Our Objective(s)
To perform a quality control review (QCR) of Williams Adley & Company-DC LLP's fiscal year 2025 audit of the effectiveness of STB's information security program and practices.
Why This Audit
The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to implement information security programs. The Act also requires agencies to have annual independent evaluations performed to determine the effectiveness of their programs and report the results of these reviews to the Office of Management and Budget. To meet this requirement, STB requested that we perform its fiscal year 2025 FISMA review. Williams Adley of Washington, DC, completed the audit of STB's information security program and practices under contract with the Office of Inspector General. We performed a QCR of Williams Adley's report and related documentation.
What We Found
The independent auditor, Williams Adley, found that STB's information security program and practices were not effective and made five recommendations to improve STB's information security program.
1. Develop and implement a formal process for defining, documenting, and maintaining its cybersecurity target profile(s).
2. Develop and formalize thresholds or target values for key cybersecurity and risk performance metrics.
3. Develop and implement detailed procedures to support its existing supply chain risk management policy and implementation plan.
4. Establish policies and standards for data classification, quality, access, lifecycle management, and metadata management.
5. Identify the baseline knowledge, skills, and abilities required for STB's cybersecurity workforce, conduct an assessment to determine any skill gaps, and customize specialized training to address the identified deficiencies.
Our QCR disclosed no instances in which Williams Adley did not comply, in all material respects, with generally accepted Government auditing standards.
Recommendations
STB concurs with Williams Adley's five recommendations.