Information Security: Federal Reserve Needs to Address Treasury  
Auction Systems (30-AUG-06, GAO-06-659).			 
                                                                 
The Federal Reserve System's Federal Reserve Banks (FRB) serve as
fiscal agents of the U.S. government when they are directed to do
so by the Secretary of the Treasury. In this capacity, the FRBs  
operate and maintain several mainframe and distributed-based	 
systems--including the systems that support the Department of the
Treasury's auctions of marketable securities--on behalf of the	 
department's Bureau of the Public Debt (BPD). Effective security 
controls over these systems are essential to ensure that	 
sensitive and financial information is adequately protected from 
inadvertent or deliberate misuse, disclosure, or destruction. In 
support of its audit of BPD's fiscal year 2005 Schedule of	 
Federal Debt, GAO assessed the effectiveness of information	 
system controls in protecting financial and sensitive auction	 
information on key mainframe and distributed-based systems that  
the FRBs maintain and operate for BPD. To do this, GAO observed  
and tested FRBs' security controls.				 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-659 					        
    ACCNO:   A60004						        
  TITLE:     Information Security: Federal Reserve Needs to Address   
Treasury Auction Systems					 
     DATE:   08/30/2006 
  SUBJECT:   Computer security					 
	     Data encryption					 
	     Federal reserve banks				 
	     Financial management systems			 
	     Information security				 
	     Internal controls					 
	     Management information systems			 
	     US Treasury securities				 
	     Information security management			 
	     Bureau of the Public Debt Schedule of		 
	     Federal Debt					 
                                                                 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-659

     

     * Report to the Chairman, Board of Governors of the Federal Reserve
       System
          * August 2006
     * INFORMATION SECURITY
          * Federal Reserve Needs to Address Treasury Auction Systems
     * Contents
          * Results in Brief
          * Background
               * Structure of the Federal Reserve System
               * The FRBs Serve as Treasury Fiscal Agents
          * Objective, Scope, and Methodology
          * Security of Treasury Auction Systems Needs to Be Addressed
               * Mainframe Control Environment
               * Distributed-Based Systems and Supporting Network Environment
                    * Identification and Authentication
                    * Authorization
                    * Boundary Protection
                    * Cryptography
                    * Logging, Auditing, and Monitoring
                    * Configuration Management and Assurance
               * Certain Information Security Practices Not Implemented
                    * Effective Management Structure Not Established
                    * Test Environment for Auction Systems Lacking
          * Conclusions
          * Recommendations for Executive Action
          * Agency Comments
     * Comments from the Federal Reserve
     * GAO Contacts and Staff Acknowledgments

Report to the Chairman, Board of Governors of the Federal Reserve System

August 2006

INFORMATION SECURITY

Federal Reserve Needs to Address Treasury Auction Systems

Contents

Figure

August 30, 2006Letter

The Honorable Ben Bernanke Chairman, Board of Governors of the Federal
Reserve System

Dear Mr. Bernanke:

As the central bank of the United States, the Federal Reserve System has
an important role in ensuring the safety and soundness of the nation's
banking and financial system. The Federal Reserve System's Federal Reserve
Banks (FRB) serve as fiscal agents of the U.S. government when directed to
do so by the Secretary of the Treasury. In this capacity, the FRBs operate
and maintain several mainframe and distributed-based systems1 on behalf of
the Department of Treasury's Bureau of the Public Debt (BPD). Effective
controls2 over these information systems are essential to ensuring that
sensitive and financial information is adequately protected from
inadvertent or deliberate misuse, disclosure, or destruction.

As you know, Treasury is authorized by Congress to borrow money on the
credit of the United States to pay off maturing debt and raise the cash
needed to operate the federal government. Within Treasury, BPD is the
organizational entity designated to carry out this responsibility.3 It
does so by selling securities at auctions conducted electronically through
one of its internal offices and through the FRBs and their branches. BPD
has delegated the responsibility for processing auction transactions to
the FRBs. Acting in this capacity, various FRB information technology (IT)
support organizations maintain and operate automated auction systems on
BPD's behalf. These systems receive bids, calculate the auction results,
and generate notices and receipts of electronic tenders and awarded bids.

