The agency that administers the Thrift Savings Plan, the Federal Retirement Thrift Investment Board, received the lowest of 5 possible scores on a recent audit to determine its compliance with federal information security standards.
The consulting firm Williams Adley sent auditors to examine the information security program at the FRTIB under the Federal Information Security Modernization Act. In the first annual assessment of FRTIB’s policies, the agency scored Level 1 out of 5 under the law’s fiscal 2017 inspector general reporting metrics.
Auditors found some of the IT policies “ad hoc” in nature, despite FRTIB having recently started several initiatives to upgrade its IT infrastructure and cybersecurity. By comparison, an effective information security program is rated at Level 4, which includes the collection of “quantitative and qualitative measures on the effectiveness of policies, procedures, and strategy” at an agency and an assessment of needed changes.
“FRTIB has not fully developed and implemented an effective organization-wide information security program,” the auditors said. “Williams Adley identified a number of control deficiencies related to people, process, and technology across all 7 IG FISMA metric domains.”
However, officials at FRTIB explained their poor score. For a policy to count toward improving an agency’s FISMA score, it must have been in place for an entire fiscal year. As a result, any changes to their information security policies made after September 30, 2016, would not have been considered in the audit.
TSP Executive Director Ravindra Deo echoed this, saying, “Any change needs to be operating for the entire year to show up in the score.”
Auditors listed many factors behind the “ad hoc” rating, including a “control-driven” or reactive information security process, inadequately defined responsibilities and “inappropriate” oversight between FRTIB and its contractors, and efforts that focus on symptoms of problems rather than their root causes.
The audit recommended FRTIB “clearly define an organization-wide risk-based information security program” and also reevaluate its governance structure to ensure better oversight and monitoring of information security issues.
The agency said it is moving forward with plans to implement these recommendations.