EVALUATION OF THE SMALL BUSINESS ADMINISTRATION'S INFORMATION SECURITY PROGRAM
Report Number: 07-74 Date Issued: February 22, 2007
Memorandum
U.S. Small Business Administration, Office of Inspector General
To: Christine Liu, Chief Information Officer
[Exemption 6]
Date: February 22, 2007
From: Assistant Inspector General for Auditing
Subject: Advisory Memorandum Report on SBA's Information Security Program
This report presents the results of our fiscal year (FY) 2006 evaluation of the Small Business Administration's (SBA) information security program. The Federal Information Security Management Act (FISMA) requires the Office of Inspector General (OIG) to annually assess SBA's progress in correcting weaknesses identified in last year's FISMA review and to provide input on SBA's annual FISMA report in accordance with specific reporting instructions issued by the Office of Management and Budget (OMB). Reporting instructions for FY 2006 were provided in OMB Memorandum 06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.
Our input into SBA's annual FISMA report, which was submitted to OMB in October 2006, is attached in Appendix III. This input was based on tests of 11 of SBA's 19 major systems. Three of these systems were reviewed by different Independent Public Accountants using Statements of Auditing Standards (SAS) 70, Type II auditing procedures. Eight of these systems were reviewed by our Independent Public Accountants, KPMG, in accordance with the Federal Information Systems Control Audit Manual. We utilized reviews of these 11 systems along with our own reviews of SBA security documentation to come to our conclusions on SBA's information security program.
We also attempted, but were unable, to review SBA's 82 non-major systems for compliance with the certification and accreditation (C&A) provisions of FISMA. SBA had not classified the sensitivity of information in 80 of its 82 non-major systems to determine which systems should be certified and accredited. A more detailed discussion of our scope and methodology is in Appendix I.
SBA reviewed a draft of this report and concurred with the findings and recommendations. SBA's full response is included in Appendix II of this report.
RESULTS
During FY 2006 SBA made a concerted effort to correct weaknesses identified in previous FISMA reviews. Consequently, only four recommendations remain unresolved. Of these, two involve corrective actions targeted for June 30, 2006, which are past due. SBA has not fully incorporated continuous monitoring of major applications and general support systems into its C&A requirements, nor has it required that configuration management plans be included in C&A packages for all of its systems. Actions on the two remaining recommendations are to be completed in calendar year 2007. Our assessment of SBA's progress in correcting weaknesses previously identified is summarized in Appendix IV.
SBA has also made improvements in its Computer Security Program. In FY 2005, SBA fully certified and accredited 9 of the 11 systems we evaluated. The two remaining systems had interim C&As. SBA also met FISMA requirements for managing an agency-wide plan of action and milestone process to track its progress in addressing IT security weaknesses, establishing agency-wide security configuration policy and guidelines, reporting security incidents, and providing security awareness training.
Despite this progress, SBA still needs to improve its program in two areas: classifying the sensitivity of its non-major systems and ensuring that contingency plans for all contractor-operated systems are tested. FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, requires that all information and information systems be categorized by an appropriate risk level to ensure an appropriate level of information security. However, SBA had not classified the sensitivity of information in 80 of its 82 non-major systems to determine which systems should be certified and accredited. Consequently, we were unable to assess the adequacy of security protection for these systems.
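The FIPS 199 categorization the report refers to is mechanical once the impact levels of a system's information types are known: for each security objective (confidentiality, integrity, availability) the system takes the highest impact of any information type it handles, and the overall impact level is the high-water mark across the three objectives. The script below is an added illustration, not part of the OIG report or SBA's inventory; the system names, information types and impact values are constructed sample data, and it also flags systems with no categorization recorded, which is the inventory gap the finding describes.

```python
"""FIPS 199 security categorization over a small constructed system inventory.

Added illustration (not from the OIG report). It applies the FIPS 199 rule:
the security category of a system is the per-objective maximum over the
information types it handles, and the overall impact level is the high-water
mark across confidentiality, integrity and availability. System names and
impact values below are constructed sample data, not SBA's inventory.
"""
from dataclasses import dataclass, field

LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {name: i for i, name in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective):
        level = getattr(self, objective)
        if level not in RANK:
            raise ValueError(f"{self.name}: invalid {objective} impact {level!r}")
        return level


@dataclass
class System:
    name: str
    info_types: list = field(default_factory=list)  # empty == not yet categorized


def categorize_system(info_types):
    """Return {objective: level, ..., 'overall': level} per FIPS 199.

    Per objective: highest impact over all information types.
    Overall (high-water mark): highest of the three objectives.
    Returns None when no information types are recorded.
    """
    if not info_types:
        return None
    category = {}
    for objective in OBJECTIVES:
        category[objective] = max((it.impact(objective) for it in info_types), key=RANK.get)
    category["overall"] = max((category[o] for o in OBJECTIVES), key=RANK.get)
    return category


def format_category(category):
    """Render in the FIPS 199 notation SC = {(confidentiality, X), ...}."""
    return "SC = {" + ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES) + "}"


def inventory_report(systems):
    """Split an inventory into categorized systems and those still lacking a
    FIPS 199 categorization (the gap the audit finding describes)."""
    categorized = {}
    uncategorized = []
    for system in systems:
        category = categorize_system(system.info_types)
        if category is None:
            uncategorized.append(system.name)
        else:
            categorized[system.name] = category
    return categorized, uncategorized


# Constructed sample inventory (hypothetical names and impact levels).
SAMPLE_INVENTORY = [
    System("Loan Application Portal", [
        InfoType("Borrower PII", "MODERATE", "MODERATE", "LOW"),
        InfoType("Loan decision records", "LOW", "HIGH", "MODERATE"),
    ]),
    System("Public Web Site", [
        InfoType("Press releases", "LOW", "LOW", "LOW"),
    ]),
    System("Legacy Reporting Tool"),        # no information types recorded
    System("Contractor Ticketing System"),  # no information types recorded
]


def main():
    categorized, uncategorized = inventory_report(SAMPLE_INVENTORY)
    for name, category in categorized.items():
        print(f"{name}: {format_category(category)} -> overall {category['overall']}")
    print(f"{len(uncategorized)} of {len(SAMPLE_INVENTORY)} systems lack a FIPS 199 category:")
    for name in uncategorized:
        print(f"  - {name}")


if __name__ == "__main__":
    main()
```

The overall level is what drives the downstream decision the report is concerned with: a system that cannot be placed at low, moderate or high impact cannot be matched to a control baseline or scheduled for C&A, which is why an inventory entry with no information types recorded is reported as a gap rather than silently treated as low.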
SBA also did not ensure that three of seven disaster recovery plans for its major contractor-operated systems were tested. NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, and OMB Memorandum 06-20 require agencies to develop system disaster recovery plans and restoration procedures, which would recover SBA's systems based upon the business impact to the agency. However, SBA did not have documentation to show that disaster recovery plans had been tested in FY 2006 for the:
Business Development Management System;
Contract 7(a)/503/504 Loan Servicing System; and
Loan/Lender Monitoring System.
Because these plans have not been tested, SBA has no assurance that these systems could be restored in the event of emergencies according to the time frames specified in SBA's business impact analyses. SBA needs to either modify existing contract language or related service-level agreements to ensure that all of its major contractor-operated systems are annually tested for disaster recovery and that test results are documented.
RECOMMENDATIONS
We recommend that the Chief Information Officer:
1. Classify the FIPS 199 risk level for all non-major information systems identified in SBA's systems inventory and document these classifications in its inventory accordingly.
2. Certify and accredit all low-, moderate-, and high-impact non-major systems in accordance with FISMA requirements.
3. Ensure that current contracts or service-level agreements are modified to require that disaster recovery plans for all SBA contractor-operated systems are annually tested and the test results documented.
AGENCY COMMENTS
The Agency provided written comments on a draft of this report concurring with all findings and recommendations in the draft report. SBA's comments are summarized in the Results in Brief section, and the full text of the comments can be found in Appendix II to this report.
APPENDIX I. SCOPE AND METHODOLOGY
We performed an independent evaluation of SBA's information security program for the period August 16, 2003, to August 15, 2006, to reach conclusions about the adequacy of the FISMA reporting areas. Our evaluation was performed in accordance with instructions provided in Office of Management and Budget Memorandum 06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.
Our evaluation included tests of 11 of SBA's 19 major systems. Three of these systems were reviewed by different Independent Public Accountants using Statements of Auditing Standards (SAS) 70, Type II auditing procedures. Eight of these systems were reviewed by our Independent Public Accountants, KPMG, in accordance with the Federal Information Systems Control Audit Manual. In addition, for each major system tested we reviewed program documentation to determine whether each system maintained a valid certification and accreditation and had a tested disaster contingency plan for the fiscal year. Our findings were confirmed in discussions with SBA officials. We also attempted, but were unable, to review SBA's 82 non-major systems for compliance with certification and accreditation provisions; SBA did not have adequate documentation to support valid conclusions. We also considered prior audits related to SBA's information systems computer security program issued by our office in fiscal year 2006.
Our evaluation was performed at SBA's headquarters office in Washington, D.C., from May 2006 through October 2006.
APPENDIX II. MANAGEMENT COMMENTS
Date: January 25, 2007
To: Debra S. Ritt, Assistant Inspector General for Auditing
From: Christine H. Liu, Chief Information Officer, Chief Privacy Officer
[Exemption 6]
Subject: OCIO's Response to Draft Advisory Memorandum Report on SBA's Information Security Program
Please find attached OCIO's response to the recommendations addressed in the above [Exemption 2] report. If you require additional information, please contact me at (202) 205-6708.
Attachment
cc: Jovita Carranza, Deputy Administrator
Response to Office of Inspector General's Audit Report on the Evaluation of the Small Business Administration's Information Security Program (Project No. 6028):
1. Classify the FIPS 199 risk level for all non-major information systems identified in SBA's systems inventory and document these classifications in its inventory accordingly. (Agree)
OCIO's Response: OCIO's IT Security Office developed a Minor Application Certification process that includes the classification process using FIPS 199 guidance. All systems/applications in the SBA inventory will be classified according to FIPS 199. To date, 60 systems have been rolled into a major application system or a general support system; 7 outsourced systems/applications are in the C&A process; 10 applications have been retired; and 5 outsourced systems are in the development phase. The target completion date is June 30, 2007.
2. Certify and accredit all low-, moderate-, and high-impact non-major systems in accordance with FISMA requirements. (Agree)
OCIO's Response: (See Response to No. 1 above)
3. Ensure that current contracts or service-level agreements are modified to require that disaster recovery plans for all SBA contractor-operated systems are annually tested and test results documented. (Agree)
OCIO's Response: OCIO will meet with the Office of Administration to ensure that all existing contracts and service-level agreements are modified to include boilerplate language requiring annual testing of all disaster recovery plans for SBA contractor-operated systems and documentation of test results. In addition, OCIO's IT Security Office will develop a method to track compliance with this new requirement. The target completion date is September 30, 2007.
Redaction Marker: 7 pages withheld under FOIA or PA Exemption 2; Description: Appendix III - FISMA Reporting Template
Redaction Marker: 2 pages withheld under FOIA or PA Exemption 2; Description: Appendix IV - Open FISMA Prior Year Recommendations
APPENDIX V. REPORT DISTRIBUTION
Recipient (No. of Copies)
Office of the Chief Financial Officer, Attention: Jeffrey Brown
General Counsel (3)
Office of Management and Budget (1)
U.S. Government Accountability Office (1)