Federal Reserve Banks:
Areas for Improvement in Computer Controls
AIMD-00-218: Published: Jul 7, 2000. Publicly Released: Jul 7, 2000.
Pursuant to a congressional request, GAO provided information on the Federal Reserve Banks' (FRB) computer control vulnerabilities.
GAO noted that: (1) while GAO found that the FRBs had implemented effective general and application controls, GAO's fiscal year 1999 audit procedures identified certain general and application control vulnerabilities; (2) these vulnerabilities relate to: (a) the entitywide security management program at a data center; (b) the entitywide security management program, access controls, and system software at a second data center; (c) access controls at one FRB; (d) the entitywide security management program and access controls at a third data center; and (e) access controls, system software, application software development and change controls, and segregation of duties at a fourth data center; (3) GAO also identified vulnerabilities relating to authorization controls over two key applications; (4) GAO's follow-up on the status of the FRBs' corrective actions to address vulnerabilities identified in GAO's audits for fiscal years 1998 and 1997 found that the FRBs had corrected or mitigated the risks associated with 19 of the 30 general and application control vulnerabilities discussed in GAO's prior reports; (5) while these vulnerabilities do not pose significant risks to the Financial Management Service and Bureau of the Public Debt financial systems, they warrant FRB management's action to decrease the risk of inappropriate disclosure and modification of sensitive data and programs, misuse of or damage to computer resources, or disruption of critical operations; (6) in commenting on a draft of this report and GAO's more detailed Limited Official Use report, the Board of Governors of the FRB informed GAO that it agreed with 17 of GAO's 22 findings and had corrected or was in the process of correcting those findings; and (7) further, the board stated that it is studying the remaining five findings before developing and implementing corrective actions.
Recommendation for Executive Action
Status: Closed - Implemented
Comments: During GAO's fiscal year 2000 testing of the effectiveness of the Federal Reserve Banks' (FRB) general and application controls, GAO followed up on the status of the FRBs' corrective actions to address vulnerabilities identified in this report. GAO found that, at September 30, 2000, the FRBs had corrected or mitigated all the vulnerabilities that were identified in this report.
Recommendation: The Board of Governors of the Federal Reserve System should: (1) assign to cognizant FRB officials responsibility and accountability for correcting each vulnerability that GAO identified during its testing and summarized in its Limited Official Use version of this report; and (2) direct the Director of the Division of Reserve Bank Operations and Payment Systems to monitor the status of all vulnerabilities, including actions taken to correct them.
Agency Affected: Federal Reserve System: Board of Governors