An audit of the Pension Benefit Guaranty Corporation (PBGC) to ensure adequate compliance with the Federal Information Security Management Act (FISMA) shows a need for improvement in IT security.
The audit also sought to confirm that PBGC met Department of Homeland Security (DHS) reporting requirements and applicable Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) guidance.
The report found that PBGC's program did not reach the level required to be considered effective. Although PBGC took corrective action on prior IT recommendations, weaknesses remained in risk management; vulnerability and configuration management; identity and access management; data protection and privacy; security training; and information security continuous monitoring.
The FISMA framework for evaluating an information security program requires that the five functional areas of PBGC's program be rated "Managed and Measurable," which is a four on a scale of one to five. However, four of the five functional areas in PBGC's program were rated a three, with only one rated a four.
The audit goes on to make additional recommendations for improving PBGC's information security, while acknowledging that institutional maturity is required to fully resolve these issues. It calls for continued management focus to effectively address the identified risks and weaknesses.