US gov't questions federal banks' security

01.09.2006
Dramatically improved data security methods, including stronger encryption, tighter access controls and comprehensive transaction logging and auditing, are needed in the Federal Reserve banking system to better safeguard key government financial information, according to a new report from the Government Accountability Office.

The 21-page report, "Information Security: Federal Reserve Needs to Address Treasury Auction Systems," concludes that data security methods used to protect electronic auctions of marketable securities conducted by the U.S. Treasury Department's Federal Reserve banks (FRB) are inadequate to protect the auctions from unauthorized access.

In a review of the data security methods currently in use, the GAO found the banks "generally implemented effective controls over their mainframe applications that they maintain and operate" on behalf of the Treasury Department's Bureau of Public Debt. But the report added that "the FRBs had not effectively implemented information system controls to protect the confidentiality, integrity, and availability of sensitive data and computing resources for the distributed-based systems and the supporting network environment relevant to Treasury auctions."

The report found that the Federal Reserve banks are not consistently identifying and authenticating users to prevent unauthorized access, and they are not enforcing the principle of least privilege to ensure that authorized access is necessary and appropriate. The banks also are not implementing adequate boundary protections to limit connectivity to the systems that process the transactions, nor are they applying strong encryption technologies to protect sensitive data in storage and on their networks, the report stated. It added that logging, auditing and monitoring of security-related events are inadequate, and that secure configurations on servers and workstations are not properly maintained.

"As a result, auction information and computing resources for key distributed-based auction systems that the FRBs maintain and operate on behalf of [the Bureau of Public Debt] are at an increased risk of unauthorized and possibly undetected use, modification, destruction, and disclosure," according to the report.

The IT control system problems stem from the "lack of an effective management structure for coordinating, communicating, and overseeing information security activities across bank organizational boundaries," the report said, as well as the lack of an adequate environment in which to sufficiently test the auction applications.

To improve the system, the GAO recommends that the Treasury Department "establish an effective management structure for implementing key information security activities and a test environment for auction systems."

"Without proper safeguards, the speed and accessibility that create the enormous benefits of the computer age may allow individuals and groups with malicious intent to gain unauthorized access to systems and use this access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other sites," the report states.

In a letter in response, Louise Roseman, director of the Division of Reserve Bank Operations and Payment Systems, said that since the GAO review was conducted, her agency has "taken actions to improve our ability to coordinate and oversee our complex IT systems effectively," including a realignment of the information security governance structure within the Federal Reserve banks and the designation of the director of the Reserve Banks' Federal Reserve IT organization as the focal point for enterprisewide information security.

"The Treasury auction applications reviewed in this report were developed starting in 1998, when Web technology, tools and development practices were substantially less evolved than those available today," Roseman stated in her letter.

"The Treasury and the Federal Reserve are currently undertaking a significant development initiative to replace the existing applications and operational infrastructure by year-end 2007," the letter continues. "The new auction applications will be operated within the Federal Reserve's strengthened information security architecture, and information security compliance will be monitored through our improved information security governance structure."

Roseman could not be reached for comment at deadline.

As fiscal agents of the Treasury Department, the Federal Reserve banks receive bids, issue securities to awarded bidders, collect payments on behalf of the Treasury and make interest and redemption payments from the Treasury's account to the accounts of securities holders, according to the GAO. During fiscal year 2005, the Federal Reserve banks processed debt held by the public of about US$4.5 trillion in issuances, about $4.2 trillion in redemptions and about $128 billion in interest payments.