Federal Reserve Banks Cited for Security Deficiencies

Government Audit Report Finds Weaknesses in Security Program, Access Control

The Federal Reserve Banks have 12 information security control deficiencies that must be improved, according to a new report from the U.S. Government Accountability Office (GAO).

On Monday, June 16, the GAO issued its annual audit report in connection with its requirement to audit the financial statements of the Federal Reserve Banks, saying there are "areas for improvement" in the Federal Reserve Banks' information security controls. No significant deficiencies were found, by the GAO's definition; however, the report notes a total of 12 information security control deficiencies related to entitywide security program planning and management, access control and system software.

GAO says in its report that its findings "warrant management's attention and action to limit the risk of unauthorized access, disclosure, loss or impairment" of critical operations.

This audit report comes on the heels of the GAO's recent report on the Federal Deposit Insurance Corporation (FDIC), which noted similar information controls that need to be fixed. (See related: FDIC Cited for Repeated Security Weaknesses)

Report Findings
The report, authored by Gary Engel, Director of the GAO's Financial Management and Assurance, shows that the GAO found matters involving information security controls that it does not consider to be significant deficiencies (ones that "adversely affects the entity's ability to initiate, authorize, record, process, or report financial data ..."), but it did identify these 12 information security control deficiencies:

6 control deficiencies related to entitywide security program planning and management;
5 control deficiencies related to access control;
1 control deficiency related to system software.

The GAO, in a separate "Limited Official Use Only" report, says it communicated detailed information to the Federal Reserve Banks' management and made 14 detailed recommendations.

"None of our findings pose significant risks to the FRB financial systems," Engel notes in the letter to the Board of Governors of the Federal Reserve System. "As it related to controls over financial reporting and compliance with applicable laws and regulations, the potential effect of such control deficiencies was mitigated by the FRBs and the Bureau of Public Debt (BPD)."

The FRBs mitigated the potential effect of such control deficiencies with physical security measures and a program of monitoring user and system activity, Engel says, and BPD did it through compensating management and reconciliation controls "designed to detect potential irregularities or improprieties in financial data or transactions."

The report concludes that the 14 recommendations made by the GAO have been acted upon or are being planned for by the FRBs to address the control deficiencies identified.

Role of FRBs
Federal Reserve Banks were established by Congress in 1913 as the operating arms of the nation's central banking system, known as the Federal Reserve System (http://www.federalreserve.gov). Many of the services provided to depository institutions and the federal government by Reserve Banks are similar to services provided by commercial banks and thrift institutions to business customers and individuals.

There are 12 FRBs across the U.S., and they hold the cash reserves of financial institutions and make loans to them. FRBs also move currency and coin into and out of circulation, collect and process millions of checks each day, provide checking accounts for the Treasury, issue and redeem government securities, and act in other ways as fiscal agent for the U.S. government.

The FRBs also supervise and examine roughly 900 member banks for safety and soundness. These responsibilities include the conduct of field examinations and inspections of state-chartered member banks, bank holding companies, and foreign bank offices in this country, as well as the authority to approve certain types of bank and bank holding company applications.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