In support of our audit of BPD's fiscal year 2005 Schedule of Federal
Debt,4 we assessed the effectiveness of information system controls over
key financial systems that the FRBs maintain and operate on behalf of BPD.
These systems included mainframe applications that support Treasury
auctions and financial reporting, distributed-based systems that support
Treasury auctions,  and networks that interconnect those systems. In
forming an opinion on BPD's internal control relevant to the Schedule of
Federal Debt, we considered the results of our review of information
security controls at BPD and the FRBs relevant to the Schedule of Federal
Debt.5 Our review also considered applicable compensating and management
reconciliation controls at BPD.

This report discusses the effectiveness of information system controls in
ensuring the confidentiality, integrity, and availability of Treasury's
financial and sensitive auction information on mainframe and
distributed-based systems that the FRBs maintain and operate on behalf of
BPD and that are relevant to the Schedule of Federal Debt.

Results in Brief

The FRBs had generally implemented effective controls over their mainframe
applications that they maintain and operate on behalf of BPD in support of
Treasury's financial reporting. However, the FRBs had not effectively
implemented information system controls to protect the confidentiality,
integrity, and availability of sensitive data and computing resources for
the distributed-based systems and the supporting network environment
relevant to Treasury auctions. Specifically, the FRBs did not consistently
(1) identify and authenticate users to prevent unauthorized access; (2)
enforce the principle of least privilege to ensure that authorized access
was necessary and appropriate; (3) implement adequate boundary protections
to limit connectivity to systems that process BPD business; (4) apply
strong encryption technologies to protect sensitive data in storage and on
its networks; (5) log, audit, or monitor security-related events; and (6)
maintain secure configurations on servers and workstations.

As a result, auction information and computing resources for key
distributed-based auction systems that the FRBs maintain and operate on
behalf of BPD are at an increased risk of unauthorized and possibly
undetected use, modification, destruction, and disclosure. Furthermore,
other FRB applications that share common network resources with the
distributed-based systems may face similar risks.

These information system control weaknesses existed, in part, because the
FRBs did not have (1) an effective management structure for coordinating,
communicating, and overseeing information security activities across bank
organizational boundaries and (2) an adequate environment in which to
sufficiently test the auction applications.

We are making recommendations to you to establish an effective management
structure for implementing key information security activities and a test
environment for auction systems.

We are also making additional recommendations in a separate report with
limited distribution. These recommendations address actions needed to
correct the specific information security weaknesses in the
distributed-based systems and network infrastructure.

In providing written comments on a draft of this report (reprinted in app.
I), the Director, Division of Reserve Bank Operations and Payment Systems
of the Federal Reserve System, described completed, ongoing, and planned
corrective actions to address the weaknesses identified in the report.

Background

For any organization that depends on information systems to carry out its
mission, protecting those systems that support critical operations and
infrastructures is of paramount importance. Without proper safeguards, the
speed and accessibility that create the enormous benefits of the computer
age may allow individuals and groups with malicious intent to gain
unauthorized access to systems and use this access to obtain sensitive
information, commit fraud, disrupt operations, or launch attacks against
other sites.

Concerns about attacks from individuals and groups, including terrorists,
are well founded for a number of reasons, including the dramatic increase
in reports of security incidents, the ease of obtaining and using hacking
tools, the steady advance in the sophistication and effectiveness of
attack technology, and the dire warnings of new and more destructive
attacks to come. Given these threats, the security of computer-supported
federal operations are at risk and place a variety of critical operations
at risk of disruption, fraud, and inappropriate disclosure. We have
designated information security as a governmentwide high-risk area since
19976-a designation that remains today.7

To address these concerns, Congress enacted the Federal Information
Security Management Act of 20028 to strengthen the security of information
collected or maintained and information systems used or operated by
federal agencies, or by a contractor or other organization on behalf of a
federal agency. The act provides a comprehensive framework for ensuring
the effectiveness of information security controls over information
resources that support federal operations and assets. The act requires
each agency to develop, document, and implement an agencywide information
security program for the information and systems that support the
operations of the agency as well as information systems used or operated
by an agency or by a contractor of an agency or other organization on
behalf of an agency.

Structure of the Federal Reserve System

Established by the Federal Reserve Act of 1913, the Federal Reserve System
consists of a 7-member Board of Governors with headquarters in Washington,
D.C.; 12 Reserve Districts, each with its own FRB located in a major city
in the United States; and 25 bank branches. The Federal Reserve System
differs from other entities established to carry out public purposes in
that it is part public and part private. Although the Board is a
government agency, the banks are not. Also, the Federal Reserve System
structure does not follow the familiar "top-down" hierarchy, with all
policymaking authorities centralized in Washington, D.C. The Board and the
FRBs have shared responsibilities and policymaking authority in many areas
of operation.

