United States Government Accountability Office GAO February 2009 GAO-09-232G FEDERAL INFORMATION SYSTEM CONTROLS AUDIT MANUAL (FISCAM) This is a work of the U.S government and is not subject to copyright protection in the United States The published product may be reproduced and distributed in its entirety without further permission from GAO However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately United States Government Accountability Office Washington, DC 20548 February 2009 TO AUDIT OFFICIALS, CIOS, AND OTHERS INTERESTED IN FEDERAL AND OTHER GOVERNMENTAL INFORMATION SYSTEM CONTROLS AUDITING AND REPORTING This letter transmits the revised Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM) The FISCAM presents a methodology for performing information system (IS) control audits of federal and other governmental entities in accordance with professional standards, and was originally issued in January 1999 We have updated the FISCAM for significant changes affecting IS audits This revised FISCAM reflects consideration of public comments received from professional accounting and auditing organizations, independent public accounting firms, state and local audit organizations, and interested individuals on the FISCAM Exposure Draft issued on July 31, 2008 (GAO-08-1029G) GAO would like to thank the Council of the Inspectors General on Integrity and Efficiency and the state and local auditor community for their significant input into the development of this revised FISCAM Summary of Major Revisions to FISCAM The revised FISCAM reflects changes in (1) technology used by government entities, (2) audit guidance and control criteria issued by the National Institute of Standards and Technology (NIST), and (3) generally accepted government auditing standards (GAGAS), Information system (IS) controls consist of those internal controls that are dependent on information systems processing and include general controls (entitywide, system, and business process application levels), business process application controls (input, processing, output, master file, interface, and data management system controls), and user controls (controls performed by people interacting with information systems) Page as presented in Government Auditing Standards (also known as the “Yellow Book”) The FISCAM provides a methodology for performing information system (IS) control audits in accordance with GAGAS, where IS controls are significant to the audit objectives However, at the discretion of the auditor, this manual may be applied on other than GAGAS audits As defined in GAGAS, IS controls consist of those internal controls that are dependent on information systems processing and include general controls and application controls This manual focuses on evaluating the effectiveness of such general and application controls This manual is intended for both (1) auditors to assist them in understanding the work done by IS controls specialists, and (2) IS controls specialists to plan and perform the IS controls audit The FISCAM is not intended to be used as a basis for audits where the audit objectives are to specifically evaluate broader information technology (IT) controls (e.g., enterprise architecture and capital planning) beyond the context of general and business process application controls The FISCAM is consistent with the GAO/PCIE Financial Audit Manual (FAM) Also, the FISCAM control activities are consistent with the NIST Special Publication (SP) 800-53 and other NIST and OMB IS control-related policies and guidance and all SP 800-53 controls have been mapped to FISCAM The FISCAM is organized to facilitate effective and efficient IS control audits Specifically, the methodology in the FISCAM incorporates: • Top-down, risk based approach that considers materiality and significance in determining effective and efficient audit procedures and is tailored to achieve the audit objectives GAO, Government Auditing Standards, GAO-07-162G (Washington, D.C.: July 2007) To assist the auditor in identifying criteria that may be used in the evaluation of IS controls, Chapters and include references, where appropriate, to NIST SP 800-53, other NIST standards and guidance, and OMB policy and guidance Also, Appendix IV includes a summary of the mapping of the FISCAM controls to such criteria In addition, audit procedures in FISCAM are designed to enable the auditor to determine if related control techniques are achieved Page • • • • • • Evaluation of entitywide controls and their effect on audit risk Evaluation of general controls and their pervasive impact on business process application controls Evaluation of security management at all levels (entitywide, system, and business process application levels) A control hierarchy (control categories, critical elements, and control activities) to assist in evaluating the significance of identified IS control weaknesses Groupings of control categories consistent with the nature of the risk Experience gained in GAO’s performance and review of IS control audits, including field testing the concepts in this revised FISCAM As discussed above, this manual is organized in a hierarchical structure to assist the auditor in performing the IS controls audit Chapter (general