
GAO updates manual for information system audits

The Government Accountability Office today said it has significantly revised its manual for guiding agencies on how to perform information system control audits, to reflect the use of modern technology, more technical criteria and changes in government auditing standards.

The Federal Information System Controls Audit Manual focuses on evaluating the effectiveness of general and application controls that include system, business process and data management system controls, GAO said in a report. The manual also incorporates an evaluation of security management controls in networks, operating systems, infrastructure applications and business process applications across an agency.

Controls provide reasonable assurance that systems are managed effectively, such as periodic assessment of risk for security management or routine monitoring of secure configuration for configuration management, GAO said.

Inspectors general may use the manual as a foundation on which to independently evaluate their agencies’ information security program under the Federal Information Security Management Act (FISMA), the report said. Topics in the manual can help agency IGs to select a set of systems to evaluate and to report the results of tests of controls as part of FISMA requirements, GAO said.

Based on guidance from the National Institute of Standards and Technology, the manual uses a top-down, risk-based approach to determine how effective and efficient audit procedures are, GAO said. The federal environment has become very networked over the years, and the nature of information system risks continues to evolve, said Gregory Wilshusen, GAO’s director of information security issues.

“Protecting government computer systems has never been more important because of the complexity and interconnectivity of systems (including Internet and wireless), the ease of obtaining and using hacking tools, the steady advances in the sophistication and effectiveness of attack technology, and the emergence of new and more destructive attacks,” he said.

The manual was originally issued in 1999, and GAO published a draft of the updates for public comments in July 2008, GAO said.

The update reorganized control categories to broaden security management based on security requirements and best practices consistent with guidance from NIST and the Office of Management and Budget and to put more emphasis on controls for a networked environment, such as access controls, configuration management, segregation of duties and contingency planning, the report said.

The report is at http://www.gao.gov/cgi-bin/getrpt?GAO-09-232G

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Reader comments

Fri, Feb 6, 2009 Patrick pmd@myrealbox.com

I strongly support the government's position on this. I think Sharon's point is all wrong and any business that does not subscribe to standards is putting their business and their business's customers in an unacceptable position. Her complaints boil down to not wanting to do hard work and cost. Many studies show that the cost of data breaches is far more expensive than good security standards. Auditing is a good segment of that security.

I think the length of the manual position is silly. Well, it is an extremely complicated world. I currently have over 20 books on my desk or disks that are from Microsoft and all are over 1000 pages. Auditing and secure coding standards have taken a back seat in the industry, and the business customer and society have suffered because of it. I would agree that it would be nicer to not allow products onto the market until they met security standards, but that is not going to happen.

Peace

Thu, Feb 5, 2009 M.

This standard sets an expectation of reactive adherence to standards and good practices, rather than building it into the process from the get-go. I know FISMA's intention is to build it right, but often it becomes a reactive exercise of checking the already built system against the requirements and auditing the system after the fact. There's no doubt that budget is better spent building it right in the first place, not reactively checking for audit issues after it's been built wrong. Essentially, what I'm trying to say is there should be more emphasis and expectation to develop and procure systems that are already FISMA and FISCAM compliant. This is far more cost-efficient than retrofitting the requirements into an existing system. What are OMB and GAO doing to encourage vendors working with the federal government to provide compliant systems out of the box?

Tue, Feb 3, 2009 Sharon

The manual for info systems audits is 601 pages long. This is why there are problems. How could any commercial company stay in business with procedures of this nature? They couldn't afford it. And the level of detail is mind-boggling, so imagine how long it will take a new auditor, replacing a retiring auditor, to perform the audit. And what person in their right mind would want to do this? I just don't see why the procedures must be so extreme. I understand the need for security and the cost of auditing, but why should the customer, the government, need to dictate how procedures are executed so long as the product is good quality, the security is in place and the costs are within budget? And speaking of within budget, the time required for these audits may well contribute to budgets and schedules being missed.