The FRBs Serve as Treasury Fiscal Agents

The FRBs play a significant role in the processing of marketable Treasury
securities. As fiscal agents of Treasury, the FRBs receive bids, issue
securities to awarded bidders, collect payments on behalf of Treasury, and
make interest and redemption payments from Treasury's account to the
accounts of security holders. During fiscal year 2005, the FRBs processed
debt held by the public of about $4.5 trillion in issuances, about $4.2
trillion in redemptions, and about $128 billion in interest payments.
Certain FRBs also provide IT services in support of Treasury auctions,
operating and maintaining the Treasury mainframe auction application in
which bid submissions are recorded and the auction results calculated.

In addition to the Treasury mainframe auction application, the FRBs also
operate and maintain two Treasury distributed-based auction applications.
These applications provide the user interface to the mainframe auction
application through the Federal Reserve networks. One of the
distributed-based auction applications serves approximately 670 users,
allowing them to participate in public (primarily noncompetitive) auctions
via the Internet. The other distributed-based auction application serves
22 primary broker/dealers9 for competitive auctions who connect to it via
workstations installed in the dealers' offices by the FRBs. One nonprimary
broker/dealer is allowed to access this distributed-based auction
application via the Internet on a trial basis. These distributed-based
auction applications transmit information on the tenders/bids, including
the name of the submitter, the par amount of securities being tendered or
awarded, the discount rate being tendered or awarded, and the clearing
bank. Multiple Federal Reserve organizations are involved in the operation
and maintenance of these applications, including the Federal Reserve
Information Technology (FRIT)-the organization that provides entitywide IT
support services for the Federal Reserve System.

Other systems supporting Treasury financial reporting are mainframe-based
applications and are used to record securities purchased by financial
institutions, provide an automated system for investors to buy securities
directly from Treasury and manage their Treasury securities portfolios,
and monitor and track all cash received and disbursed for debt
transactions that the FRBs process.

Objective, Scope, and Methodology

The objective of our review was to assess the effectiveness of information
system controls in ensuring the confidentiality, integrity, and
availability of Treasury's financial and sensitive auction information on
key mainframe and distributed-based systems that the FRBs maintain and
operate on behalf of BPD and that are relevant to the Schedule of Federal
Debt. Our assessment included a review of the supporting network
infrastructure that interconnects the mainframe and distributed-based
systems.

To accomplish this objective, we used elements of our Federal Information
System Controls Audit Manual10 to evaluate information system controls
within the FRB control environment. We concentrated our efforts primarily
on the evaluation of logical access controls over the FRBs'
distributed-based auction applications because of their recent
implementation and the Federal Reserve network infrastructure that
supports these applications. To evaluate these applications, we reviewed
information system controls over network resources used by the
applications and focused on the following control domain areas:
identification and authentication; authorization; boundary protection;
cryptography; logging, auditing, and monitoring; and configuration
management and assurance. Our review included observations of Treasury
auction operations and an examination of

o automated programs related to the auction process;

o system data collected by FRB employees in our presence and at our
direction;

o system and infrastructure documentation;

o source code for the distributed-based auction applications; and

o configuration files of firewalls, routers, and switches.

We also examined policy and procedural documentation for the FRBs'
distributed computing security and network security, interviewed
information technology managers and staff, and familiarized ourselves with
the operations of the general auditors and with the results of their
recent work applicable to our audit.

In addition, we performed limited application controls testing over the
Treasury mainframe auction application and other key mainframe
applications that support Treasury's financial reporting. Specifically, we
evaluated application controls associated with access (segregation of
duties, least privilege, and identification and authentication); controls
over master data; transaction data input (data validation and edit
checks); transaction data processing (data integrity and logs); and
transaction data output (output reconciliation and review). To evaluate
the effectiveness of these controls, we obtained system configuration
information using GAO-prepared analytical tools run by FRB IT staff, and
verified critical operating system logging and access control information
for relevant system configurations. Also, using GAO-prepared scripts, we
obtained information on operating system utilities with assistance from
FRB IT staff.

