The OIG and Grant Thornton assessed the effectiveness of SSA’s information security policies, procedures, and practices on a representative subset of the Agency’s information systems by leveraging work performed as part of the financial statement audit and by performing additional testing procedures as needed. We determined whether SSA’s overall information security program and practices were effective and consistent with the requirements of the Federal Information Security Management Act (FISMA) and with other regulations, standards, and guidance applicable during the audit period.
We determined that SSA had established an overall information security program and practices that were generally consistent with FISMA requirements. However, weaknesses in some of the program’s components limited the program’s effectiveness in adequately protecting the Agency’s information and information systems. We concluded that these weaknesses constituted a significant deficiency under FISMA.