Board Report: October 1, 2009
The Board manages a large amount of sensitive data, most of which is created electronically and stored on increasingly smaller devices, such as laptops, BlackBerrys, and Universal Serial Bus (USB) flash drives. The portability of these devices increases their risk of loss or theft and the potential for a compromise of sensitive information. We began this audit as a follow-on to previous audit work related to the Board's management of fixed assets, as well as in response to interest by the Board and across the government in reducing the risk of loss or theft of mobile devices and the potential for a compromise of sensitive information stored on the devices. Our objective was to evaluate controls over the processes for securing, receiving, tracking, and disposing of selected mobile computing devices. Specifically, we selected laptops, BlackBerrys, and USB flash drives for review.
To accomplish our objective, we identified and examined policies, procedures, and guidance governing the management and accountability of the Board's mobile computing devices. We performed tests to determine whether laptops and USB flash drives were encrypted and to ensure that devices were properly sanitized and disposed of. We interviewed representatives from selected Board divisions to discuss their internal property management and inventory tracking processes for mobile devices. In addition, we benchmarked the Board's mobile devices policies and practices against three Reserve Banks and one other financial regulatory agency.
Overall, we found that the Board's controls for securing, receiving, tracking, and disposing of laptops, BlackBerrys, and USB flash drives were generally adequate. During our audit, the information technology (IT) division implemented a number of improvements, which included updating the Information Classification and Handling Guide and the Hard Disk Encryption policy. Furthermore, the IT division issued the Media Sanitization and Disposal policy. Because of the proactive changes made by the IT division, we did not issue any formal recommendations. However, we identified process and control enhancements for laptops and USB flash drives that could provide additional safeguards. We issued a management letter that included three suggestions for enhancing (1) policies and procedures for encrypting laptops and USB flash drives, (2) segregation of duties for the custody and record-keeping of mobile devices, and (3) confirmation of sanitization and disposal of laptop hard drives.