Information Security
Federal Reserve Needs to Address Treasury Auction Systems
Gao ID: GAO-06-659 August 30, 2006
The Federal Reserve System's Federal Reserve Banks (FRB) serve as fiscal agents of the U.S. government when they are directed to do so by the Secretary of the Treasury. In this capacity, the FRBs operate and maintain several mainframe and distributed-based systems--including the systems that support the Department of the Treasury's auctions of marketable securities--on behalf of the department's Bureau of the Public Debt (BPD). Effective security controls over these systems are essential to ensure that sensitive and financial information is adequately protected from inadvertent or deliberate misuse, disclosure, or destruction. In support of its audit of BPD's fiscal year 2005 Schedule of Federal Debt, GAO assessed the effectiveness of information system controls in protecting financial and sensitive auction information on key mainframe and distributed-based systems that the FRBs maintain and operate for BPD. To do this, GAO observed and tested FRBs' security controls.
In general, the FRBs had implemented effective information system controls over the mainframe applications they maintain and operate for BPD in support of Treasury's auctions and financial reporting. On the distributed-based systems and supporting network environment used for Treasury auctions, however, they had not fully implemented information system controls to protect the confidentiality, integrity, and availability of sensitive and financial information. The FRBs did not consistently (1) identify and authenticate users to prevent unauthorized access; (2) enforce the principle of least privilege to ensure that access was authorized only when necessary and appropriate; (3) implement adequate boundary protections to limit connectivity to systems that process BPD business; (4) apply strong encryption technologies to protect sensitive data both in storage and on its networks; (5) log, audit, or monitor security-related events; and (6) maintain secure configurations on servers and workstations. Without consistent application of these controls, the auction information and computing resources for key distributed-based auction systems remain at increased risk of unauthorized and possibly undetected use, modification, destruction, and disclosure. Other FRB applications that share common network resources may also be at increased risk. Contributing to these weaknesses in information system controls were the Federal Reserve's lack of (1) an effective management structure for coordinating, communicating, and overseeing information security activities across bank organizational boundaries and (2) an adequate environment in which to sufficiently test the security of its auction applications.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-06-659, Information Security: Federal Reserve Needs to Address Treasury Auction Systems
This is the accessible text file for GAO report number GAO-06-659
entitled 'Information Security: Federal Reserve Needs to Address
Treasury Auction Systems' which was released on August 31, 2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Chairman, Board of Governors of the Federal Reserve
System:
August 2006:
Information Security:
Federal Reserve Needs to Address Treasury Auction Systems:
GAO-06-659:
GAO Highlights:
Highlights of GAO-06-659, a report to the Chairman, Board of Governors
of the Federal Reserve System
Why GAO Did This Study:
The Federal Reserve System‘s Federal Reserve Banks (FRB) serve as
fiscal agents of the U.S. government when they are directed to do so by
the Secretary of the Treasury. In this capacity, the FRBs operate and
maintain several mainframe and distributed-based systems”including the
systems that support the Department of the Treasury‘s auctions of
marketable securities”on behalf of the department‘s Bureau of the
Public Debt (BPD). Effective security controls over these systems are
essential to ensure that sensitive and financial information is
adequately protected from inadvertent or deliberate misuse, disclosure,
or destruction.
In support of its audit of BPD‘s fiscal year 2005 Schedule of Federal
Debt, GAO assessed the effectiveness of information system controls in
protecting financial and sensitive auction information on key mainframe
and distributed-based systems that the FRBs maintain and operate for
BPD. To do this, GAO observed and tested FRBs‘ security controls.
What GAO Found:
In general, the FRBs had implemented effective information system
controls over the mainframe applications they maintain and operate for
BPD in support of Treasury‘s auctions and financial reporting. On the
distributed-based systems and supporting network environment used for
Treasury auctions, however, they had not fully implemented information
system controls to protect the confidentiality, integrity, and
availability of sensitive and financial information. The FRBs did not
consistently (1) identify and authenticate users to prevent
unauthorized access; (2) enforce the principle of least privilege to
ensure that access was authorized only when necessary and appropriate;
(3) implement adequate boundary protections to limit connectivity to
systems that process BPD business; (4) apply strong encryption
technologies to protect sensitive data both in storage and on its
networks; (5) log, audit, or monitor security-related events; and (6)
maintain secure configurations on servers and workstations.
Without consistent application of these controls, the auction
information and computing resources for key distributed-based auction
systems remain at increased risk of unauthorized and possibly
undetected use, modification, destruction, and disclosure. Other FRB
applications that share common network resources may also be at
increased risk.
Contributing to these weaknesses in information system controls were
the Federal Reserve‘s lack of (1) an effective management structure for
coordinating, communicating, and overseeing information security
activities across bank organizational boundaries and (2) an adequate
environment in which to sufficiently test the security of its auction
applications.
What GAO Recommends:
GAO is recommending that the Chairman, Board of Governors, establish an
effective management structure for information security activities and
a test environment for auction systems. In written comments on a draft
of this report, the Federal Reserve generally agreed with the report
and described actions to correct the identified weaknesses.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-659].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Gregory C. Wilshusen at
(202) 512-6244 or wilshuseng@gao.gov.