controls) and Chapter (business process application level controls) contain several control categories, which are groupings of related controls pertaining to similar types of risk For each control category, the manual identifies critical elements— tasks that are essential for establishing adequate controls within the category For each critical element, there is a discussion of the associated control activities that are generally necessary to achieve the critical element, as well as related potential control techniques and suggested audit procedures This hierarchical structure facilitates the auditor’s audit planning and the auditor’s analysis of identified control weaknesses Because control activities are generally necessary to achieve the critical elements, they are generally relevant to a GAGAS audit unless the related control category is not relevant, the audit scope is limited, or the auditor determines that, due to significant IS control weaknesses, it is not necessary to assess the effectiveness of all relevant IS controls Within each relevant control activity, the auditor should identify control techniques implemented by the entity and determine whether the control techniques, as designed, are sufficient to achieve the control activity, considering IS risk and the audit objectives The auditor may be able to determine whether control techniques are sufficient to achieve a particular control activity without evaluating and testing all of the control techniques Page Also, depending on IS risk and the audit objectives, the nature and extent of control techniques necessary to achieve a particular control objective will vary If control techniques are sufficient as designed, the auditor should determine whether the control techniques are implemented (placed in operation) and are operating effectively Also, the auditor should evaluate the nature and extent of testing performed by the entity Such information can assist in identifying key controls and in assessing risk, but the auditor should not rely on testing performed by the entity in lieu of appropriate auditor testing If the control techniques implemented by the entity, as designed, are not sufficient to address the control activity, or the control techniques are not effectively implemented as designed, the auditor should determine the effect on IS controls and the audit objectives Throughout the updated FISCAM, revisions were made to reflect today’s networked environment The nature of IS risks continues to evolve Protecting government computer systems has never been more important because of the complexity and interconnectivity of systems (including Internet and wireless), the ease of obtaining and using hacking tools, the steady advances in the sophistication and effectiveness of attack technology, and the emergence of new and more destructive attacks In addition, the FISCAM includes narrative that is designed to provide a basic understanding of the methodology (Chapter 2), general controls (Chapter 3) and business process application controls (Chapter 4) addressed by the FISCAM The narrative may also be used as a reference source by the auditor and the IS control specialist More experienced auditors and IS control specialists may find it unnecessary to routinely refer to such narrative in performing IS control audits For example, a more experienced auditor may have sufficient knowledge, skills, and abilities to directly use the control tables in Chapters and (which are summarized in Appendices II and III) Page A summary of significant changes to FISCAM from the prior version is presented on pages 6-10 Future updates to the FISCAM, including any implementation tools and related materials, will be posted to the FISCAM website at http://www.gao.gov/special.pubs/fiscam.html The revised FISCAM is available only in electronic form at http://www.gao.gov/products/GAO-09-232G on GAO’s Web page This version supersedes previously issued versions of the FISCAM through January 2001 Should you need additional information, please contact us at FISCAM@gao.gov or call Robert Dacey at (202) 512-7439 or Greg Wilshusen at (202) 512-6244 GAO staff who made key contributions to the FISCAM are listed on page 15 Robert F Dacey Chief Accountant Gregory C Wilshusen Director, Information Security Issues Attachment and enclosures Page SUMMARY OF SIGNIFICANT CHANGES TO THE FISCAM Chapter ¾ Expanded purpose ● ● provide guidance for performing effective and efficient Information System (IS) controls audits, either alone or as part of a performance audit, a financial audit, or an attestation engagement, including communication of any identified IS control weaknesses; and inform financial, performance, and attestation auditors about IS controls and related audit issues, so that they can (1) plan their work in accordance with Generally Accepted Government Auditing Standards (GAGAS) and (2) integrate the work of IS controls specialists with other aspects of the financial or performance audit or attestation engagement ¾ Conformity with July 2007 Revision to Government Auditing Standards – (“Yellow Book”)(GAGAS), including information system control categories ¾ Conformity with AICPA auditing standards, including new risk standards ¾ An overall framework