presence also allows the public to make purchases from its online stores, sign up to be a volunteer, or apply for an internship. In fiscal year 2016, more than 134 million people visited the Smithsonian’s public websites.

What OIG Found

Publicly accessible websites pose significant risk to the Smithsonian Institution (Smithsonian) because anyone with an Internet connection could target a website to gain access to its stored data or gain entry into its network. In fact, two of the Smithsonian’s information systems were compromised in 2016 due to website vulnerabilities. In one case, the compromise led to the disclosure of personal data for more than 1,000 researchers.

The Office of the Inspector General (OIG) determined that the Smithsonian had elements of the key processes in place to prevent, detect, and resolve website vulnerabilities. However, the Smithsonian needs to consistently apply those processes to resolve vulnerabilities, maintain its website inventory, and monitor websites for new threats. Specifically, Smithsonian websites were at increased risk of unauthorized access due to unresolved security vulnerabilities. In November 2016, OIG found that information technology security staff had identified 10,855 high, medium, and low vulnerabilities in websites and supporting information systems that system administrators had not resolved within the required time frames.

In addition, the inventory of publicly accessible websites was incomplete. For example, the OIG identified 36 websites that did not appear in the Office of the Chief Information Officer’s website inventory and were not being scanned for security vulnerabilities. Finally, website owners did not always monitor security logs for indicators of attack. The OIG found that responsible staff for 6 of 10 websites reviewed could not provide evidence that they reviewed website security logs for indicators of attack during the 2 months selected for testing. Until these issues are resolved, the Smithsonian’s publicly accessible websites are at heightened risk of unauthorized access.

What OIG Recommended

The OIG made four recommendations to enhance website security. Management agreed with all four recommendations.

Download Adobe Reader for PDF files at