
Review of Federal Trade Commission Implementation of the Federal Information Security Management Act (FISMA)

As part of the FISMA requirement, Carson Associates provided information security audit support to the FTC Office of Inspector General (OIG) for an annual independent assessment of the FTC's security program. Carson's services consisted of the following:

Relevant security documentation reviewed included risk assessments, security plans, security test and evaluation reports, critical infrastructure protection plans, and contingency and disaster recovery plans. Internal and external penetration testing was performed using the SAINT® network vulnerability assessment tool to identify network vulnerabilities. Social engineering techniques were used to identify vulnerabilities, and a penetration test of the FTC's voice mail system was conducted using war-dialing techniques. Carson Associates used its trademarked Model Solutions® methodology and followed General Accounting Office (GAO) Government Auditing Standards; OMB Circular A-130, Management of Federal Information Resources, Appendix III; and the National Institute of Standards and Technology (NIST) Federal Information Technology Security Framework to conduct the audit. Project deliverables included a comprehensive written Independent Evaluation Report in addition to the report to OMB. The Independent Evaluation Report detailed audit findings in terms of conditions, criteria, cause, and effect, and provided a comprehensive INFOSEC statement of FISMA compliance.