The Office of the Inspector General contracted with Castro & Company, LLC to evaluate the effectiveness of the Smithsonian's information security program in fiscal year 2024. For fiscal year 2024, Castro found that the Smithsonian Institution’s information security program was effective overall because it was operating at a managed and measurable level (Level 4) in all five cybersecurity functions (Identify, Protect, Detect, Respond, and Recover).
Castro noted that the Smithsonian continues to make improvements to its information security program. Castro made six recommendations to improve the Smithsonian’s configuration management. Management concurred with all six recommendations.