US gov't questions federal banks' security

01.09.2006
Dramatically improved data security methods, including stronger encryption, tighter access controls and comprehensive transaction logging and auditing, are needed in the Federal Reserve banking system to better safeguard key government financial information, according to a new report from the Government Accountability Office.

The 21-page report, "Information Security: Federal Reserve Needs to Address Treasury Auction Systems," concludes that data security methods used to protect electronic auctions of marketable securities conducted by the U.S. Treasury Department's Federal Reserve banks (FRB) are inadequate to protect the auctions from unauthorized access.

In a review of the data security methods currently in use, the GAO found the banks "generally implemented effective controls over their mainframe applications that they maintain and operate" on behalf of the Treasury Department's Bureau of Public Debt. But the report added that "the FRBs had not effectively implemented information system controls to protect the confidentiality, integrity, and availability of sensitive data and computing resources for the distributed-based systems and the supporting network environment relevant to Treasury auctions."

The report found that the Federal Reserve banks are not consistently identifying and authenticating users to prevent unauthorized access, and they are not enforcing the principle of least privilege to ensure that authorized access is necessary and appropriate. The banks also are not implementing adequate boundary protections to limit connectivity to systems that process the transactions, nor are they applying strong encryption technologies to protect sensitive data in storage and on their networks, the report stated. Logging, auditing and monitoring of security-related events are also inadequate, and secure configurations on servers and workstations are not properly maintained, the report stated.

"As a result, auction information and computing resources for key distributed-based auction systems that the FRBs maintain and operate on behalf of [the Bureau of Public Debt] are at an increased risk of unauthorized and possibly undetected use, modification, destruction, and disclosure," according to the report.

The IT control system problems stem from the "lack of an effective management structure for coordinating, communicating, and overseeing information security activities across bank organizational boundaries," the report said, as well as the lack of an adequate environment in which to sufficiently test the auction applications.