Federal Information Security Management Act (FISMA) Compliance FY 2003
As part of our financial audit, we conduct information technology security reviews to evaluate the effectiveness of the Corporation's information security program. Our work follows the guidance in GAO's Federal Information System Controls Audit Manual and reflects the impact of the general controls on PBGC's significant financial systems. During the reporting period, we completed reviews of:
- Entity Wide Security (overall security program),
- Access Control (authorization, authentication, monitoring, and integrity),
- Service Continuity (contingency and business recovery planning),
- Systems Software (security and operational controls related to the computer platforms on which the business systems operate, i.e., UNIX, Windows NT, Novell, etc.), and
- Application Development and Change Control (system life cycle management, new system development, and maintenance to existing systems).
In past financial statement audits, the OIG has reported to PBGC internal control conditions regarding implementation of a systems development life cycle (SDLC) methodology, financial systems integration issues, information security, and business continuity. These, along with other issues related to security that were identified in the FY 2002 financial statement audits, should be included on the POA&M for FY 2003. This will provide PBGC with another mechanism to monitor progress on and final disposition of corrective actions for these issues. We are also encouraged that management initiated a major effort to integrate financial systems in response to OIG work on the Premium Accounting System.
As a result of our work, PBGC has developed and implemented written policies and procedures addressing operational and physical controls that promote a strong security-related environment. Although weaknesses were identified in the enforcement of these policies, we are encouraged by the progress PBGC has made in addressing the issues in this report.