The Office of Inspector General (OIG) of the Export-Import Bank of the United States (EXIM Bank) released KPMG’s independent audit report on EXIM Bank’s information security program for FY2018 on March 13. In the report, KPMG, a public accounting firm, provided 14 recommendations that “should strengthen…EXIM’s information security program.”
In the audit, KPMG examined not only EXIM Bank’s overall information security program and practices, but also its compliance with the Federal Information Security Modernization Act of 2014 (FISMA).
“To determine whether EXIM developed and implemented an effective information security program and practices for the period of October 1, 2017 to September 30, 2018, we evaluated the Bank’s security plans, policies, and procedures in place for effectiveness as required by applicable Federal laws and regulations, and guidance issued by OMB [Office of Management and Budget] and the National Institute of Standards and Technology (NIST),” the report explained. KPMG organized its assessment around the five Cybersecurity Functions identified in NIST’s Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.
As the 14 recommendations suggest, the audit’s results were mixed. KPMG found that EXIM has established and maintained its information security program and practices for its information systems across the five Cybersecurity Functions and eight FISMA Metric Domains, consistent with FISMA requirements, OMB policy and guidance, and NIST standards and guidelines. EXIM has also implemented corrective actions over the last year to remediate prior-year deficiencies regarding vulnerability management, baseline configurations, information assurance monitoring, and firewall capabilities. “Additionally, the Bank effectively designed and implemented 12 of 13 controls from NIST Special Publication (SP) 800-53, Revision (Rev.) 4, Security and Privacy Controls for Federal Information Systems and Organizations,” the report found.
However, when KPMG assessed EXIM’s information security program against the DHS FY 2018 IG FISMA Reporting Metrics, it found “that the Cybersecurity Functions’ Identify, Protect, and Detect scored at Level 3: Consistently Implemented, and Respond and Recover scored at Level 2: Defined.” The report further explained that “an information security program is effective when a majority of the five Cybersecurity Functions score Level 4: Managed and Measurable.” Because the majority of EXIM’s Cybersecurity Functions scored at Level 3, “the information security program was considered not effective.”
Additionally, the report found issues in four of the five Cybersecurity Functions. For Identify, KPMG noted that risk management policies and procedures need improvement. It also found that the information security continuous monitoring program was not fully established, which falls under the Detect function. Incident handling policies and procedures were not completely documented at the Bank, which relates to the Respond function. Finally, in regard to Recover, the contingency planning program needs improvement.
KPMG’s recommendations were wide-reaching, and included suggestions on conducting more monitoring and audits, continuing existing information security initiatives and efforts, documenting and implementing baseline security settings, and implementing stronger policies and procedures.
In its response, EXIM said it “concurs with all fourteen recommendations and will move forward with implementing the recommendations.”