We discussed with officials from the staff of the Board of Governors and
key Federal Reserve information security representatives and officials
whether information security controls were in place, adequately designed,
and operating effectively. We also discussed with these individuals the
results of our review.

We performed our work at the FRBs that operate and maintain the mainframe
and distributed-based financial reporting and auction applications we
selected for review. We performed our work from March 2005 through May
2006 in accordance with generally accepted government auditing standards.

Security of Treasury Auction Systems Needs to Be Addressed

Although the FRBs established and implemented many controls to protect the
mainframe applications that they maintain and operate on behalf of BPD,
they did not consistently implement controls to prevent, limit, or detect
unauthorized access to sensitive data and computing resources for the
distributed-based systems and network environment that support Treasury
auctions. As a result, increased risk exists that unauthorized and
possibly undetected use, modification, destruction, and disclosure of
certain sensitive auction information could occur. Furthermore, other FRB
applications that share common network resources may also face increased
risk.

These information system control weaknesses existed, in part, because the
FRBs did not have (1) an effective management structure for coordinating,
communicating, and overseeing information security activities across bank
organizational boundaries and (2) an environment to sufficiently test the
auction applications.

Mainframe Control Environment

The FRBs had generally implemented effective information system controls
for the mainframe applications that they operate and maintain on behalf of
BPD in support of Treasury's auctions and financial reporting. Examples of
these controls include multiple layers of procedural and technical
controls over mainframe systems, effective isolation of mainframe systems
having different control requirements, and continuous independent auditing
of mainframe technical controls. In addition, FRIT upgrades the software
for the mainframe systems on an annual schedule. Each year, a new logical
partition of the mainframe is created with the upgraded operating system
and vendor-supplied software. This logical partition is then tested in a
defined process, which is subject to an annual audit, and there is
continuous monitoring of the production logical partitions.

Distributed-Based Systems and Supporting Network Environment

Although the mainframe control environment was generally effective, the
FRBs had not effectively implemented information system controls for the
distributed-based systems and supporting network environment relevant to
Treasury auctions. More specifically, the FRBs did not consistently (1)
identify and authenticate users to prevent unauthorized access; (2)
enforce the principle of least privilege to ensure that authorized access
was necessary and appropriate; (3) implement adequate boundary protections
to limit connectivity to systems that process BPD business; (4) apply
strong encryption technologies to protect sensitive data in storage and on
the Federal Reserve networks; (5) log, audit, or monitor security-related
events; and (6) maintain secure configurations on servers and
workstations.

Identification and Authentication

A computer system must be able to identify and differentiate among users
so that activities on the system can be linked to specific individuals.
When an organization assigns unique user accounts to specific users, the
system distinguishes one user from another-a process called
identification. The system also must establish the validity of a user's
claimed identity through some means of authentication, such as a password,
that is known only to its owner. The combination of identification and
authentication-such as user account/password combinations-provides the
basis for establishing individual accountability and for controlling
access to the system. The National Institute of Standards and Technology
states that information systems should employ multifactor authentication,
such as a combination of passwords, tokens, and biometrics.

The FRBs did not adequately identify and authenticate users. For example,
due to the weak design of password reset functionality for one of the
distributed-based auction applications, anyone on the Internet could
potentially change the password for a user in the application by having
only his or her userID. Recognizing the severity of this vulnerability,
the FRBs took steps to immediately correct this weakness.

The FRBs also designed and implemented the distributed-based auction
applications to only rely on one means of authentication, rather than a
combination of authentication factors for controlling access. Furthermore,
the FRBs did not replace a well-known vendor-supplied password on one of
their systems, thereby increasing the risk that an unauthorized individual
could guess the password and gain access to the system.

Authorization

Authorization is the process of granting or denying access rights and
privileges to a protected resource, such as a network, system,
application, function, or file. A key component of granting or denying
access rights is the concept of "least privilege." Least privilege is a
basic underlying principle for securing computer resources and data. The
term means that users are granted only those access rights and permissions
that they need to perform their official duties. To restrict legitimate
users' access to only those programs and files that they need to do their
work, organizations establish access rights and permissions. User rights
are allowable actions that can be assigned to users or to groups of users.
File and directory permissions are rules that are associated with a
particular file or directory and regulate which users can access them and
the extent of that access. To avoid unintentionally giving users
unnecessary access to sensitive files and directories, an organization
must give careful consideration to its assignment of rights and
permissions.

