"The Federal Reserve needs to bolster security controls for its distributed-based systems and supporting network environment used for Treasury Department securities auctions, the Government Accountability Office said.
Federal Reserve banks have in general implemented effective information system controls over the mainframe applications they maintain and operate for the Treasury Department's Bureau of the Public Debt to support auctions and financial reporting, GAO said in its report released yesterday. But Fed banks did not consistently identify and authenticate users to prevent unauthorized access, ensure that access was authorized only when necessary and appropriate, and implement adequate boundary protections to limit connectivity to systems that process Public Debt business.
'Without consistent application of these controls, the auction information and computing resources for key distributed-based auction systems remain at increased risk of unauthorized and possibly undetected use, modification, destruction and disclosure,' GAO said in its report authored by Gregory Wilshusen, director of GAO's information security issues; Keith Rhodes, GAO's chief technologist; and Gary Engel, director of GAO financial management and assurance.
The Federal Reserve needs to establish a management structure to ensure that decentralized IT security is effective and put in place an application test environment for the auction systems. The Fed also should correct weaknesses in identification and authentication, authorization, boundary protection, encryption, auditing and monitoring, and configuration management.
The Fed has already taken corrective actions, including improving its ability to coordinate and oversee its operational and technical environments, and replacing its existing auction applications and operational infrastructure by the end of 2007, said Louise Roseman, director of the Federal Reserve’s division of Reserve bank operations and payments systems.
“We have also taken actions to improve our ability to coordinate and oversee our complex IT systems effectively,” she said.
The Fed and Treasury plan to validate the integrity of the new application and infrastructure at several points during the development of the application, she said."