[End of Section]
Contents:
Letter:
Results in Brief:
Background:
Objective, Scope, and Methodology:
Security of Treasury Auction Systems Needs to Be Addressed:
Conclusions:
Recommendations for Executive Action:
Agency Comments:
Appendixes:
Appendix I: Comments from the Federal Reserve:
Appendix II: GAO Contacts and Staff Acknowledgments:
Figure:
Figure 1: One FRB System Managed by Multiple Information Technology
Groups:
Abbreviations:
BPD: Bureau of the Public Debt:
FRB: Federal Reserve Bank:
FRIT: Federal Reserve Information Technology:
IT: information technology:
[End of Section]
August 30, 2006:
The Honorable Ben Bernanke:
Chairman, Board of Governors of the Federal Reserve System:
Dear Mr. Bernanke:
As the central bank of the United States, the Federal Reserve System
has an important role in ensuring the safety and soundness of the
nation's banking and financial system. The Federal Reserve System's
Federal Reserve Banks (FRB) serve as fiscal agents of the U.S.
government when directed to do so by the Secretary of the Treasury. In
this capacity, the FRBs operate and maintain several mainframe and
distributed-based systems[Footnote 1] on behalf of the Department of
Treasury's Bureau of the Public Debt (BPD). Effective controls[Footnote
2] over these information systems are essential to ensuring that
sensitive and financial information is adequately protected from
inadvertent or deliberate misuse, disclosure, or destruction.
As you know, Treasury is authorized by Congress to borrow money on the
credit of the United States to pay off maturing debt and raise the cash
needed to operate the federal government. Within Treasury, BPD is the
organizational entity designated to carry out this
responsibility.[Footnote 3] It does so by selling securities at
auctions conducted electronically through one of its internal offices
and through the FRBs and their branches. BPD has delegated the
responsibility for processing auction transactions to the FRBs. Acting
in this capacity, various FRB information technology (IT) support
organizations maintain and operate automated auction systems on BPD's
behalf. These systems receive bids, calculate the auction results, and
generate notices and receipts of electronic tenders and awarded bids.
In support of our audit of BPD's fiscal year 2005 Schedule of Federal
Debt,[Footnote 4] we assessed the effectiveness of information system
controls over key financial systems that the FRBs maintain and operate
on behalf of BPD. These systems included mainframe applications that
support Treasury auctions and financial reporting, distributed-based
systems that support Treasury auctions,and networks that interconnect
those systems. In forming an opinion on BPD's internal control relevant
to the Schedule of Federal Debt, we considered the results of our
review of information security controls at BPD and the FRBs relevant to
the Schedule of Federal Debt.[Footnote 5] Our review also considered
applicable compensating and management reconciliation controls at BPD.
This report discusses the effectiveness of information system controls
in ensuring the confidentiality, integrity, and availability of
Treasury's financial and sensitive auction information on mainframe and
distributed-based systems that the FRBs maintain and operate on behalf
of BPD and that are relevant to the Schedule of Federal Debt.
Results in Brief:
The FRBs had generally implemented effective controls over their
mainframe applications that they maintain and operate on behalf of BPD
in support of Treasury's financial reporting. However, the FRBs had not
effectively implemented information system controls to protect the
confidentiality, integrity, and availability of sensitive data and
computing resources for the distributed-based systems and the
supporting network environment relevant to Treasury auctions.
Specifically, the FRBs did not consistently (1) identify and
authenticate users to prevent unauthorized access; (2) enforce the
principle of least privilege to ensure that authorized access was
necessary and appropriate; (3) implement adequate boundary protections
to limit connectivity to systems that process BPD business; (4) apply
strong encryption technologies to protect sensitive data in storage and
on its networks; (5) log, audit, or monitor security-related events;
and (6) maintain secure configurations on servers and workstations.
As a result, auction information and computing resources for key
distributed-based auction systems that the FRBs maintain and operate on
behalf of BPD are at an increased risk of unauthorized and possibly
undetected use, modification, destruction, and disclosure. Furthermore,
other FRB applications that share common network resources with the
distributed-based systems may face similar risks.
These information system control weaknesses existed, in part, because
the FRBs did not have (1) an effective management structure for
coordinating, communicating, and overseeing information security
activities across bank organizational boundaries and (2) an adequate
environment in which to sufficiently test the auction applications.
We are making recommendations to you to establish an effective
management structure for implementing key information security
activities and a test environment for auction systems.
We are also making additional recommendations in a separate report with
limited distribution. These recommendations address actions needed to
correct the specific information security weaknesses in the distributed-
based systems and network infrastructure.
In providing written comments on a draft of this report (reprinted in
app. I), the Director, Division of Reserve Bank Operations and Payment
Systems of the Federal Reserve System, described completed, ongoing,
and planned corrective actions to address the weaknesses identified in
the report.
Background:
For any organization that depends on information systems to carry out
its mission, protecting those systems that support critical operations
and infrastructures is of paramount importance. Without proper
safeguards, the speed and accessibility that create the enormous
benefits of the computer age may allow individuals and groups with
malicious intent to gain unauthorized access to systems and use this
access to obtain sensitive information, commit fraud, disrupt
operations, or launch attacks against other sites.