The FRBs did not implement sufficient authorization controls to limit user
access to distributed-based computer resources. The distributed-based
auction applications had excessive database privileges that were granted
explicitly as well as inherited through permissions given to all users. As
a result, malicious users could use these excessive privileges to exploit
other vulnerabilities in the applications. In addition, the FRBs had
granted users administrative privileges on their workstations, even though
most users did not require this level of access. Granting unnecessary
access privileges increases the risk that a workstation could be
successfully compromised and then used to attack other FRB resources. As a
result, the unnecessary level of access granted to computer resources
provides opportunities for individuals to circumvent security controls to
deliberately or inadvertently read, modify, or delete critical or
sensitive information.

Boundary Protection

Boundary protections demarcate a logical or physical boundary between
protected information and systems and unknown users. Organizations
physically allocate publicly accessible information system components to
subnetworks with separate, physical network interfaces, and prevent public
access into their internal networks, except as authorized. Unnecessary
connectivity to an organization's network not only increases the number of
access paths that must be managed and the complexity of the task, but
increases the risk in a shared environment.

The FRBs did not consistently implement adequate boundary protections to
limit connectivity to applications in the shared network environment.
These applications include those that the FRBs operate and maintain on
behalf of BPD and other FRB internal applications and systems that serve a
variety of business areas with differing security requirements. In
addition, the internal network was not segregated to restrict access to
internal systems, and management of network devices and applications was
conducted "in-band."11 These practices increase the risk that individuals
could disrupt or gain unauthorized access to sensitive auction data and
other Federal Reserve computing resources.

In some cases, the FRBs implemented effective boundary protection
controls. For example, the remote access system used Federal Information
Processing Standard compliant tokens for authentication and enforced a
restriction that prevented simultaneous communication with the internal
Federal Reserve network and the Internet.

Cryptography

Cryptography underlies many of the mechanisms used to enforce the
confidentiality and integrity of critical and sensitive information.
Encryption-one type of cryptography-is the process of converting readable
or plaintext information into unreadable or ciphertext information using a
special value known as a key and a mathematical process known as an
algorithm. The strength of a key and an algorithm is determined by their
length and complexity-the longer and more complex they are, the stronger
they are.

The FRBs did not appropriately apply strong encryption technologies to
sensitive data and network traffic. Weak encryption algorithms, such as
the user's session information and application configuration files, were
used to protect sensitive data in one of the distributed-based auction
applications. Also, a weak encryption format was used to store and
transmit certain passwords. These weaknesses could allow an attacker to
view data and use that knowledge to gain access to sensitive information,
including auction data.

Logging, Auditing, and Monitoring

Determining what, when, and by whom specific actions were taken on a
system is crucial to establishing individual accountability, investigating
security violations, and monitoring compliance with security policies.
Organizations accomplish this by implementing system or security software
that provides an audit trail for determining the source of a transaction
or attempted transaction and for monitoring users' activities.

How organizations configure the system or security software determines
what system activity data are recorded into system logs and the nature and
extent of the audit trail information that results. Without sufficient
auditing and monitoring, organizations increase the risk that they may not
detect unauthorized activities or policy violations. Furthermore, the
National Institute of Standards and Technology guidance states that
organizations should deploy centralized servers and configure devices to
send duplicates of their log entries to the centralized servers.

The FRBs did not sufficiently log, audit, or monitor events related to the
distributed-based auction application process. For example, the intrusion
detection system had not been customized to detect any abnormal
communication among application components that might indicate an attack
was in progress. In addition, no centralized logging was performed for
certain servers we examined. As a result, there was a higher risk that
unauthorized system activity would not be detected in a timely manner.

Configuration Management and Assurance

To protect an organization's information, it is important to ensure that
only authorized application programs are placed in operation. This
process, known as configuration management, is accomplished by instituting
policies, procedures, and techniques to help ensure that all programs and
program modifications are properly authorized, tested, and approved.

Patch management, a component of configuration management, is an important
element in mitigating the risks associated with software vulnerabilities.
When a software vulnerability is discovered, the software vendor may
develop and distribute a patch or work-around to mitigate the
vulnerability. Up-to-date patch installation can help mitigate
vulnerabilities associated with flaws in software code that could be
exploited to cause significant damage, ranging from Web-site defacement to
the loss of control of entire systems, thereby enabling malicious
individuals to read, modify, or delete sensitive information; disrupt
operations; or launch attacks against other organizations' systems.
Configuration assurance is the process of verifying the correctness of the
security settings on hosts, applications, and networks and maintaining
operations in a secure fashion.

