OIG: Security Control Review of the Electronic Security System

If you are seeing this message, Javascript is disabled. Disclaimer for all external links found on this page: The Office of Inspector General (OIG) for the Board of Governors of the Federal Reserve System and the Consumer Financial Protection Bureau does not necessarily endorse the views expressed or the facts presented on the external sites. The OIG does not endorse any commercial products that may be advertised or on the external sites. The OIG's privacy policy does not apply on the external sites. Please check the site for its privacy notice.

Skip to Navigation

IN THIS SECTION

Skip SHARE THIS PAGE section Skip STAY CONNECTED section

Board Report: June 1, 2009

To evaluate security controls and techniques of the Board's information systems, the Office of Inspector General (OIG) reviews controls over Board applications on an ongoing basis. Consistent with Federal Information Security Management Act (FISMA) requirements, we evaluated the adequacy of controls in a bundle of subsystems referred to as the Electronic Security System (ESS). Our objective was to evaluate the adequacy of selected security controls for protecting ESS from unauthorized access, modification, destruction, or disclosure. To accomplish this objective, we developed a control assessment methodology based on the security controls defined in the National Institute of Standards and Technology (NIST) Special Publication 800-53, Recommended Security Controls for Federal Information Systems (SP 800-53). SP 800-53 provides a baseline of management, operational, and technical security controls for use by organizations in protecting their information systems. We tested selected SP 800-53 controls through observation and analysis of policies, procedures, and other control-related documentation.

Overall, for ten of the seventeen control families we evaluated, ESS generally met control objectives, based on information available at the time of our review. However, our testing was based on a judgmental sample of controls within each family. For those control families where control objectives were not met, we identified the deficient aspect of the control, suggested where improvements can be made, and highlighted the recommended action. The Director of the Management Division generally agreed with our recommendations and indicated that corrective action has either been taken or is under way to enhance the specific controls highlighted in the report. We will follow-up on the implementation of the recommendations as part of our future audit activities related to the Board's continuing implementation of FISMA. Given the sensitivity of information security review work, our reports in this area are generally restricted.

HOTLINE

IN THIS SECTION

Security Control Review of the Electronic Security System

available formats

Report Summary

LINKS TO THE BOARD AND THE CFPB

HOTLINE

IN THIS SECTION

SHARE THIS PAGE

STAY CONNECTED

Security Control Review of the Electronic Security System

available formats

Report Summary

LINKS TO THE BOARD AND THE CFPB

RELATED SITES AND RESOURCES