Concerns about attacks from individuals and groups, including
terrorists, are well founded for a number of reasons, including the
dramatic increase in reports of security incidents, the ease of
obtaining and using hacking tools, the steady advance in the
sophistication and effectiveness of attack technology, and the dire
warnings of new and more destructive attacks to come. Given these
threats, the security of computer-supported federal operations are at
risk and place a variety of critical operations at risk of disruption,
fraud, and inappropriate disclosure. We have designated information
security as a governmentwide high-risk area since 1997[Footnote 6]--a
designation that remains today.[Footnote 7]
To address these concerns, Congress enacted the Federal Information
Security Management Act of 2002[Footnote 8] to strengthen the security
of information collected or maintained and information systems used or
operated by federal agencies, or by a contractor or other organization
on behalf of a federal agency. The act provides a comprehensive
framework for ensuring the effectiveness of information security
controls over information resources that support federal operations and
assets. The act requires each agency to develop, document, and
implement an agencywide information security program for the
information and systems that support the operations of the agency as
well as information systems used or operated by an agency or by a
contractor of an agency or other organization on behalf of an agency.
Structure of the Federal Reserve System:
Established by the Federal Reserve Act of 1913, the Federal Reserve
System consists of a 7-member Board of Governors with headquarters in
Washington, D.C; 12 Reserve Districts, each with its own FRB located in
a major city in the United States; and 25 bank branches. The Federal
Reserve System differs from other entities established to carry out
public purposes in that it is part public and part private. Although
the Board is a government agency, the banks are not. Also, the Federal
Reserve System structure does not follow the familiar "top-down"
hierarchy, with all policymaking authorities centralized in Washington,
D.C. The Board and the FRBs have shared responsibilities and
policymaking authority in many areas of operation.
The FRBs Serve as Treasury Fiscal Agents:
The FRBs play a significant role in the processing of marketable
Treasury securities. As fiscal agents of Treasury, the FRBs receive
bids, issue securities to awarded bidders, collect payments on behalf
of Treasury, and make interest and redemption payments from Treasury's
account to the accounts of security holders. During fiscal year 2005,
the FRBs processed debt held by the public of about $4.5 trillion in
issuances, about $4.2 trillion in redemptions, and about $128 billion
in interest payments. Certain FRBs also provide IT services in support
of Treasury auctions, operating and maintaining the Treasury mainframe
auction application in which bid submissions are recorded and the
auction results calculated.
In addition to the Treasury mainframe auction application, the FRBs
also operate and maintain two Treasury distributed-based auction
applications. These applications provide the user interface to the
mainframe auction application through the Federal Reserve networks. One
of the distributed-based auction applications serves approximately 670
users, allowing them to participate in public (primarily
noncompetitive) auctions via the Internet. The other distributed-based
auction application serves 22 primary broker/dealers[Footnote 9] for
competitive auctions who connect to it via workstations installed in
the dealers' offices by the FRBs. One nonprimary broker/dealer is
allowed to access this distributed-based auction application via the
Internet on a trial basis. These distributed-based auction applications
transmit information on the tenders/bids, including the name of the
submitter, the par amount of securities being tendered or awarded, the
discount rate being tendered or awarded, and the clearing bank.
Multiple Federal Reserve organizations are involved in the operation
and maintenance of these applications, including the Federal Reserve
Information Technology (FRIT)--the organization that provides
entitywide IT support services for the Federal Reserve System.
Other systems supporting Treasury financial reporting are mainframe-
based applications and are used to record securities purchased by
financial institutions, provide an automated system for investors to
buy securities directly from Treasury and manage their Treasury
securities portfolios, and monitor and track all cash received and
disbursed for debt transactions that the FRBs process.
Objective, Scope, and Methodology:
The objective of our review was to assess the effectiveness of
information system controls in ensuring the confidentiality, integrity,
and availability of Treasury's financial and sensitive auction
information on key mainframe and distributed-based systems that the
FRBs maintain and operate on behalf of BPD and that are relevant to the
Schedule of Federal Debt. Our assessment included a review of the
supporting network infrastructure that interconnects the mainframe and
distributed-based systems.
To accomplish this objective, we used elements of our Federal
Information System Controls Audit Manual[Footnote 10] to evaluate
information system controls within the FRB control environment. We
concentrated our efforts primarily on the evaluation of logical access
controls over the FRBs' distributed-based auction applications because
of their recent implementation and the Federal Reserve network
infrastructure that supports these applications. To evaluate these
applications, we reviewed information system controls over network
resources used by the applications and focused on the following control
domain areas: identification and authentication; authorization;
boundary protection; cryptography; logging, auditing, and monitoring;
and configuration management and assurance. Our review included
observations of Treasury auction operations and an examination of:
* automated programs related to the auction process;
* system data collected by FRB employees in our presence and at our
direction;
* system and infrastructure documentation;
* source code for the distributed-based auction applications; and:
* configuration files of firewalls, routers, and switches.
We also examined policy and procedural documentation for the FRBs'
distributed computing security and network security, interviewed
information technology managers and staff, and familiarized ourselves
with the operations of the general auditors and with the results of
their recent work applicable to our audit.
In addition, we performed limited application controls testing over the
Treasury mainframe auction application and other key mainframe
applications that support Treasury's financial reporting. Specifically,
we evaluated application controls associated with access (segregation
of duties, least privilege, and identification and authentication);
controls over master data; transaction data input (data validation and
edit checks); transaction data processing (data integrity and logs);
and transaction data output (output reconciliation and review). To
evaluate the effectiveness of these controls, we obtained system
configuration information using GAO-prepared analytical tools run by
FRB IT staff, and verified critical operating system logging and access
control information for relevant system configurations. Also, using GAO-
prepared scripts, we obtained information on operating system utilities
with assistance from FRB IT staff.