The FRBs did not maintain secure configurations on the distributed-based
auction application servers and workstations we reviewed. Key servers and
FRB workstations were missing patches that could prevent an attacker from
gaining remote access. In addition, the FRBs were running a database
management system and network devices that were no longer supported by the
vendor. Unsupported products greatly increase the risk of security
breaches, since the vendor often does not provide patches for known
vulnerabilities. As a result of these weaknesses, the risk is increased of
a successful attack and compromise of the related auction process.

Certain Information Security Practices Not Implemented

The previously mentioned information system control weaknesses existed, in
part, because the FRBs did not have (1) an effective management structure
for coordinating, communicating, and overseeing information security
activities across bank organizational boundaries and (2) an environment to
sufficiently test the auction applications.

Effective Management Structure Not Established

Implementing effective information security management practices across
the enterprise is essential to ensuring that controls over information and
information systems work effectively on a continuing basis, as described
in our May 1998 study of security management best practices.12 An
important factor in implementing effective practices is linking them in a
cycle of activity that helps to ensure that information security policies
address current risks on an ongoing basis. An effective management
structure is the starting point for coordinating and communicating the
continuous cycle of information security activities, while providing
guidance and oversight for the security of the entity as a whole. One
mechanism organizations can adopt to achieve effective coordination and
communication, particularly in organizations where information security
management is decentralized, is to establish a central security management
office or group to serve as a facilitator to individual business units and
senior management. A central security group serves as a locus of knowledge
and expertise on information security and coordinates agencywide
security-related activities. This group is also accessible to security
specialists at the various organizational elements within the agency.

Such a management structure is especially important to manage the inherent
risks associated with a highly distributed, interconnected network-based
computing environment and to help ensure that weaknesses in one system do
not place the entire entity's information assets at undue risk. In
addition, as part of this management structure, clearly defined roles and
responsibilities for all security staff should be established and
coordination of responsibilities among individual security staff should be
developed and communicated to ensure that, collectively, information
security activities are effective.

The FRBs did not have an effective management structure for coordinating,
communicating, and overseeing their decentralized information security
management activities that support Treasury auction systems and the
supporting network infrastructure. Each bank operates independently and
autonomously of one another, yet they share many of the same systems and
computing resources. Because the FRBs did not have an effective
information security management structure over the distributed-based
systems, information security activities were not adequately coordinated
among the banks and with the various IT groups involved in providing IT
support services, including FRIT-the organization that provides entitywide
IT support services. For example, information management activities
associated with one of the distributed-based auction systems was divided
among 10 IT groups, as shown in figure 1.

Figure 1: One FRB System Managed by Multiple Information Technology Groups

In addition, no IT group was responsible for coordinating and
communicating enterprisewide security operations support or oversight
services. Consequently, the various organizations responsible for
implementing information security did not have a good understanding or
adequate visibility of the activities that other groups performed, nor did
they always make appropriate decisions about information security for the
network environment as a whole. As a result, there was no enterprisewide
view of information security, and decisions regarding information security
activities were not always optimal or based on a full understanding of the
shared network environment supporting the Treasury auction process. For
example,

o one IT group responsible for database operations made information
security decisions regarding the distributed-based auction applications on
the concept that they were operating in a "trusted network," which
resulted in the omission of controls that should have been in place;

o one IT group made decisions about the operations and maintenance of the
distributed-based auction applications without full or accurate knowledge
of the relevant computing environment;

o no IT group had responsibility for making a decision to upgrade the
distributed-based auction database product, although all concerned agreed
that an upgrade was needed; and

o servers that support the distributed-based auction applications were
supposed to be identical to ensure real-time continuity of operations, but
our testing showed that, as implemented, they were not identical.

The Federal Reserve recognizes that a need exists for comprehensive
approaches to managing information security, and that the management
structure and processes that served its mainframe-centric environment in
the past are not adequate for the distributed, interconnected environment
supporting its various lines of business today. The Federal Reserve has an
initiative under way to establish an information security architecture
framework that is intended to integrate enterprise security activities,
including enterprise access management, domain boundary, data security,
configuration management, and information assurance. If effectively
implemented, this initiative could provide the FRBs with an enterprisewide
operational and technological view of its computing environment, including
the interdependencies and interrelationships across the entity's business
operations and underlying IT infrastructure and applications that support
these operations.

