Board Report: August 8, 2012
The Federal Reserve Bank of Richmond's (FRB Richmond's) Lotus Notes systems support the Board's Banking Supervision and Regulation Division (BS&R). FRB Richmond's Lotus Notes systems are classified as third-party applications, and they are components of a general support system that is listed on the Board's Federal Information Security Management Act (FISMA) application inventory under BS&R. The Lotus Notes systems are used by FRB Richmond to support supervision and examination activities. Our objective was to evaluate the adequacy of selected security controls for protecting data in the Lotus Notes systems from unauthorized access, modification, destruction, or disclosure.
Overall, our review found that a number of actions have been taken to secure the Lotus Notes systems and that associated controls are adequately designed and implemented. We identified opportunities, however, to strengthen information security controls to help ensure that sensitive bank supervision and examination information is protected and that the Lotus Notes systems meet FISMA requirements. In comments on a draft of our report, the Directors of BS&R and the Division of Information Technology generally agreed with our recommendations and outlined corrective actions already taken or underway. We will follow up on the implementation of these recommendations as part of our future FISMA-related audit activities. Given the sensitivity of information security review work, our reports in this area are generally restricted.