We discussed with officials from the staff of the Board of Governors
and key Federal Reserve information security representatives and
officials whether information security controls were in place,
adequately designed, and operating effectively. We also discussed with
these individuals the results of our review.
We performed our work at the FRBs that operate and maintain the
mainframe and distributed-based financial reporting and auction
applications we selected for review. We performed our work from March
2005 through May 2006 in accordance with generally accepted government
auditing standards.
Security of Treasury Auction Systems Needs to Be Addressed:
Although the FRBs established and implemented many controls to protect
the mainframe applications that they maintain and operate on behalf of
BPD, they did not consistently implement controls to prevent, limit, or
detect unauthorized access to sensitive data and computing resources
for the distributed-based systems and network environment that support
Treasury auctions. As a result, increased risk exists that unauthorized
and possibly undetected use, modification, destruction, and disclosure
of certain sensitive auction information could occur. Furthermore,
other FRB applications that share common network resources may also
face increased risk.
These information system control weaknesses existed, in part, because
the FRBs did not have (1) an effective management structure for
coordinating, communicating, and overseeing information security
activities across bank organizational boundaries and (2) an environment
to sufficiently test the auction applications.
Mainframe Control Environment:
The FRBs had generally implemented effective information system
controls for the mainframe applications that they operate and maintain
on behalf of BPD in support of Treasury's auctions and financial
reporting. Examples of these controls include multiple layers of
procedural and technical controls over mainframe systems, effective
isolation of mainframe systems having different control requirements,
and continuous independent auditing of mainframe technical controls. In
addition, FRIT upgrades the software for the mainframe systems on an
annual schedule. Each year, a new logical partition of the mainframe is
created with the upgraded operating system and vendor-supplied
software. This logical partition is then tested in a defined process,
which is subject to an annual audit, and there is continuous monitoring
of the production logical partitions.
Distributed-Based Systems and Supporting Network Environment:
Although the mainframe control environment was generally effective, the
FRBs had not effectively implemented information system controls for
the distributed-based systems and supporting network environment
relevant to Treasury auctions. More specifically, the FRBs did not
consistently (1) identify and authenticate users to prevent
unauthorized access; (2) enforce the principle of least privilege to
ensure that authorized access was necessary and appropriate; (3)
implement adequate boundary protections to limit connectivity to
systems that process BPD business; (4) apply strong encryption
technologies to protect sensitive data in storage and on the Federal
Reserve networks; (5) log, audit, or monitor security-related events;
and (6) maintain secure configurations on servers and workstations.
Identification and Authentication:
A computer system must be able to identify and differentiate among
users so that activities on the system can be linked to specific
individuals. When an organization assigns unique user accounts to
specific users, the system distinguishes one user from another--a
process called identification. The system also must establish the
validity of a user's claimed identity through some means of
authentication, such as a password, that is known only to its owner.
The combination of identification and authentication--such as user
account/password combinations--provides the basis for establishing
individual accountability and for controlling access to the system. The
National Institute of Standards and Technology states that information
systems should employ multifactor authentication, such as a combination
of passwords, tokens, and biometrics.
The FRBs did not adequately identify and authenticate users. For
example, due to the weak design of password reset functionality for one
of the distributed-based auction applications, anyone on the Internet
could potentially change the password for a user in the application by
having only his or her userID. Recognizing the severity of this
vulnerability, the FRBs took steps to immediately correct this
weakness.
The FRBs also designed and implemented the distributed-based auction
applications to only rely on one means of authentication, rather than a
combination of authentication factors for controlling access.
Furthermore, the FRBs did not replace a well-known vendor-supplied
password on one of their systems, thereby increasing the risk that an
unauthorized individual could guess the password and gain access to the
system.
Authorization:
Authorization is the process of granting or denying access rights and
privileges to a protected resource, such as a network, system,
application, function, or file. A key component of granting or denying
access rights is the concept of "least privilege." Least privilege is a
basic underlying principle for securing computer resources and data.
The term means that users are granted only those access rights and
permissions that they need to perform their official duties. To
restrict legitimate users' access to only those programs and files that
they need to do their work, organizations establish access rights and
permissions. User rights are allowable actions that can be assigned to
users or to groups of users. File and directory permissions are rules
that are associated with a particular file or directory and regulate
which users can access them and the extent of that access. To avoid
unintentionally giving users unnecessary access to sensitive files and
directories, an organization must give careful consideration to its
assignment of rights and permissions.
The FRBs did not implement sufficient authorization controls to limit
user access to distributed-based computer resources. The distributed-
based auction applications had excessive database privileges that were
granted explicitly as well as inherited through permissions given to
all users. As a result, malicious users could use these excessive
privileges to exploit other vulnerabilities in the applications. In
addition, the FRBs had granted users administrative privileges on their
workstations, even though most users did not require this level of
access. Granting unnecessary access privileges increases the risk that
a workstation could be successfully compromised and then used to attack
other FRB resources. As a result, the unnecessary level of access
granted to computer resources provides opportunities for individuals to
circumvent security controls to deliberately or inadvertently read,
modify, or delete critical or sensitive information.