However, until a more comprehensive and enterprisewide approach to
security management is adopted, the FRB organizations that support
Treasury auction systems will be limited in their ability to ensure the
confidentiality, integrity, and availability of certain sensitive auction
information and other resources for systems that they maintain and
operate.

Test Environment for Auction Systems Lacking

The FRBs did not have a test environment to evaluate system changes and
enhancements to the distributed-based auction applications, which limited
the rigor of the testing that could be performed. A separate test
environment that models the production environment is critical to ensuring
that systems and system enhancements are adequately tested and do not

adversely affect production.13 However, the FRBs did not have an isolated
testing area that was functionally separate from the production network
infrastructure and other FRB business applications. As a result, some
application security testing was performed during very limited scheduled
outages of the production systems involved, and some test procedures were
never performed because the risk to production systems could not be
effectively mitigated.

Conclusions

Although the FRBs have implemented many controls to protect the mainframe
information systems that they maintain on behalf of BPD relevant to the
Schedule of Federal Debt, information security control weaknesses related
to the distributed-based auction systems and supporting network
environment exist at the Federal Reserve that place certain sensitive
auction information at risk. The weaknesses in identification and
authentication; authorization; boundary protection; cryptography; logging,
auditing, and monitoring; and configuration management and assurance
affect not only the distributed-based auction systems but also could
affect other FRB systems residing in the shared network environment. With
control over and responsibility for Treasury's auction information systems
spread across the FRBs, an effective management structure for
coordinating, communicating, and overseeing information security
activities across bank organizational boundaries becomes even more
important. In addition, more robust testing of security controls over the
auction applications is imperative to help provide more timely detection
of vulnerabilities. Until the Federal Reserve takes steps to mitigate
these weaknesses, it has increased risk that sensitive auction data would
not be adequately protected against unauthorized disclosure, modification,
or destruction.

Recommendations for Executive Action

To help strengthen the FRBs' information security over key
distributed-based auction systems, we recommend that you take the
following two steps:

o establish a management structure that ensures decentralized information
security activities are effective and

o implement an application test environment for the auction systems.

We are also making additional recommendations in a separate report with
limited distribution. These recommendations consist of actions to be taken
to correct the specific information security weaknesses we identified that
are related to identification and authentication; authorization; boundary
protection; cryptography; logging, auditing, and monitoring; and
configuration management and assurance.

Agency Comments

In providing written comments on a draft of this report (reprinted in app.
I), the Director, Division of Reserve Bank Operations and Payment Systems
of the Federal Reserve System, generally agreed with the contents of the
draft report and stated that the Federal Reserve has already taken
corrective actions to remedy many of the reported findings and will
continue to apply its risk-based assessment framework to determine
appropriate information security controls or compensating measures to
address the remaining findings. The director also described completed,
ongoing, and planned actions to address systemic and organizational issues
that contributed to the report's findings, including actions to improve
the Federal Reserve's ability to coordinate and oversee its operational
and technical environments and to replace its existing auction
applications and operational infrastructure. In addition, the director
commented that the Federal Reserve and Treasury plan to validate the
integrity of the new application and infrastructure at several points
during the development of the application; a key aspect of this validation
is to ensure that the findings in this report are addressed.

This report contains recommendations to you. As you know, 31 U.S.C. 720
requires that the head of a federal agency submit a written statement of
the actions taken on our recommendations to the Senate Committee on
Homeland Security and Governmental Affairs and to the House Committee on
Government Reform not later than 60 days from the date of the report and
to the House and Senate Committees on Appropriations with the agency's
first request for appropriations made more than 60 days after the date of
this report. Because agency personnel serve as the primary source of
information on the status of recommendations, GAO requests that the agency
also provide us with a copy of your agency's statement of action to serve
as preliminary information on the status of open recommendations.

We are sending copies of this report to the Chairmen and Ranking Minority
Members of the Senate Committee on Homeland Security and Governmental
Affairs; the Subcommittee on Federal Financial Management, Government
Information, and International Security, Senate Committee on Homeland
Security and Governmental Affairs; and the Chairmen and Ranking Minority
Members of the House Committee on Government Reform and the Subcommittee
on Government Management, Finance, and Accountability, House Committee on
Government Reform. In addition, we are sending copies to the Fiscal
Assistant Secretary of the Treasury and the Deputy Director for Management
of OMB. We will also make copies available to others upon request. In
addition, this report will be available at no charge on the GAO Web site
at http://www.gao.gov.

