Certain Public Affairs and CLO staff did not handle the FOMC minutes in accordance with the Program for Security of FOMC Information. Before being given access to confidential FOMC information, including the FOMC minutes, Board staff members agree to abide by the Program for Security of FOMC Information, which incorporates the Board's Information Classification and Handling Standard. While the Board provides and requires annual training that covers the Board's Information Classification and Handling Standard, it does not provide or require training on FOMC-specific handling requirements. Ensuring that Board employees with access to confidential FOMC information receive comprehensive training on the FOMC-specific requirements of the Program for Security of FOMC Information may reduce the risk of noncompliance.
Neither the Public Affairs assistant nor the Special Assistant to the Board in the CLO handled the FOMC minutes in accordance with the Program for Security of FOMC Information. On April 9, 2013, the FOMC Secretariat notified via e-mail certain Office of Board Members staff, including the Public Affairs assistant but not the Special Assistant to the Board in the CLO, that the FOMC minutes were ready to be downloaded from the publication system. This e-mail notification included the required indicator that the FOMC minutes were Class I FOMC - Restricted Controlled (FR) information until their scheduled public release.
After receiving the e-mail from the FOMC Secretariat, the Public Affairs assistant sent an e-mail containing the March 19-20, 2013, FOMC minutes to the Special Assistant to the Board in the CLO. We noted that the e-mail sent by the Public Affairs assistant did not include the proper indicators in the body of the message that the attached FOMC minutes were Class I FOMC -Restricted Controlled (FR). Board officials stated that they were aware that the Special Assistant to the Board in the CLO was providing the published FOMC minutes to individuals outside the Board. However, the Acting Section Chief of the FOMC Secretariat stated that the Special Assistant to the Board in the CLO did not have "explicit permission" to receive the FOMC minutes prior to public release and had not been given access to the publication system. After receiving the FOMC minutes from the Public Affairs assistant, the Special Assistant to the Board in the CLO sent the minutes to the CLO contact list prior to their public release.
As stated in the Program for Security of FOMC Information, the FOMC minutes are to be handled at least as securely as Restricted-Controlled FR information at the Board. The Board's Information Classification and Handling Standard requires that (1) any e-mail transmissions that contain the information include indicators in the message body noting that either the message or the message and any attachments contain Restricted-Controlled FR information and (2) the information be shared only with authorized users. Therefore, the Public Affairs assistant and the Special Assistant to the Board in the CLO did not handle the FOMC minutes in accordance with the Program for Security of FOMC Information and may have benefitted from a comprehensive training program.
We recommend that the Director of the Division of Monetary Affairs
The Director of the Division of Monetary Affairs agreed with our recommendation. In his response, the Director acknowledged the benefits of developing and implementing a training program on the Program for Security of FOMC Information in addition to the current integrated training program that covers all Board information security policies. The Director noted that, prior to this audit, the Board engaged an outside firm to perform a review of FOMC information security practices at the Board and, at the conclusion of the review, began developing an online training program that would specifically focus on the Program for Security of FOMC Information, including proper handling of FOMC minutes. The Director stated that the training program is expected to be completed and ready for use before the end of 2013.
In our opinion, the response of the Director of the Division of Monetary Affairs addresses our recommendation. We plan to follow up on the division's actions to ensure that the recommendation is fully addressed.