Management Letter: Review of Configuration Management
FISMA assigned the responsibility for establishing governmentwide policies
for the management of information security programs to the director of
the Office of Management and Budget (OMB). As part of this responsibility,
OMB issued memorandum M-04-25 in August 2004 to assist agencies in fulfilling
their FISMA evaluation and reporting responsibilities. M-04-25 required
each OIG to report on specific security-related performance measures,
including whether the agency's Chief Information Officer (CIO) has implemented
agency-wide policies that require detailed, specific security configurations
and the degree to which those configurations are implemented. To accomplish
this reporting requirement, we obtained security settings for selected
categories of hardware such as servers, workstations, and routers from
staff in the Division of Information Technology (IT). We then compared
the actual settings used in production against the information provided
by IT staff for a judgmental sample of devices maintained by IT and the
Division of Research and Statistics. We did not evaluate the appropriateness
of the settings as part of this review.
Based on our fieldwork, we provided a restricted management report to
the Board's CIO for review and comment. Our report contains four recommendations
designed to address the Board's security configuration setting process
and related procedures. Although the CIO's initial written response indicated
disagreement with several of our recommendations and the underlying issues,
we note that the Board's Information Security Committee has initiated
actions to address our three recommendations specifically related to configuration
management. We will continue to review actions taken in this area during
future FISMA audit work.