of IS control objectives (see summary on pages 11-13) This section summarizes significant changes to the FISCAM since the prior version Page Chapter ¾ IS audit methodology consistent with GAGAS and FAM, including planning, testing, and reporting phases (see a summary of methodology steps on pages 14-15), which incorporates: • • • • • Page A top-down, risk-based evaluation that considers materiality and significance in determining effective and efficient audit procedures (the auditor determines which IS control techniques are relevant to the audit objectives and which are necessary to achieve the control activities; generally, all control activities are relevant unless the related control category is not relevant, the audit scope is limited, or the auditor determines that, due to significant IS control weaknesses, it is not necessary to test all relevant IS controls) An evaluation of entitywide IS controls and their effect on audit risk, and therefore on the extent of audit testing (effective entitywide IS controls can reduce audit risk, while ineffective entitywide IS controls result in increased audit risk and generally are a contributory cause of IS control weaknesses at the system and business process application levels) An evaluation of general controls and their pervasive impact on business process application controls (effective general controls support the effectiveness of business process application controls, while ineffective general controls generally render business process application controls ineffective) An evaluation of security management at all levels of control —entitywide, system (includes networks, operating systems, and infrastructure applications), and business process application levels A control hierarchy (control categories, critical elements, and control activities) to assist in evaluating the significance of identified IS control weaknesses (if a critical element is not achieved, the respective control category is not likely to be achieved; if one of the nine control categories are not effectively achieved, IS controls are ineffective, unless other factors sufficiently reduce the risk) • Groupings of control categories consistent with the nature of the risk ¾ Change from “installation level” general controls to “system level” general controls to reflect the logically networked structure of today’s systems ¾ IS controls audit documentation guidance for each audit phase ¾ Additional audit considerations that may affect an IS audit, including: • information security risk factors • automated audit tools • sampling techniques Chapter ¾ Reorganized general control categories, consistent with GAGAS: • Security management - broadened to consider statutory requirements and best practices • Access controls - restructured to incorporate system software, eliminate redundancies, and facilitate IS auditing in a networked environment: o System boundaries o Identification and authentication o User authorization o Sensitive system resources o Audit and monitoring o Physical security • Configuration management - broadened to include network components and applications • Segregation of Duties - relatively unchanged • Contingency Planning - updated for new terminology Page Sensitive information Sensitivity accounts Server Service Service auditor Service Bureau Service organization Significant deficiency – FISMA Significant deficiency – A-123 Significant Deficiency – financial reporting Page 585 Appendix XI - Glossary Any information that an entity has determined requires heightened protection from unauthorized access, use, disclosure, disruption, modification, or destruction [e.g., by using specific access controls] because of the nature of the information (e.g., personal information required to be protected by the Privacy Act, proprietary commercial information, information critical to law enforcement activities, and information that has or may be determined to be exempt from public release under the Freedom of Information Act) See privileged account A computer running administrative software that controls access to all or part of the network and its resources, such as disk drives or printers A computer acting as a server makes resources available to computers acting as workstations on the network Refers to customer or product-related business functions such as file transfer protocol (FTP), hypertext transfer protocol (HTTP), and mainframe supervisor calls Each system provides a set of services For example, a computer network alls its users to send packets to specified destinations and a database system responds to queries An independent auditor hired by the service organization to provide a report on internal controls at the service provider See Service Organization A computer facility that provides data processing services to clients on a continual basis Outside organizations used to support business processes Service organizations provide services ranging from performing a specific task (e.g., payroll processing) to replacing entire business units or functions of an entity A weakness in an agency’s overall information systems security program or management control structure, or within one or more information systems, that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets