Federal Information Security Management Act - PowerPoint PPT Presentation
1
Federal Information Security Management Act
  • Department of Energy
  • OIG Evaluation Methodology
  • Dan Weeber

2
Expertise Issues
  • FISMA requires specialized IT audit skills
  • Knowledge of the IT environment
  • Ability to conduct general and application
    control reviews
  • Ability to perform vulnerability and penetration
    testing

3
Logistical Issues
  • DOE highly decentralized
  • 8 major program areas
  • Major contractor operations (approximately 90% of
    120,000 total employees)
  • Over 60 major laboratories and field facilities
    nationwide
  • Over 1,100 major computer systems

4
Resource Issues
  • Limited internal IT audit resources
  • 125 OIG auditors
  • 12 OIG IT auditors
  • Limited financial resources to contract out IT
    audit work

5
Solution
  • Requested and received funding to contract out
    major portions of work
  • Contracted with KPMG to perform IT audit work

6
Solution
  • Collaborative Approach
      • Piggyback on annual financial audit
      • Use rotational approach to site selection
      • Select appropriate subset of sites/systems
      • Incorporate review work done by DOE Oversight
        Office/GAO/Others

7
Contractor Evaluation Tasks
  • Conduct general and application control reviews
  • Perform vulnerability and penetration testing
  • Follow-up on status of all prior year findings
  • Develop draft findings of weaknesses

8
OIG Evaluation Tasks
  • Review Department-wide cyber security program
    planning and management
  • Coordinate between contract auditors and the
    Department
  • Oversee contract auditor field work
  • Review contractor workpapers
  • Consolidate all IT evaluation work

9
OIG FISMA Products
  • Annual evaluation report with recommendations
    covering
      • Department-wide cyber security program planning
        and management issues
      • In-depth review of 31 systems at 20 locations
      • Partial review of numerous other systems and
        locations through other sources
  • Annual submission to OMB

10
Collaborative Approach