Federal Reserve Banks: Areas for Improvement in Computer Controls
As part of its audit of the U.S. government's fiscal year 2000 financial statements, GAO reviewed computer controls over key financial systems maintained and operated by the Federal Reserve Banks (FRB) on behalf of the Department of the Treasury's Financial Management Service (FMS) and the Bureau of the Public Debt (BPD). GAO identified opportunities to improve general controls related to access at two data centers; access, system software, and service continuity at a third data center; and access and system software at a fourth data center. GAO also identified opportunities to improve authorization controls over four key applications and accuracy controls over one of these key applications. FRB had corrected or mitigated the risks associated with all vulnerabilities discussed in earlier GAO reports. Although the general and application controls identified do not pose significant risks to the FMS and BPD financial systems, they warrant action to decrease the risk of inappropriate disclosure and modification of sensitive data and programs, misuse of or damage to computer resources, and disruption of critical operations.
Recommendations for Executive Action
|Division of Reserve Bank Operations and Payment Systems||The Director of the Federal Reserve System's Division of Federal Reserve Bank Operations should assign to cognizant FRB officials responsibility and accountability for correcting each vulnerability that GAO identified and for addressing each of the specific recommendations detailed in the enclosure to that letter.||
GAO's follow-up on the status of the FRBs' corrective actions to address the vulnerabilities identified in this report found that the FRB had corrected or mitigated the risks associated with 25 of the 29 general and application control vulnerabilities, and are in the process of addressing the remaining four. GAO will follow up on these matters during its audit of the U.S. government's fiscal year 2002 financial statements.