OMB Circular A-123 uses the same definition for significant deficiency as financial reporting (See Significant Deficiency – Financial Reporting), but continues to refer to it as a reportable condition A deficiency in internal control, or combination of deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected Significant deficiency – Single Audit compliance Simultaneous peripheral operations online (SPOOL) Single Audit Smart card SMTP (Simple Mail Transport Protocol) Sniffer Social engineering Software Source code Spyware Standard Standard profile Page 586 Appendix XI - Glossary A control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to administer a federal program such that there is more than a remote likelihood that noncompliance with a type of compliance requirement of a federal program that is more than inconsequential will not be prevented or detected by the entity’s internal control In the mainframe environment, a component of system software that controls the transfer of data between computer storage areas with different speed capabilities Usually, an intermediate device, such as a buffer, exists between the transfer source and the destination (e.g., a printer) The Single Audit is intended to provide a cost-effective audit for nonfederal entities in that one audit is conducted in lieu of multiple audits of individual programs Such audits are performed in accordance with the Single Audit Act (31USC ch75) of 1984 (with amendment in 1996) and OMB Circular A-133 (Audits of States, Local Governments, and Non-Profit Organizations) to ensure that federal funds to nonfederal entities are expended properly A credit card-sized token that contains a microprocessor and memory circuits for authenticating a user of computer, banking, or transportation services The standard e-mail protocol on the Internet Synonymous with packet sniffer A program that intercepts routed data and examines each packet in search of specified information, such as passwords transmitted in clear text A method used by hackers to obtain passwords for unauthorized access For example, a hacker may call an authorized user of a computer system and pose as a network administrator to gain access A computer program or programs, in contrast to the physical environment on which programs run (hardware) Human-readable program statements written in a highlevel or assembly language, as opposed to object code, which is derived from source code and designed to be machine-readable Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge In computing, a set of detailed technical guidelines used as a means of establishing uniformity in an area of hardware or software development A set of rules that describe the nature and extent of access to each resource that is available to a group of users with similar duties, such as accounts payable clerks Supervisor call (SVC) Switch System System administrator System analyst System designer System developer System development life cycle (SDLC) methodology System level System management facility System privilege System programmer System security plan System software System testing System utilities TCP (transmission control protocol) Page 587 Appendix XI - Glossary A supervisor call instruction interrupts a program being executed and passes control to the supervisor so that it can perform a specific service indicated by the instruction A device that forwards packets between LAN devices or segments LANs that use switches are called switched LANs See information system The person responsible for administering use of a multiuser computer system, communications system, or both A person who designs systems See system analyst See programmer The policies and procedures that govern software development and modification as a software product goes through each phase of its life cycle Controls consist of processes for managing specific system resources related to either a general support system or business process application systems Three sublevels include network, operating system, and infrastructure An IBM control program that provides the means for gathering and recording information that can be used to evaluate the extent of computer system usage Ability of the user within the database to interact with the database itself They include: CREATE, ALTER, DROP, CONNECT, and AUDIT, among many others A person who develops and maintains system software Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements The set of computer programs and related routines designed to operate and control the processing activities of computer equipment It includes the operating system and utility programs and is distinguished from application software Testing to determine that the results generated by the enterprise’s information systems and their components are accurate and the systems perform to specifications Software used to perform system maintenance routines that are frequently required during normal processing operations Some of the utilities have powerful features that will allow a user to access and view or modify data or program code A connection-based Internet protocol that supports reliable data transfer connections Packet data is verified using checksums and retransmitted