GAO updates manual for information system audits

The Government Accountability Office today said it has significantly revised its manual for guiding agencies on how to perform information system control audits, to reflect the use of modern technology, more technical criteria and changes in government auditing standards.

The Federal Information System Controls Audit Manual focuses on evaluating the effectiveness of general and application controls that include system, business process and data management system controls, GAO said in a report. The manual also incorporates an evaluation of security management controls in networks, operating systems, infrastructure applications and business process applications across an agency.

Controls provide reasonable assurance that systems are managed effectively, such as periodic assessment of risk for security management or routine monitoring of secure configuration for configuration management, GAO said.

Inspectors general may use the manual as a foundation on which to independently evaluate their agencies’ information security program under the Federal Information Security Management Act (FISMA), the report said. Topics in the manual can help agency IGs to select a set of systems to evaluate and to report the results of tests of controls as part of FISMA requirements, GAO said.

Based on guidance from the National Institute of Standards and Technology, the manual uses a top-down, risk-based approach to determine how effective and efficient audit procedures are, GAO said. The federal environment has become very networked over the years, and the nature of information system risks continues to evolve, said Gregory Wilshusen, GAO’s director of information security issues.

“Protecting government computer systems has never been more important because of the complexity and interconnectivity of systems (including Internet and wireless), the ease of obtaining and using hacking tools, the steady advances in the sophistication and effectiveness of attack technology, and the emergence of new and more destructive attacks,” he said.

The manual was originally issued in 1999, and GAO published a draft of the updates for public comments in July 2008, GAO said.

The update reorganized control categories to broaden security management, based on security requirements and best practices consistent with guidance from NIST and the Office of Management and Budget, and to put more emphasis on controls for a networked environment, such as access controls, configuration management, segregation of duties and contingency planning, the report said.

The report is at http://www.gao.gov/cgi-bin/getrpt?GAO-09-232G

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
