
Board Report: December 17, 2010

Security Control Review of the Internet Electronic Submission System

The Internet Electronic Submission system (IESub) was developed and is managed by the Federal Reserve Bank of New York (FRBNY) Statistics Function. IESub is a major third-party application on the Board's Federal Information Security Management Act (FISMA) application inventory under the Division of Monetary Affairs. It provides an interface through which respondents for regulatory and statistical reports submit their data via the internet. Our objective was to evaluate the adequacy of selected infrastructure controls for IESub that were provided by the FRBNY Technical Services Group. To accomplish this objective, we used a control assessment review program based on the security controls defined in SP 800-53. The security controls are divided into "families" (such as access controls, risk assessment, and personnel security) and are categorized as system-specific or common (that is, applicable across all systems within a given infrastructure). The scope of our audit included 4 of the 17 control families.

Our audit identified opportunities to strengthen information security controls in the control families that we evaluated. For those control families that were deficient or where improvements could be made, we highlighted recommended actions. The Directors of the Divisions of Monetary Affairs and IT stated that the divisions would work together, along with the FRBNY Technical Services Group when necessary, to address the recommendations in our report, and noted that corrective actions have either been implemented or are planned. We will follow up on the implementation of these recommendations as part of our future FISMA-related audit activities. Given the sensitivity of information security review work, our reports in this area are generally restricted.