if it is missing or corrupted The application plays no part in validating the transfer TCP/IP protocol Technical controls Telecommunications Teleprocessing monitor Terminal Test facility Those charged with governance Threat Token Transaction Transaction data Page 588 Appendix XI - Glossary Transmission Control Protocol/Internet Protocol) A set of communications protocols that encompasses media access, packet transport, session communications, file transfer, electronic mail, terminal emulation, remote file access and network management TCP/IP provides the basis for the Internet See logical access control A general term for the electronic transmission of information of any type, such as data, television pictures, sound, or facsimiles, over any medium, such as telephone lines, microwave relay, satellite link, or physical cable In the mainframe environment, a component of the operating system that provides support for online terminal access to application programs This type of software can be used to restrict access to online applications and may provide an interface to security software to restrict access to certain functions within the application A device consisting of a video adapter, a monitor, and a keyboard A processing environment that is isolated from the production environment and dedicated to testing and validating systems and/or their components Are those responsible for overseeing the strategic direction of the entity and the entity’s fulfillment of its obligations related to accountability This includes overseeing the financial reporting process, subject matter, or program under audit including related internal controls Any circumstance or event with the potential to adversely impact entity operations (including mission, functions, image, or reputation), entity assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service In authentication systems, some type of physical device (such as a card with a magnetic strip or a smart card) that must be in the individual’s possession in order to gain access The token itself is not sufficient; the user must also be able to supply something memorized, such as a personal identification number (PIN) A discrete activity captured by a computer system, such as the entry of a customer order or an update of an inventory item In financial systems, a transaction generally represents a business event that can be measured in money and entered in accounting records The finite data pertaining to a given event occurring in a business process The result of this process is in the form of documents or postings, such as purchase orders and obligations Transaction data input Transaction data output Transaction data processing Transaction file Trusted communication Path Uninterruptible power supply (UPS) Unit testing UNIX Update access Upload User User auditor User control User-defined processing User identification (ID) User privilege Page 589 Appendix XI - Glossary Relates to controls over data that enter the application (e.g., data validation and edit checks) Relates to controls over data output and distribution (e.g., output reconciliation and review) Relates to controls over data integrity within the application (e.g., review of transaction processing logs) A group of one or more computerized records containing current business activity and processed with an associated master file Transaction files are sometimes accumulated during the day and processed in batch production overnight or during off-peak processing periods A mechanism by which a user (through an input device) can communicate directly with the security functions of the information system with the necessary confidence to support the system security policy This mechanism can only be activated by the user or the security functions of the information system and cannot be imitated by untrusted software Provides short-term backup power from batteries for a computer system when the electrical power fails or drops to an unacceptable voltage level Testing individual program modules to determine if they perform to specifications A multitasking operating system originally designed for scientific purposes that have subsequently become a standard for midrange computer systems with the traditional terminal/host architecture UNIX is also a major server operating system in the client/server environment This access level includes the ability to change data or a software program The process of transferring a copy of a file from a local computer to a remote computer by means of a modem or network The person who uses a computer system and its application programs to perform tasks The auditor of the user organization Portions of controls that are performed by people interacting with IS controls The effectiveness of information systems processing or the reliability of information processed by IS controls The user is allowed to establish or modify processing steps This frequently occurs in application based spreadsheets and report writer/data extraction tools A unique identifier assigned to each authorized computer user Right to execute a particular type of Microsoft SQL server statement, or a right to access another user’s object User profile Utility program Validation Validity Validity Control