Federal Reserve Banks:

Areas for Improvement in Computer Controls

AIMD-00-218: Published: Jul 7, 2000. Publicly Released: Jul 7, 2000.

Contact:

Gary T. Engel
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO provided information on the Federal Reserve Banks' (FRB) computer control vulnerabilities.

GAO noted that:

(1) while GAO found that the FRBs had implemented effective general and application controls, GAO's fiscal year 1999 audit procedures identified certain general and application control vulnerabilities;

(2) these vulnerabilities relate to:

  (a) the entitywide security management program at a data center;

  (b) the entitywide security management program, access controls, and system software at a second data center;

  (c) access controls at one FRB;

  (d) the entitywide security management program and access controls at a third data center; and

  (e) access controls, system software, application software development and change controls, and segregation of duties at a fourth data center;

(3) GAO also identified vulnerabilities relating to authorization controls over two key applications;

(4) GAO's follow-up on the status of the FRBs' corrective actions to address vulnerabilities identified in GAO's audits for fiscal years 1998 and 1997 found that the FRBs had corrected or mitigated the risks associated with 19 of the 30 general and application control vulnerabilities discussed in GAO's prior reports;

(5) while these vulnerabilities do not pose significant risks to the Financial Management Service and Bureau of the Public Debt financial systems, they warrant FRB management's action to decrease the risk of inappropriate disclosure and modification of sensitive data and programs, misuse of or damage to computer resources, or disruption of critical operations;

(6) in commenting on a draft of this report and GAO's more detailed Limited Official Use report, the Board of Governors of the FRB informed GAO that it agreed with 17 of GAO's 22 findings and had corrected or was in the process of correcting those findings; and

(7) further, the board stated that it is studying the remaining five findings before developing and implementing corrective actions.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

Recommendation for Executive Action

Recommendation: The Board of Governors of the Federal Reserve System should: (1) assign to cognizant FRB officials responsibility and accountability for correcting each vulnerability that GAO identified during its testing and summarized in its Limited Official Use version of this report; and (2) direct the Director of the Division of Reserve Bank Operations and Payment Systems to monitor the status of all vulnerabilities, including actions taken to correct them.

Agency Affected: Federal Reserve System: Board of Governors

Status: Closed - Implemented

Comments: During GAO's fiscal year 2000 testing of the effectiveness of the Federal Reserve Banks' (FRB) general and application controls, GAO followed up on the status of the FRBs' corrective actions to address vulnerabilities identified in this report. GAO found that, at September 30, 2000, the FRBs had corrected or mitigated all the vulnerabilities that were identified in this report.
