GAO updates manual for information system audits

The Government Accountability Office today said it has significantly revised its manual for guiding agencies how to perform information system control audits to reflect the use of modern technology, more technical criteria and changes in government auditing standards.

The Federal Information System Controls Audit Manual focuses on evaluating the effectiveness of general and application controls that include system, business process and data management system controls, GAO said in a report. The manual also incorporates an evaluation of security management controls in networks, operating systems, infrastructure applications and business process applications across an agency.

Controls provide reasonable assurance that systems are managed effectively, such as periodic assessment of risk for security management or routine monitoring of secure configuration for configuration management, GAO said.

Inspectors general may use the manual as a foundation on which to independently evaluate their agencies’ information security program under the Federal Information Security Management Act (FISMA), the report said. Topics in the manual can help agency IGs to select a set of systems to evaluate and to report the results of tests of controls as part of FISMA requirements, GAO said.

Based on guidance from the National Institute of Standards and Technology, the manual uses a top-down, risk-based approach to determine how effective and efficient audit procedures are, GAO said. The federal environment has become very networked over the years, and the nature of information system risks continues to evolve, said Gregory Wilshusen, GAO’s director of information security issues.

“Protecting government computer systems has never been more important because of the complexity and interconnectivity of systems (including Internet and wireless), the ease of obtaining and using hacking tools, the steady advances in the sophistication and effectiveness of attack technology, and the emergence of new and more destructive attacks,” he said.

The manual was originally issued in 1999, and GAO published a draft of the updates for public comments in July 2008, GAO said.

The update reorganized control categories to broaden security management based on security requirements and best practices consistent with guidance from NIST and the Office of Management and Budget and to put more emphasis on controls for a networked environment, such as access controls, configuration management, segregation of duties and contingency planning, the report said.

The report is at http://www.gao.gov/cgi-bin/getrpt?GAO-09-232G

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.