Virtual Private Network (VPN) Virus Vulnerability Vulnerability Assessment Vulnerability scanning Wide area network (WAN) WAN War Dialer Web application Page 590 Appendix XI - Glossary A set of rules that describes the nature and extent of access to each resource that is available to each user Generally considered to be system software designed to perform a particular function (e.g., an editor or debugger) or system maintenance (e.g., file backup and recovery) The process of evaluating a system or component during or at the end of the development process to determine whether it satisfies specified requirements See Validity Control Controls designed to provide reasonable assurance (1) that all recorded transactions actually occurred (are real), relate to the entity, and were properly approved in accordance with management’s authorization, and (2) that output contains only valid data Protected IS link utilizing tunneling, security controls (see information assurance), and end-point address translation giving the impression of a dedicated line A program that “infects” computer files, usually executable programs, by inserting a copy of itself into the file These copies are usually executed when the “infected” file is loaded into memory, allowing the virus to infect other files Unlike the computer worm, a virus requires human involvement (usually unwitting) to propagate Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source Formal description and evaluation of the vulnerabilities in an information system Type of network security testing that among others enumerates the network structure and determines the set of active hosts and associated software and verifies that software (e.g., operating system and major applications) is up-to-date with security patches and software version A group of computers and other devices dispersed over a wide geographical area that is connected by communications links See wide area network Software packages that sequentially dial telephone numbers, recording any numbers that answer Is an application that is accessed via web over a network such as the Internet or an intranet The ability to update and maintain Web applications without distributing and installing software on potentially thousands of client computers is a key reason for their popularity Wired Equivalent Privacy (WEP) The Wired Equivalent Privacy (WEP) security protocol for wireless local area networks (LANs) uses encryption to provide similar security to that of a wired LAN WEP is defined in the IEEE 802.11b standard Wi-Fi Protected Access (WPA) The Wi-Fi Protected Access (WPA) security protocol was designed to improve upon the security features of WEP for wireless communications It is defined in IEEE’s 802.11i standard Workstation A microcomputer or terminal connected to a network Workstation can also refer to a powerful, stand-alone computer that has considerable calculating or graphics capability World Wide Web (WWW) A sub-network of the Internet through which information is exchanged by text, graphics, audio and video Worm An independent computer program that reproduces by copying itself from one system to another across a network Unlike computer viruses, worms not require human involvement to propagate Page 591 Appendix XI - Glossary Appendix XII – Bibliography Committee on National Security Systems, National Information Assurance (IA) Glossary, CNSS Instruction No 4009 (Ft Meade, Maryland: Revised Draft 2005) Information System Audit and Control Association (ISACA), Glossary of Terms, http://www.isaca.org/glossary.htm Information System Audit and Control Foundation, CobiT: Control Objectives for Information and Related Technology, 2007 Institute of Internal Auditors, Global Technology Audit Guide (GTAG) series Office of Management and Budget, Management Responsibility for Internal Control, Circular A-123, Appendix A, (Washington, D.C July 2005) Office of Management and Budget, Financial Management Systems, Circular A-127, (Washington, D.C.: January 9, 2009) Office of Management and Budget, Security of Federal Automated Resources, Circular A-130, Appendix III, (Washington, D.C.: November 2000) Office of Management and Budget, Reporting Instructions for the Federal Information Management Security Act and Updated Guidance on Quarterly IT Security Reporting, Memorandum M-0319 (Washington, D.C.: November 25, 2003) Office of Management and Budget, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, Memorandum M-03-22 (Washington, D.C.: September 23, 2003) Office of Management and Budget, E-Authentication Guidance for Federal Agencies, Memorandum M-04-04 (Washington, D.C.: December 16, 2003) Page 592 Appendix XII – Bibliography Office of Management and Budget, Service Organization Audits, Memorandum M-04-11 (Washington, D.C.: April 30, 2004) Office of Management and Budget, Personal Use Policies and “File Sharing” Technology, Memorandum-04-26 (Washington, D.C.: September 8, 2004) Office of Management and Budget, Designation of Senior Agency Officials for Privacy, Memorandum M-05-08 (Washington, D.C.: February 11, 2005) Office of Management and Budget, FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, Memorandum M-05-15 (Washington, D.C.: June 13, 2005) Office of Management