
Information Security: Federal Reserve Needs to Address Treasury Auction Systems

GAO-06-659 Published: Aug 30, 2006. Publicly Released: Aug 30, 2006.

Highlights

The Federal Reserve System's Federal Reserve Banks (FRB) serve as fiscal agents of the U.S. government when they are directed to do so by the Secretary of the Treasury. In this capacity, the FRBs operate and maintain several mainframe and distributed-based systems--including the systems that support the Department of the Treasury's auctions of marketable securities--on behalf of the department's Bureau of the Public Debt (BPD). Effective security controls over these systems are essential to ensure that sensitive and financial information is adequately protected from inadvertent or deliberate misuse, disclosure, or destruction. In support of its audit of BPD's fiscal year 2005 Schedule of Federal Debt, GAO assessed the effectiveness of information system controls in protecting financial and sensitive auction information on key mainframe and distributed-based systems that the FRBs maintain and operate for BPD. To do this, GAO observed and tested FRBs' security controls.

Recommendations

Recommendations for Executive Action

Agency Affected: Board of Governors
Recommendation: To help strengthen the FRBs' information security over key distributed-based auction systems, the Board of Governors of the Federal Reserve should establish a management structure that ensures decentralized information security activities are effective.
Status: Closed – Implemented
FRB has designated the Director of Federal Reserve Information Technology (FRIT) as the focal point for overseeing and coordinating enterprise-level information security, identified the responsibilities that go along with this role, and granted the authority to determine and establish the appropriate organizational model for discharging these responsibilities. The Director of FRIT discharged the focal point responsibilities through the establishment of a National Information Security Assurance (NISA) function within FRB. In addition, the FRIT Director has recently sponsored an Information Security Advisory Council (ISAC) whose membership will include representatives of the FRB business and IT entities. The purpose of the ISAC is to provide guidance and advice to the Director of FRIT and managers regarding enterprise information security strategy and operating decisions, investment prioritization, and operational compliance programs. Largely due to these actions, FRB has greater assurance of being able to successfully coordinate, communicate, and oversee its decentralized enterprisewide operational and technological view of its computing environment, including the interdependencies and interrelationships across the entity's business operations and underlying IT infrastructure and applications that support these functions.

Agency Affected: Board of Governors
Recommendation: To help strengthen the FRBs' information security over key distributed-based auction systems, the Board of Governors of the Federal Reserve should implement an application test environment for the auction systems.
Status: Closed – Implemented
In July 2010, we verified that the Federal Reserve Bank (FRB) has established a test environment that is a mirror image of its production network.

Topics

Computer security, Data encryption, Federal reserve banks, Financial management systems, Information security, Information security management, Internal controls, Management information systems, US Treasury securities, Systems analysis, Systems evaluation, Access control