Board Report: 2013-IT-B-009, July 19, 2013
The Federal Information Security Management Act of 2002 (FISMA) requires the Office of Inspector General to evaluate the effectiveness of the information security controls and techniques for a subset of the Board of Governors of the Federal Reserve System's (Board's) information systems, including those provided or managed by another agency, a contractor, or another organization. To meet FISMA requirements, we reviewed the information system security controls for the National Examination Database (NED) system.
Our audit objective was to evaluate the adequacy of certain control techniques designed to protect data in the system from unauthorized access, modification, destruction, or disclosure, as well as the system's compliance with FISMA and the information security policies, procedures, standards, and guidelines of the Board.
NED is the database within the National Information Center that is specifically designed to support bank supervision. NED is listed as a major application on the Board's FISMA inventory for the Division of Banking Supervision and Regulation.
Our review found that, in general, controls for NED are adequately designed and implemented. However, we found that improvements are needed to ensure that the requirements of FISMA and the Board Information Security Program are met. Our report includes four recommendations for NED management to strengthen security controls for the system. Our report also includes a matter for management's consideration.
In comments to our draft report, the Director of the Division of Banking Supervision and Regulation concurred with our recommendations and outlined actions that have been taken, are underway, and are planned to address our recommendations. We believe that the actions outlined by the Director are responsive to our recommendations. We will follow up on the implementation of each recommendation in this report as part of our future audit activities related to the Board's continuing implementation of FISMA.
Given the sensitivity of information security review work, our reports in this area are generally restricted. Such is the case for this audit report.