and Budget, Safeguarding Personally Identifiable Information, Memorandum M-06-15 (Washington, D.C.: May 22, 2006) Office of Management and Budget, Protection of Sensitive Agency Information, Memorandum M-06-16 (Washington, D.C.: June 23, 2006) Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, Memorandum M-06-19 (Washington, D.C.: July 12, 2006) Office of Management and Budget, Use of Commercial Credit Monitoring Services Blanket Purchase Agreements, Memorandum M-07-04 (Washington, D.C.: December 22, 2006) Office of Management and Budget, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems, Memorandum M-07-11 (Washington, D.C.: March 22, 2007) Office of Management and Budget, Safeguarding Against and Responding to the Breach of Personally identifiable Information, Memorandum M-07-16 (Washington, D.C.: May 22, 2007) Page 593 Appendix XII – Bibliography Office of Management and Budget, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, Memorandum M-08-21 (Washington, D.C July 14, 2008) 125 Office of Management and Budget, Guidance on the Federal Desktop Core Configuration (FDCC), Memorandum M-08-22 (Washington, D.C.: August 11, 2008) U.S Department of Commerce, National Institute of Standards and Technology, Security Requirements for Cryptographic Modules, Federal Information Processing Standards 140-2, (Washington, D.C.: May 2001) U.S Department of Commerce, National Institute of Standards and Technology, Advance Encryption Standard (AES), Federal Information Processing Standards 197, (Washington, D.C.: November 2001) U.S Department of Commerce, National Institute of Standards and Technology, Standards for Security Categorization of Federal Information and Information Systems, Federal Information Processing Standards 199, (Washington, D.C.: February 2004) U.S Department of Commerce, National Institute of Standards and Technology, Minimum Security Requirements for Federal Information and Information Systems, Federal Information Processing Standards 200, (Washington, D.C.: March 2006) U.S Department of Commerce, National Institute of Standards and Technology, Personal Identity Verification (PIV) of Federal Employees and Contractors, Federal Information Processing Standards 201, (Washington, D.C.: March 2006) U.S Department of Commerce, National Institute of Standards and Technology, Glossary of Key Information Security Terms, (Washington, D.C.: April 2006) 125 OMB generally issues updated guidance annually Page 594 Appendix XII – Bibliography U.S Department of Commerce, National Institute of Standards and Technology, Introduction to Computer Security, Special Publication 800-12, (Washington, D.C.: October 1995) U.S Department of Commerce, National Institute of Standards and Technology, Information Technology Security Training Requirements: A Role-Performance-Based Model, Special Publication 800-16, (Washington, D.C.: April 1998) U.S Department of Commerce, National Institute of Standards and Technology, Guide for Developing Security Plans for Federal Information Systems, Special Publication 800-18, (Washington, D.C.: February 2006) U.S Department of Commerce, National Institute of Standards and Technology, Guideline for Implementing Cryptography in the Federal Government, Special Publication 800-21, (Washington, D.C.): December 2005) U.S Department of Commerce, National Institute of Standards and Technology, Engineering Principles for Information Technology Security, Special Publication 800-27, (Washington, D.C.: June 2004) U.S Department of Commerce, National Institute of Standards and Technology, Risk Management Guide for Information Technology Systems, Special Publication 800-30, (Washington, D.C.: July 2002) U.S Department of Commerce, National Institute of Standards and Technology, Introduction to Public Key Technology and the Federal PKI Infrastructure, Special Publication 800-32, (Washington D.C.: February 2001) U.S Department of Commerce, National Institute of Standards and Technology, Contingency Planning Guide for Information Technology Systems, Special Publication 800-34, (Washington, D.C.: June 2002) U.S Department of Commerce, National Institute of Standards and Technology, Guide to Information Technology Security Services, Special Publication 800-35, (Washington, D.C.: October 2003) Page 595 Appendix XII – Bibliography U.S Department of Commerce, National Institute of Standards and Technology, Guide for Security Certification and Accreditation of Federal Information Systems, Special Publication 800-37, (Washington, D.C.: May 2004) U.S Department of Commerce, National Institute of Standards and Technology, Creating a Patch and Vulnerability Management Program, Special Publication 800-40, (Washington, D.C.: November 2005) U.S Department of Commerce, National Institute of Standards and Technology, Guideline on Network Security, Special Publication 800-42, (Washington, D.C.: November 2002) U.S Department of Commerce, National Institute of Standards and Technology, Security for Telecommuting and Broadband Communications, Special Publication 800-46, (Washington, D.C.: August 2002) U.S Department of Commerce, National Institute of Standards and Technology, Security Guide for Interconnecting Information Technology Systems, Special Publication 800-47, (Washington, D.C.: