INFORMATION TECHNOLOGY: Improving Security of Publicly Accessible Websites Could Help Limit Cyber Risk

The Office of Inspector General (OIG) conducted an audit of Amtrak’s (the company) website security program. Our audit objective was to assess whether current controls provide reasonable assurance that the company’s publicly accessible websites are secure. The company uses numerous information technology (IT) applications accessible to the public via the Internet. Given the company’s reliance on publicly accessible websites, we compared its practices for IT website security to leading practices from the private and public sectors, including those of the National Institute of Standards and Technology.