OIG: Audit of Management and Accountability of Mobile Computing Devices

If you are seeing this message, Javascript is disabled. Disclaimer for all external links found on this page: The Office of Inspector General (OIG) for the Board of Governors of the Federal Reserve System and the Consumer Financial Protection Bureau does not necessarily endorse the views expressed or the facts presented on the external sites. The OIG does not endorse any commercial products that may be advertised or on the external sites. The OIG's privacy policy does not apply on the external sites. Please check the site for its privacy notice.

Skip to Navigation

IN THIS SECTION

Skip SHARE THIS PAGE section Skip STAY CONNECTED section

Board Report: October 1, 2009

The Board manages a large amount of sensitive data, most of which is created electronically and stored on increasingly smaller devices, such as laptops, Blackberrys, and Universal Serial Bus (USB) flash drives. The portability of these devices increases their risk of loss or theft and the potential for a compromise of sensitive information. We began this audit as a follow-on to previous audit work related to the Board's management of fixed assets, as well as in response to interest by the Board and across the government in reducing the risk, loss, or theft of mobile devices and the potential for a compromise of sensitive information stored on the devices. Our objective was to evaluate controls over the processes for securing, receiving, tracking, and disposing of selected mobile computing devices. Specifically, we selected laptops, BlackBerrys, and USB flash drives for review.

To accomplish our objective, we identified and examined policies, procedures, and guidance governing the management and accountability of the Board's mobile computing devices. We performed tests to determine whether laptops and USB flash drives were encrypted and to ensure that devices were properly sanitized and disposed of. We interviewed representatives from selected Board divisions to discuss their internal property management and inventory tracking processes for mobile devices. In addition, we benchmarked the Board's mobile devices policies and practices against three Reserve Banks and one other financial regulatory agency.

Overall, we found that the Board's controls for securing, receiving, tracking, and disposing of laptops, BlackBerrys, and USB flash drives were generally adequate. During our audit, the information technology (IT) division implemented a number of improvements, which included updating the Information Classification and Handling Guide and the Hard Disk Encryption policy. Furthermore, the IT division issued the Media Sanitization and Disposal policy. Because of the proactive changes made by the IT division, we did not issue any formal recommendations. However, we identified process and control enhancements for laptops and USB flash drives that could provide additional safeguards. We issued a management letter that included three suggestions for enhancing (1) policies and procedures for encrypting laptops and USB flash drives, (2) segregation of duties for the custody and record-keeping of mobile devices, and (3) confirmation of sanitization and disposal of laptop hard drives.

HOTLINE

IN THIS SECTION

Audit of Management and Accountability of Mobile Computing Devices

available formats

Report Summary

LINKS TO THE BOARD AND THE CFPB

HOTLINE

IN THIS SECTION

SHARE THIS PAGE

STAY CONNECTED

Audit of Management and Accountability of Mobile Computing Devices

available formats

Report Summary

LINKS TO THE BOARD AND THE CFPB

RELATED SITES AND RESOURCES