Board Report: June 2, 2008
To evaluate security controls and techniques of the Board's information systems, the Office of Inspector General (OIG) reviews controls over Board applications on an ongoing basis. Consistent with the Federal Information Security Management Act's (FISMA) requirements, we evaluate the adequacy of control techniques for protecting the data in the Board's systems from unauthorized access, modification, destruction, or disclosure. To accomplish this objective, we have developed a control assessment tool based on the security controls defined in the National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems. The controls are divided into "families" (such as access control, risk assessment, and personnel security) and include controls that can be categorized as system-specific or common (that is, applicable across agency systems).
COS is listed as a major application on the Board's FISMA application inventory for the Division of Reserve Bank Operations and Payment Systems (RBOPS), and it includes two subsystems: Carrier Billing Online (CBO) and Special Shipments. These subsystems share a common operating environment but perform different functions. Specifically, COS enables users from the Board, the Bureau of Engraving and Printing (BEP) of the U.S. Department of the Treasury, and the Federal Reserve Banks to monitor and control the production, inventory, and distribution of new currency throughout the United States. CBO is designed to streamline and automate the billing process between the Board and the armored carrier companies that ship currency from BEP to the Federal Reserve Banks and branches. Special Shipments is designed to maintain and track shipments that are transported from one Federal Reserve Bank to another.
Overall, COS and its subsystems generally met control objectives for four of the ten families we reviewed, and nothing came to our attention regarding deficiencies in the design or implementation of the controls for these families. However, our testing did not include all controls within every family, and our fieldwork was based on information available at the time of our review. For those control families where control objectives were not met, we identified the aspect of the control that needs improvement, is missing, or is deficient, and highlighted the recommended action. The Director of RBOPS generally agreed with our recommendations and indicated that corrective action has either been taken or is under way to enhance the specific controls highlighted in the report. Given the sensitivity of information security review work, our reports in this area are generally restricted.