Boundary Protection:
Boundary protections demarcate a logical or physical boundary between
protected information and systems and unknown users. Organizations
physically allocate publicly accessible information system components
to subnetworks with separate, physical network interfaces, and prevent
public access into their internal networks, except as authorized.
Unnecessary connectivity to an organization's network not only
increases the number of access paths that must be managed and the
complexity of the task, but increases the risk in a shared environment.
The FRBs did not consistently implement adequate boundary protections
to limit connectivity to applications in the shared network
environment. These applications include those that the FRBs operate and
maintain on behalf of BPD and other FRB internal applications and
systems that serve a variety of business areas with differing security
requirements. In addition, the internal network was not segregated to
restrict access to internal systems, and management of network devices
and applications was conducted "in-band."[Footnote 11] These practices
increase the risk that individuals could disrupt or gain unauthorized
access to sensitive auction data and other Federal Reserve computing
resources.
In some cases, the FRBs implemented effective boundary protection
controls. For example, the remote access system used Federal
Information Processing Standard compliant tokens for authentication and
enforced a restriction that prevented simultaneous communication with
the internal Federal Reserve network and the Internet.
Cryptography:
Cryptography underlies many of the mechanisms used to enforce the
confidentiality and integrity of critical and sensitive information.
Encryption--one type of cryptography--is the process of converting
readable or plaintext information into unreadable or ciphertext
information using a special value known as a key and a mathematical
process known as an algorithm. The strength of a key and an algorithm
is determined by their length and complexity--the longer and more
complex they are, the stronger they are.
The FRBs did not appropriately apply strong encryption technologies to
sensitive data and network traffic. Weak encryption algorithms, such as
the user's session information and application configuration files,
were used to protect sensitive data in one of the distributed-based
auction applications. Also, a weak encryption format was used to store
and transmit certain passwords. These weaknesses could allow an
attacker to view data and use that knowledge to gain access to
sensitive information, including auction data.
Logging, Auditing, and Monitoring:
Determining what, when, and by whom specific actions were taken on a
system is crucial to establishing individual accountability,
investigating security violations, and monitoring compliance with
security policies. Organizations accomplish this by implementing system
or security software that provides an audit trail for determining the
source of a transaction or attempted transaction and for monitoring
users' activities.
How organizations configure the system or security software determines
what system activity data are recorded into system logs and the nature
and extent of the audit trail information that results. Without
sufficient auditing and monitoring, organizations increase the risk
that they may not detect unauthorized activities or policy violations.
Furthermore, the National Institute of Standards and Technology
guidance states that organizations should deploy centralized servers
and configure devices to send duplicates of their log entries to the
centralized servers.
The FRBs did not sufficiently log, audit, or monitor events related to
the distributed-based auction application process. For example, the
intrusion detection system had not been customized to detect any
abnormal communication among application components that might indicate
an attack was in progress. In addition, no centralized logging was
performed for certain servers we examined. As a result, there was a
higher risk that unauthorized system activity would not be detected in
a timely manner.
Configuration Management and Assurance:
To protect an organization's information, it is important to ensure
that only authorized application programs are placed in operation. This
process, known as configuration management, is accomplished by
instituting policies, procedures, and techniques to help ensure that
all programs and program modifications are properly authorized, tested,
and approved.
Patch management, a component of configuration management, is an
important element in mitigating the risks associated with software
vulnerabilities. When a software vulnerability is discovered, the
software vendor may develop and distribute a patch or work-around to
mitigate the vulnerability. Up-to-date patch installation can help
mitigate vulnerabilities associated with flaws in software code that
could be exploited to cause significant damage, ranging from Web-site
defacement to the loss of control of entire systems, thereby enabling
malicious individuals to read, modify, or delete sensitive information;
disrupt operations; or launch attacks against other organizations'
systems. Configuration assurance is the process of verifying the
correctness of the security settings on hosts, applications, and
networks and maintaining operations in a secure fashion.
The FRBs did not maintain secure configurations on the distributed-
based auction application servers and workstations we reviewed. Key
servers and FRB workstations were missing patches that could prevent an
attacker from gaining remote access. In addition, the FRBs were running
a database management system and network devices that were no longer
supported by the vendor. Unsupported products greatly increase the risk
of security breaches, since the vendor often does not provide patches
for known vulnerabilities. As a result of these weaknesses, the risk is
increased of a successful attack and compromise of the related auction
process.
Certain Information Security Practices Not Implemented:
The previously mentioned information system control weaknesses existed,
in part, because the FRBs did not have (1) an effective management
structure for coordinating, communicating, and overseeing information
security activities across bank organizational boundaries and (2) an
environment to sufficiently test the auction applications.
Effective Management Structure Not Established:
Implementing effective information security management practices across
the enterprise is essential to ensuring that controls over information
and information systems work effectively on a continuing basis, as
described in our May 1998 study of security management best
practices.[Footnote 12] An important factor in implementing effective
practices is linking them in a cycle of activity that helps to ensure
that information security policies address current risks on an ongoing
basis. An effective management structure is the starting point for
coordinating and communicating the continuous cycle of information
security activities, while providing guidance and oversight for the
security of the entity as a whole. One mechanism organizations can
adopt to achieve effective coordination and communication, particularly
in organizations where information security management is
decentralized, is to establish a central security management office or
group to serve as a facilitator to individual business units and senior
management. A central security group serves as a locus of knowledge and
expertise on information security and coordinates agencywide security-
related activities. This group is also accessible to security
specialists at the various organizational elements within the agency.