If you or your staff have any questions about this report, please contact
Gregory C. Wilshusen at (202) 512-6244 or w  [email protected], Keith A.
Rhodes at (202) 512-6412 or r  [email protected], or Gary T. Engel at (202)
512-8815 or [email protected] . Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last page
of this report. GAO staff who made major contributions to this report are
listed in appendix II.

Sincerely yours,

Gregory C. Wilshusen Director, Information Security Issues

Keith A. Rhodes Chief Technologist

Gary T. Engel Director, Financial Management and Assurance

Appendix I

Comments from the Federal Reserve

Appendix II

GAO Contacts and Staff Acknowledgments

GAO Contacts

Gregory C. Wilshusen, Director, Information Security Issues, (202)
512-6244

Keith A. Rhodes, Chief Technologist, (202) 512-6412

Gary T. Engel, Director, Financial Management and Assurance, (202)
512-8815

Staff Acknowledgments

In addition to the individuals named above, Ed Alexander, Lon Chin, Edward
Glagola, David Hayes, Hal Lewis, Duc Ngo, Dawn Simpson, and Jenniffer
Wilson, Assistant Directors, and Mark Canter, Dean Carpenter, Jason
Carroll, West Coile, Debra Conner, Neil Doherty, Nancy Glover, Sharon
Kittrell, Eugene Stevens, Henry Sutanto, Amos Tevelow, and Chris Warweg
made key contributions to this report.

(310575)

www.gao.gov/cgi-bin/getrpt? GAO-06-659 .

To view the full product, including the scope

and methodology, click on the link above.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or
[email protected].

Highlights of GAO-06-659 , a report to the Chairman, Board of Governors of
the Federal Reserve System

August 2006

INFORMATION SECURITY

Federal Reserve Needs to Address Treasury Auction Systems

The Federal Reserve System's Federal Reserve Banks (FRB) serve as fiscal
agents of the U.S. government when they are directed to do so by the
Secretary of the Treasury. In this capacity, the FRBs operate and maintain
several mainframe and distributed-based systems-including the systems that
support the Department of the Treasury's auctions of marketable
securities-on behalf of the department's Bureau of the Public Debt (BPD).
Effective security controls over these systems are essential to ensure
that sensitive and financial information is adequately protected from
inadvertent or deliberate misuse, disclosure, or destruction.

In support of its audit of BPD's fiscal year 2005 Schedule of Federal
Debt, GAO assessed the effectiveness of information system controls in
protecting financial and sensitive auction information on key mainframe
and distributed-based systems that the FRBs maintain and operate for BPD.
To do this, GAO observed and tested FRBs' security controls.

What GAO Recommends

GAO is recommending that the Chairman, Board of Governors, establish an
effective management structure for information security activities and a
test environment for auction systems. In written comments on a draft of
this report, the Federal Reserve generally agreed with the report and
described actions to correct the identified weaknesses.

In general, the FRBs had implemented effective information system controls
over the mainframe applications they maintain and operate for BPD in
support of Treasury's auctions and financial reporting. On the
distributed-based systems and supporting network environment used for
Treasury auctions, however, they had not fully implemented information
system controls to protect the confidentiality, integrity, and
availability of sensitive and financial information. The FRBs did not
consistently (1) identify and authenticate users to prevent unauthorized
access; (2) enforce the principle of least privilege to ensure that access
was authorized only when necessary and appropriate; (3) implement adequate
boundary protections to limit connectivity to systems that process BPD
business; (4) apply strong encryption technologies to protect sensitive
data both in storage and on its networks; (5) log, audit, or monitor
security-related events; and (6) maintain secure configurations on servers
and workstations.

Without consistent application of these controls, the auction information
and computing resources for key distributed-based auction systems remain
at increased risk of unauthorized and possibly undetected use,
modification, destruction, and disclosure. Other FRB applications that
share common network resources may also be at increased risk.

Contributing to these weaknesses in information system controls were the
Federal Reserve's lack of (1) an effective management structure for
coordinating, communicating, and overseeing information security
activities across bank organizational boundaries and (2) an adequate
environment in which to sufficiently test the security of its auction
applications.
*** End of document. ***