Information Security:

Federal Reserve Needs to Address Treasury Auction Systems

GAO-06-659: Published: Aug 30, 2006. Publicly Released: Aug 30, 2006.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Federal Reserve System's Federal Reserve Banks (FRB) serve as fiscal agents of the U.S. government when they are directed to do so by the Secretary of the Treasury. In this capacity, the FRBs operate and maintain several mainframe and distributed-based systems, including the systems that support the Department of the Treasury's auctions of marketable securities, on behalf of the department's Bureau of the Public Debt (BPD). Effective security controls over these systems are essential to ensure that sensitive and financial information is adequately protected from inadvertent or deliberate misuse, disclosure, or destruction. In support of its audit of BPD's fiscal year 2005 Schedule of Federal Debt, GAO assessed the effectiveness of information system controls in protecting financial and sensitive auction information on key mainframe and distributed-based systems that the FRBs maintain and operate for BPD. To do this, GAO observed and tested FRBs' security controls.

In general, the FRBs had implemented effective information system controls over the mainframe applications they maintain and operate for BPD in support of Treasury's auctions and financial reporting. On the distributed-based systems and supporting network environment used for Treasury auctions, however, they had not fully implemented information system controls to protect the confidentiality, integrity, and availability of sensitive and financial information. The FRBs did not consistently (1) identify and authenticate users to prevent unauthorized access; (2) enforce the principle of least privilege to ensure that access was authorized only when necessary and appropriate; (3) implement adequate boundary protections to limit connectivity to systems that process BPD business; (4) apply strong encryption technologies to protect sensitive data both in storage and on its networks; (5) log, audit, or monitor security-related events; and (6) maintain secure configurations on servers and workstations. Without consistent application of these controls, the auction information and computing resources for key distributed-based auction systems remain at increased risk of unauthorized and possibly undetected use, modification, destruction, and disclosure. Other FRB applications that share common network resources may also be at increased risk. Contributing to these weaknesses in information system controls were the Federal Reserve's lack of (1) an effective management structure for coordinating, communicating, and overseeing information security activities across bank organizational boundaries and (2) an adequate environment in which to sufficiently test the security of its auction applications.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: FRB has designated the Director of Federal Reserve Information Technology (FRIT) as the focal point for overseeing and coordinating enterprise-level information security, identified the responsibilities that go along with this role, and granted the authority to determine and establish the appropriate organizational model for discharging these responsibilities. The Director of FRIT discharged the focal point responsibilities through the establishment of a National Information Security Assurance (NISA) function within FRB. In addition, the FRIT Director has recently sponsored an Information Security Advisory Council (ISAC) whose membership will include representatives of the FRB business and IT entities. The purpose of the ISAC is to provide guidance and advice to the Director of FRIT and managers regarding enterprise information security strategy and operating decisions, investment prioritization, and operational compliance programs. Largely due to these actions, FRB has greater assurance of being able to successfully coordinate, communicate, and oversee its decentralized enterprisewide operational and technological view of its computing environment, including the interdependencies and interrelationships across the entity's business operations and the underlying IT infrastructure and applications that support these functions.

    Recommendation: To help strengthen the FRBs' information security over key distributed-based auction systems, the Board of Governors of the Federal Reserve should establish a management structure that ensures decentralized information security activities are effective.

    Agency Affected: Federal Reserve System: Board of Governors

  2. Status: Closed - Implemented

    Comments: In July 2010, we verified that the Federal Reserve Bank (FRB) has established a test environment that is a mirror image of its production network.

    Recommendation: To help strengthen the FRBs' information security over key distributed-based auction systems, the Board of Governors of the Federal Reserve should implement an application test environment for the auction systems.

    Agency Affected: Federal Reserve System: Board of Governors