Such a management structure is especially important to manage the
inherent risks associated with a highly distributed, interconnected
network-based computing environment and to help ensure that weaknesses
in one system do not place the entire entity's information assets at
undue risk. In addition, as part of this management structure, clearly
defined roles and responsibilities for all security staff should be
established and coordination of responsibilities among individual
security staff should be developed and communicated to ensure that,
collectively, information security activities are effective.
The FRBs did not have an effective management structure for
coordinating, communicating, and overseeing their decentralized
information security management activities that support Treasury
auction systems and the supporting network infrastructure. Each bank
operates independently and autonomously of one another, yet they share
many of the same systems and computing resources. Because the FRBs did
not have an effective information security management structure over
the distributed-based systems, information security activities were not
adequately coordinated among the banks and with the various IT groups
involved in providing IT support services, including FRIT--the
organization that provides entitywide IT support services. For example,
information management activities associated with one of the
distributed-based auction systems was divided among 10 IT groups, as
shown in figure 1.
Figure 1: One FRB System Managed by Multiple Information Technology
Groups:
[See PDF for image]
Source: GAO analysis of Federal Reserve data.
[End of figure]
In addition, no IT group was responsible for coordinating and
communicating enterprisewide security operations support or oversight
services. Consequently, the various organizations responsible for
implementing information security did not have a good understanding or
adequate visibility of the activities that other groups performed, nor
did they always make appropriate decisions about information security
for the network environment as a whole. As a result, there was no
enterprisewide view of information security, and decisions regarding
information security activities were not always optimal or based on a
full understanding of the shared network environment supporting the
Treasury auction process. For example,
* one IT group responsible for database operations made information
security decisions regarding the distributed-based auction applications
on the concept that they were operating in a "trusted network," which
resulted in the omission of controls that should have been in place;
* one IT group made decisions about the operations and maintenance of
the distributed-based auction applications without full or accurate
knowledge of the relevant computing environment;
* no IT group had responsibility for making a decision to upgrade the
distributed-based auction database product, although all concerned
agreed that an upgrade was needed; and:
* servers that support the distributed-based auction applications were
supposed to be identical to ensure real-time continuity of operations,
but our testing showed that, as implemented, they were not identical.
The Federal Reserve recognizes that a need exists for comprehensive
approaches to managing information security, and that the management
structure and processes that served its mainframe-centric environment
in the past are not adequate for the distributed, interconnected
environment supporting its various lines of business today. The Federal
Reserve has an initiative under way to establish an information
security architecture framework that is intended to integrate
enterprise security activities, including enterprise access management,
domain boundary, data security, configuration management, and
information assurance. If effectively implemented, this initiative
could provide the FRBs with an enterprisewide operational and
technological view of its computing environment, including the
interdependencies and interrelationships across the entity's business
operations and underlying IT infrastructure and applications that
support these operations.
However, until a more comprehensive and enterprisewide approach to
security management is adopted, the FRB organizations that support
Treasury auction systems will be limited in their ability to ensure the
confidentiality, integrity, and availability of certain sensitive
auction information and other resources for systems that they maintain
and operate.
Test Environment for Auction Systems Lacking:
The FRBs did not have a test environment to evaluate system changes and
enhancements to the distributed-based auction applications, which
limited the rigor of the testing that could be performed. A separate
test environment that models the production environment is critical to
ensuring that systems and system enhancements are adequately tested and
do not adversely affect production.[Footnote 13] However, the FRBs did
not have an isolated testing area that was functionally separate from
the production network infrastructure and other FRB business
applications. As a result, some application security testing was
performed during very limited scheduled outages of the production
systems involved, and some test procedures were never performed because
the risk to production systems could not be effectively mitigated.
Conclusions:
Although the FRBs have implemented many controls to protect the
mainframe information systems that they maintain on behalf of BPD
relevant to the Schedule of Federal Debt, information security control
weaknesses related to the distributed-based auction systems and
supporting network environment exist at the Federal Reserve that place
certain sensitive auction information at risk. The weaknesses in
identification and authentication; authorization; boundary protection;
cryptography; logging, auditing, and monitoring; and configuration
management and assurance affect not only the distributed-based auction
systems but also could affect other FRB systems residing in the shared
network environment. With control over and responsibility for
Treasury's auction information systems spread across the FRBs, an
effective management structure for coordinating, communicating, and
overseeing information security activities across bank organizational
boundaries becomes even more important. In addition, more robust
testing of security controls over the auction applications is
imperative to help provide more timely detection of vulnerabilities.
Until the Federal Reserve takes steps to mitigate these weaknesses, it
has increased risk that sensitive auction data would not be adequately
protected against unauthorized disclosure, modification, or
destruction.
Recommendations for Executive Action:
To help strengthen the FRBs' information security over key distributed-
based auction systems, we recommend that you take the following two
steps:
* establish a management structure that ensures decentralized
information security activities are effective and:
* implement an application test environment for the auction systems.
