August 16, 2013

To: Steve A. Linick, Inspector General
From: Richard Parker, Director, Office of Policy, Oversight, and Review (OPOR)
Subject: Fannie Mae’s Compliance with FHFA Email Retention Requirements (Evaluation Report No. EVL-2013-011)

Summary

In November 2011, while conducting an investigation, OIG special agents learned that although Fannie Mae permanently retained the email of most employees in sensitive positions, it automatically deleted the unsaved email of other employees after 60 days.[a] As a result, email records that the special agents expected to find had already been destroyed and were unavailable. An OIG representative advised Fannie Mae’s counsel and senior managers that the Enterprise’s email deletion practices could impair OIG’s ability to perform its mission, especially its ability to conduct thorough investigations. Fannie Mae, however, did not alter its automatic deletion practices.

In August 2012, the Principal Deputy Inspector General brought OIG’s concerns to the attention of FHFA’s Acting Director. Thereafter, on October 22, 2012, the Deputy Director for Enterprise Regulation directed Fannie Mae to:

- Immediately begin saving all employee email records;
- Establish a corporate 5-year email retention policy;
- Develop a project plan to ensure that Fannie Mae’s systems and technology support the revised email retention policy; and
- Develop an internal audit plan under which to review this area during the 2013 audit cycle.

[a] Fannie Mae IT staff estimated that the “other employees” portion of Fannie Mae’s staff consists of 13,000 users who have mailboxes on the Enterprise’s email system. Approximately 6,000 of the users are Fannie Mae employees. The rest of the mailboxes are assigned to contractors or specific business areas.
In response to FHFA’s directive, Fannie Mae began retaining all of its employee and contractor email, including deleted messages, for a period of five years.[b] Further, it took steps to ensure that its information technology systems could support the new email retention requirement. Fannie Mae Internal Audit staff performed compliance testing of Fannie Mae’s implementation of the FHFA directive during a scheduled information technology audit.[c] The internal auditors concluded that Fannie Mae was in full compliance with FHFA’s directive.

In order to independently verify Fannie Mae’s compliance with the directive, members of the OPOR staff reviewed the internal auditors’ work papers and the records of the compliance testing they performed. OPOR staff members also interviewed Fannie Mae IT personnel and obtained additional evidence regarding back-up tape retention. At the close of its review, the OPOR team concurred with the Fannie Mae internal auditors’ conclusion that the Enterprise now captures and stores all email activity, including deleted emails, as required by FHFA’s directive.[d]

Conclusion

OIG’s involvement in this situation, coupled with FHFA’s directive, has caused Fannie Mae to put into place a basic email retention system, thereby enabling OIG and others to conduct more comprehensive investigations into matters that involve email sent and received by Fannie Mae employees. This development represents a marked improvement over the situation that existed during the time that Fannie Mae destroyed most employee emails after 60 days. OIG will continue to monitor FHFA’s oversight of Fannie Mae’s and Freddie Mac’s email retention practices and records management policies to ensure that they fulfill their intended purposes.

[b] Fannie Mae has retained back-up tapes of employee email from August 6, 2012, forward; however, the tapes do not capture deleted messages (a backup preserves a mailbox’s contents at the point in time it is taken, not messages a user removed before that point). The expanded technology solution implemented in January 2013, as a result of FHFA’s directive, captures all email, including deleted messages.

[c] Fannie Mae’s internal auditors reviewed and tested the technical capabilities of the Microsoft Exchange servers that support the five-year email retention requirement. They also recommended that Fannie Mae management enhance the Backup and Recovery Service Level Requirements and Procedures. Finally, the auditors said that during the 2013 Data Center Operations Audit they would continue to review back-up and recovery procedures for the overall technology infrastructure, including retention of email.

[d] OIG determined that Fannie Mae has expanded its existing retention processes to include all user accounts and set the retention period to five years.
Fannie Mae's Compliance with FHFA Email Retention Requirements
Published by the Federal Housing Finance Agency, Office of Inspector General on 2013-08-16.