August 2002) U.S Department of Commerce, National Institute of Standards and Technology, Building an Information Technology Security Awareness and Training Program, Special Publication 800-50, (Washington, D.C.: October 2003) U.S Department of Commerce, National Institute of Standards and Technology, Recommended Security Controls for Federal Information, Special Publication 800-53 (Washington, D.C.: December 2007) U.S Department of Commerce, National Institute of Standards and Technology, Security Metrics Guide for Information Technology Systems, Special Publication 800-55, (Washington, D.C.: July 2003) U.S Department of Commerce, National Institute of Standards and Technology, Recommendation for Pair-Wise Key Established Page 596 Appendix XII – Bibliography Schemes Using Discrete Logarithm Cryptography, Special Publication 800-56, (Washington, D.C.: March 2006) U.S Department of Commerce, National Institute of Standards and Technology, Recommendation for Key Management, Special Publication 800-57, (Washington, D.C.: August 2005) U.S Department of Commerce, National Institute of Standards and Technology, Security Considerations for Voice over IP Systems, Special Publication 800-58, (Washington, D.C.: January 2005) U.S Department of Commerce, National Institute of Standards and Technology, Guide for Mapping Types of Information and Information System Security Categories, Special Publication 80060 Revision 1, (Washington, D.C.: August 2008) U.S Department of Commerce, National Institute of Standards and Technology, Computer Security Incident Handling Guide, Special Publication 800-61, (Washington, D.C.: January 2004) U.S Department of Commerce, National Institute of Standards and Technology, Electronic Authentication Guidelines, Special Publication 800-63, (Washington, D.C.: April 2006) U.S Department of Commerce, National Institute of Standards and Technology, Security Considerations in the Information System Development Life Cycle, Special Publication 800-64, (Washington, D.C.: June 2004) U.S Department of Commerce, National Institute of Standards and Technology, Security Configuration Checklists Program for IT Products, Special Publication 800-70, (Washington, D.C.: May 2005) U.S Department of Commerce, National Institute of Standards and Technology, Interfaces for Personal Identity Verification, Special Publication 800-73-2, (Washington, D.C.: September 2008) U.S Department of Commerce, National Institute of Standards and Technology, Biometric Data Specifications for Personal Identity Verification, Special Publication 800-76, (Washington, D.C.: January 2007) Page 597 Appendix XII – Bibliography U.S Department of Commerce, National Institute of Standards and Technology, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, Special Publication 800-78, (Washington, D.C.: August 2007) U.S Department of Commerce, National Institute of Standards and Technology, Guide to Intrusion Detection and Prevention Systems, Special Publication 800-94, (Washington, D.C.: February 2007) U.S Department of Commerce, National Institute of Standards and Technology, Establishing Wireless Robust Security Networks, Special Publication 800-97, (Washington, D.C.: February 2007) U.S Department of Commerce, National Institute of Standards and Technology, Information Security Handbook: A Guide for Managers, Special Publication 800-100, (Washington, D.C.: March 2007) U.S Department of Commerce, National Institute of Standards and Technology, Technical Guide to Information Security Testing and Assessment, Special Publication 800-115, (Washington, D.C.: September 2008) U.S Department of Justice, Vulnerability Assessment of Federal Facilities, (Washington, D.C.: June 28, 1995) U.S General Accounting Office, Executive Guide: Information Security Management, Learning from Leading Organizations, GAO/AIMD-98-68 (Washington, D.C.: May 1998) U.S General Accounting Office, Standards for Internal Control in the Federal Government, GAO/AIMD-00-01.3.1 (Washington, D.C.: November 1999) U.S General Accounting Office, Key Elements of a Risk Management Approach, GAO-02-150T (Washington, D.C.: October 2001) U.S General Accounting Office, Technologies to Secure Federal Buildings, GAO-02-687T (Washington, D.C.: April 2002) Page 598 Appendix XII – Bibliography U.S General Accounting Office, Assessing the Reliability of Computer-Processed Data, (Washington, D.C October 2002) U.S Government Accountability Office, Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6 (Washington, D.C.: January 1999) U.S Government Accountability Office, Government Auditing Standards, GAO-07-162G (Washington, D.C.: July 2007) Page 599 Appendix XII – Bibliography ... Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM) The FISCAM presents a methodology for performing information system (IS) control audits of federal and other governmental... availability of information and information systems The Federal Information System Controls Audit Manual (FISCAM) is designed to be used primarily on financial and performance audits and attestation... critical information and information systems Information system (IS) controls consist of those internal controls that are dependent on information systems processing and include general controls