We are also making additional recommendations in a separate report with
limited distribution. These recommendations consist of actions to be
taken to correct the specific information security weaknesses we
identified that are related to identification and authentication;
authorization; boundary protection; cryptography; logging, auditing,
and monitoring; and configuration management and assurance.
Agency Comments:
In providing written comments on a draft of this report (reprinted in
app. I), the Director, Division of Reserve Bank Operations and Payment
Systems of the Federal Reserve System, generally agreed with the
contents of the draft report and stated that the Federal Reserve has
already taken corrective actions to remedy many of the reported
findings and will continue to apply its risk-based assessment framework
to determine appropriate information security controls or compensating
measures to address the remaining findings. The director also described
completed, ongoing, and planned actions to address systemic and
organizational issues that contributed to the report's findings,
including actions to improve the Federal Reserve's ability to
coordinate and oversee its operational and technical environments and
to replace its existing auction applications and operational
infrastructure. In addition, the director commented that the Federal
Reserve and Treasury plan to validate the integrity of the new
application and infrastructure at several points during the development
of the application; a key aspect of this validation is to ensure that
the findings in this report are addressed.
This report contains recommendations to you. As you know, 31 U.S.C. 720
requires that the head of a federal agency submit a written statement
of the actions taken on our recommendations to the Senate Committee on
Homeland Security and Governmental Affairs and to the House Committee
on Government Reform not later than 60 days from the date of the report
and to the House and Senate Committees on Appropriations with the
agency's first request for appropriations made more than 60 days after
the date of this report. Because agency personnel serve as the primary
source of information on the status of recommendations, GAO requests
that the agency also provide us with a copy of your agency's statement
of action to serve as preliminary information on the status of open
recommendations.
We are sending copies of this report to the Chairmen and Ranking
Minority Members of the Senate Committee on Homeland Security and
Governmental Affairs; the Subcommittee on Federal Financial Management,
Government Information, and International Security, Senate Committee on
Homeland Security and Governmental Affairs; and the Chairmen and
Ranking Minority Members of the House Committee on Government Reform
and the Subcommittee on Government Management, Finance, and
Accountability, House Committee on Government Reform. In addition, we
are sending copies to the Fiscal Assistant Secretary of the Treasury
and the Deputy Director for Management of OMB. We will also make copies
available to others upon request. In addition, this report will be
available at no charge on the GAO Web site at [Hyperlink,
http://www.gao.gov] .
If you or your staff have any questions about this report, please
contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov,
Keith A. Rhodes at (202) 512-6412 or rhodesk@gao.gov, or Gary T. Engel
at (202) 512-8815 or engelg@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last
page of this report. GAO staff who made major contributions to this
report are listed in appendix II.
Sincerely yours,
Signed by:
Gregory C. Wilshusen:
Director, Information Security Issues:
Signed by:
Keith A. Rhodes:
Chief Technologist:
Signed by:
Gary T. Engel:
Director, Financial Management and Assurance:
[End of section]
Appendix I: Comments from the Federal Reserve:
Board Of Governors Of The Federal Reserve System:
Washington. D.C. 20551:
Louise L. Roseman:
Director Division Of Reserve Bank Operations And Payment Systems:
August 10, 2006:
Mr. Gregory C. Wilshusen:
Director, Information Security Issues:
Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Wilshusen:
On behalf of Chairman Bernanke, thank you for the opportunity to
comment on the GAO's report titled Information Security: Federal
Reserve Needs to Address Treasury Auction Systems. The GAO's audit of
the Treasury auction systems was conducted as part of its review of the
Bureau of the Public Debt's FY 2005 Schedules of Federal Debt. The
report identified a number of weaknesses in Reserve Bank computer-based
information security control environments in the distributed computing
and network environments that support the Treasury auction processes.
We have already taken corrective actions to remediate many of the
findings in the report, and we will continue to apply our risk-based
assessment framework to determine appropriate information security
controls or compensating measures to address remaining findings.
The Reserve Banks are taking action to address systemic and
organizational issues that contributed to the report's findings. We met
with the GAO review team several times to discuss our plans to further
strengthen our information security architecture and to correct the
root causes of the findings so that we avoid recurring weakness in
controls. The report recognizes that successful implementation of the
strengthened architecture could improve our ability to manage our
information security operational and technical environments. We have
also taken actions to improve our ability to coordinate and oversee our
complex IT systems effectively. The Reserve Banks recently realigned
their information security governance structure and designated the
Director of the Reserve Banks' Federal Reserve Information Technology
organization (FRIT) as the focal point for enterprise-wide information
security. All operational units within the Federal Reserve Banks are
responsible for confirming compliance with established information
security operational practices and information security policies and
standards with the Director of FRIT. As part of this realignment, FRIT
established a new function, National Information Security Assurance
(VISA), which is responsible for monitoring end-to-end information
security compliance with security standards, including software
currency, across the Federal Reserve. Further, NISA will maintain an
aggregate view of information security risk across all risk management
programs, including internal audit and external sources, such as the
GAO.
The Treasury auction applications reviewed in this report were
developed starting in 1998 when web technology, tools, and development
practices were substantially less evolved than those available today.
While security methods for web-based applications have improved, so has
the sophistication of criminals attempting to compromise them.
