Board Report:  September 1, 2008

Security Control Reviews of Two Federal Reserve Bank of Boston Applications


Report Summary


To evaluate security controls and techniques of the Board's information systems, the Office of Inspector General (OIG) reviews controls over Board applications on an ongoing basis. Consistent with the Federal Information Security Management Act's (FISMA) requirements, we evaluate the adequacy of control techniques for protecting the data in the Board's systems from unauthorized access, modification, destruction, or disclosure. To accomplish this objective, we have developed a control assessment tool based on the security controls defined in the National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems. The controls are divided into "families" (such as access control, risk assessment, and personnel security) and include controls that can be categorized as system-specific or common (that is, applicable across agency systems).  

The Federal Reserve Bank of Boston (FRB Boston) maintains two systems that have been classified as a General Support System and a major third-party application, respectively, on the Board's FISMA application inventory for the Division of Banking Supervision and Regulation (BS&R): the Supervision and Regulation (S&R) Infrastructure, and Notes Applications. The S&R Infrastructure consists of various hardware and software components configured to provide information technology tools and support for FRB Boston's Supervision, Regulation, and Credit Group operations. Notes Applications is a bundle of two database applications used to support bank examinations.

Overall, the S&R Infrastructure and Notes Applications generally met control objectives for nine of the seventeen families we reviewed, and nothing came to our attention regarding deficiencies in the design or implementation of the controls for these families. However, our testing did not include all controls within every family, and our fieldwork was based on information available at the time of our review. For those control families where control objectives were not met, we identified the aspect of the control that needs improvement and highlighted the recommended action. The Directors of BS&R and the Division of Information Technology generally agreed with our recommendations and indicated that corrective action has either been taken or is under way to enhance the specific controls highlighted in the report. Given the sensitivity of information security review work, our reports in this area are generally restricted.