The Treasury and the Federal Reserve are currently undertaking a
significant development initiative to replace the existing applications
and operational infrastructure by year-end 2007. The design of the new
application and infrastructure is based on current sound practices that
will ensure a well managed and well-controlled operating environment.
The Federal Reserve and Treasury plan to validate the integrity of the
application and infrastructure at several points in the project using
internal and external technical resources. A key aspect of this
validation is ensuring the GAO's findings are addressed. The new
auction applications will be operated within the Federal Reserve's
strengthened information security architecture, and information
security compliance will be monitored through our improved information
security governance structure.
As your report notes, this review specifically focused on information
security controls in the distributed computing and network environments
supporting the Treasury auction process. The GAO's review did not
consider the end-to-end risk control environment that would include
management and business operational controls. This additional layer of
control is critical to ensuring the integrity of the Schedules of
Federal Debt. The information security vulnerabilities the GAO
identified did not affect its opinion in its report titled Financial
Audit: Bureau of the Public Debt's Fiscal Years 2004 and 2005 Schedules
of Federal Debt. That report noted that effective internal controls
over financial reporting and compliance with applicable laws and
regulations were maintained. Although we consider the information
security control vulnerabilities identified in the Treasury auction
system report significant and warranting our serious attention, they
should not be construed as allowing successful circumvention of
Treasury auction management and business operational controls.
We appreciate the quality of the GAO technical review and the time
taken by the review team to brief Federal Reserve and Treasury staff
thoroughly on the results of the review. The GAO team has also
contributed to our remediation efforts by consulting with various
Federal Reserve technical and management staff on the technical details
underlying the findings in the report.
Sincerely,
Signed by:
Louise L. Roseman:
[End of section]
Appendix II: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Gregory C. Wilshusen, Director, Information Security Issues, (202) 512-
6244:
Keith A. Rhodes, Chief Technologist, (202) 512-6412:
Gary T. Engel, Director, Financial Management and Assurance, (202) 512-
8815:
Staff Acknowledgments:
In addition to the individuals named above, Ed Alexander, Lon Chin,
Edward Glagola, David Hayes, Hal Lewis, Duc Ngo, Dawn Simpson, and
Jenniffer Wilson, Assistant Directors, and Mark Canter, Dean Carpenter,
Jason Carroll, West Coile, Debra Conner, Neil Doherty, Nancy Glover,
Sharon Kittrell, Eugene Stevens, Henry Sutanto, Amos Tevelow, and Chris
Warweg made key contributions to this report.
(310575):
FOOTNOTES
[1] Distributed-based systems consist of a number of components, which
are themselves computer systems. The components are connected by a
communications medium, usually a sophisticated network. Applications
execute by using a number of processes in different component systems.
These processes communicate and interact to achieve productive work
within the application.
[2] Information system controls include general and application
controls. Both general and application controls must be effective to
help ensure the confidentiality, integrity, and availability of
critical or sensitive automated information. General controls affect
the overall effectiveness of the security of computer operations as
opposed to being unique to any specific computer application. These
controls include logical access controls, specifically, those controls
that prevent or detect unauthorized access to sensitive data and
programs that are stored, processed, and transmitted electronically.
Application controls relate directly to individual computer
applications that are used to perform specific functions or process
transactions.
[3] BPD's responsibility includes issuing and redeeming debt
instruments, paying interest to investors, and accounting for the
resulting debt.
[4] GAO, Financial Audit: Bureau of the Public Debt's Fiscal Years 2005
and 2004 Schedules of Federal Debt, GAO-06-169 (Washington, D.C.: Nov.
7, 2005).
[5] In that review, we opined that BPD maintained, in all material
respects, effective internal control relevant to the Schedule of
Federal Debt related to financial reporting and compliance with
applicable laws and regulations, as of September 30, 2005. We found
matters involving information security controls that did not adversely
affect the audit opinion on internal control. BPD mitigates the
potential effect of such issues with physical security measures, with a
program of monitoring user and system activity on systems that BPD
operates and maintains, and by compensating management and
reconciliation controls.
[6] GAO, High-Risk Series: Information Management and Technology, GAO/
HR-97-9 (Washington, D.C.: February 1997).
[7] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.:
January 2005).
[8] Enacted as Title III, E-Government Act of 2002, Pub. L. No. 107-
347, 166 Stat. 2946 (Dec. 17, 2002).
[9] As of January 2006, there were 22 primary broker/dealers who serve
as trading counterparties for the Federal Reserve in the Treasury
securities market, designated by FRB New York on the basis of their
ability to (1) make reasonably good markets in their trading
relationships with the Federal Reserve trading desk; (2) participate
meaningfully in Treasury auctions; and (3) market information and
analysis that may be useful to the Federal Reserve in the formulation
and implementation of monetary policy.
[10] GAO, Federal Information System Controls Audit Manual, GAO/AIMD-
12.19.6 (Washington, D.C.: January 1999).
[11] "In-band management" refers to using the same logical and physical
network as normal applications and user communications instead of
separating this traffic.
[12] GAO, Executive Guide: Information Security Management-Learning
from Leading Organizations, GAO/AIMD-98-68 (Washington, D.C.: May
1998).
[13] Dustin, Elfriede. Effective Software Testing (Boston, MA: Addison-
Wesley, Pearson-Education, Inc., 2003).
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548: