J;trrllilry I!)!)0 ELECTRONIC FUNDS TRANSFER Oversight of Critical Banking Systems Should Be Strengthened (;A(),, IM’l’lS( :-W-I 4 United States General Accounting Offke Washington, D.C. 20648 Information Management and Technology Division B-233685 January 4,1QQ0 The Honorable Edward J. Markey Chairman, Subcommittee on Telecommunications and Finance Committee on Energy and Commerce House of Representatives / Dear Mr. Chairman: This report is in further response to your December 14, 1988, request for information concerning the adequacy of our nation’s regulatory structure to oversee the security afforded to the FEDWIRE system, oper- ated by the Federal Reserve System, the Clearing House Interbank Pay- ments System (CHIPS), operated by the New York Clearing House Association, and the S.W.I.F.T. telecommunications system, operated by the Society for Worldwide Interbank Financial Telecommunication S.C. On February 1,1989, we provided you with (1) descriptions of each banking system, (2) information on the federal regulatory agencies pro- viding oversight over these systems, and (3) documentation on generic risks in using electronic funds transfer systems.’ This report includes our assessment of the security measures in place to protect these sys- tems from misuse and provides updated information from the regula- tory agencies on their authority to oversee each system. National and international wholesale electronic funds transfers” are car- Regults in Brief ried out by two SySbXtU-FEDWIRE and CHIPS, which transfer over 1 tril- lion dollars daily. A third system, s.w.I.F.T., is a major international message processing system that is used by banking institutions to initi- ate electronic funds transfers. These systems connect thousands of financial institutions located worldwide and support a number of finan- cial activities including cash management, securities trading, corporate funds transfers, foreign exchange, U.S. dollar clearing, and international banking transactions. There have not been any reported incidents of fraudulent electronic funds transfers over these systems by the employees who operate or ’ Electronic Funds Transfer: Information on Three Critical Banking Systems (GAO/IMTEC-89-2,5BR Feb. 1, 1989). ‘Wholesale electronic funds transfer generally refers to a funds transfer used to satisfy an immedi- ate, high-dollar obligation, or to enable the recipient to make immediate use of the funds. Page 1 GAO/EWEC-90-14 Strengthen Oversight of Critical Banking Systems E&233686 oversee them. However, the results of our review of the security meas- ures in place to protect these systems from misuse have not been satis- fying. Given that these systems have become the foundation for international and domestic funds movements, they should have strin- gent security provisions and effective regulatory oversight. We did not, however, always find these levels of security and oversight. Although these systems, to varying degrees, have safeguards in place to facilitate the timely and secure processing of financial transactions, we found instances of computer control weaknesses and other management weak- nesses that, if exploited, increase the risks to these systems of a disrup- tion or degradation of services or the unauthorized use, modification, destruction, or disclosure of data. With FEDWIRE, for example, we found weaknesses in the management of software that controls access to the system, and additional weaknesses involving physical security, computer operations, and other areas. With CHIPS, the weaknesses included inadequacies within security administra- tion and quality assurance that increased the risk of unauthorized use, modification, or destruction of data. With s.w.I.F.T., we found a potential computer capacity problem with the existing system, and system devel- opment problems with a planned replacement system. With both CHIPS and s.w.I.F.T., we found weaknesses that adversely impact on the inde- pendence of the internal audit functions. Officials who manage these systems have generally agreed that the weaknesses we identified pose increased risks to their operations and have taken or plan to take steps to improve controls over these systems. In particular, officials managing FEDWIRE and CHIPS have moved quickly to correct identified weaknesses, which demonstrates a strong commit- ment to providing for secure and reliable operations. We believe the S.W.I.F.T. organization is equally committed to providing secure and reli- able services, but their weaknesses are generally more complicated and require continued management attention to satisfactorily resolve. We also found that the oversight over these systems was uneven. For example, the Federal Reserve Board does not require periodic external security reviews of FEDWIRE even though the last such review conducted in 1983 disclosed a number of security weaknesses. The regulatory agencies believe, and we concur, that they have the authority to oversee CHIPS, and these agencies regularly review CHIPS operations on a joint basis. CHIPS, however, does not recognize this authority. Its position is that these reviews are done on an invitational basis. No examinations Page 2 GAO/IMTEC-SO-14 Strengthen Oversight of Critical Banking Systems have been carried out on the S.W.I.F.T. system, and the regulatory agen- ties are uncertain as to whether they have this authority. This report includes recommendations to federal regulators to strengthen the oversight of FEDWIRE and CHIPS and to work with the international banking community to assign responsibility for ensuring effective oversight and regulation of the S.W.I.F.T. system. We conducted a risk assessment of the security of the FEDWIRE and CHIPS Scopeand systems that included 16 critical organizational functions considered to Methodology be essential to the secure processing of electronic funds transfers. Our assessment was based on provisions within federal standards and guide- lines and audit guidelines of the Federal Reserve Board and related banking groups. We were unable to conduct a complete assessment of the S.W.I.F.T. system because the organization that operates it, a Belgian cooperative society, limited our access to information and supporting system documentation. As agreed with your office, we did not review the level of security provided by depository institutions-such as com- mercial banks-over the operation of their terminals connected to these systems. We also obtained written opinions from and interviewed offi- cials of the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Federal Reserve Board on their authority to examine the CHIPS and S.W.I.F.T. systems. Details of our scope limitation on the S.W.I.F.T. system and our objectives, scope, and method- ology are included in appendix I. FEDWIRE has been in existence in some form since 1918, and is the Background nation’s primary wholesale electronic funds transfer system used by the banking community to handle the payments banks make to each other on behalf of themselves and their customers within the United States. It is also used to transfer US. government and federal agency securities in book-entry form.:$ In 1988, FEDWIRE served over 11,000 depository insti- tutions and government agencies and processed 66 million transfers val- ued at $253 trillion. CHIPS has been in existence since 1970 and is the primary wholesale elec- tronic funds transfer system that supports the international transfer of “A book-entry security generally is not available in physical form. Rather, it exists as an entry on the books of the obligor or its agency. FEDWIRE is used to transfer these securities between depository institutions. Page 3 GAO/IMTEC-SO-14 Strengthen Oversight of Critical Banking Systems B-233686 funds between United States and international banks. This private sec- tor system electronically links depository institutions and branch offices of foreign banks, all of which are located in New York City, and serves as a conduit for moving dollar transactions including letters of credit, collections, reimbursements, foreign exchange transactions, and the sale of short-term Eurodollar funds. In 1988, CHIPS served 139 national and international depository institutions and processed about 34 million transfers valued at $165 trillion. The S.W.I.F.T. telecommunications system, operational since 1977, is owned and operated by a Belgian cooperative society. It is a major inter- national message processing system used by banking institutions world- wide to transmit information that is critical to initiating international electronic funds transfers through CHIPS and FEDWIRE.~ As of December 1988, the system provided more than 70 types of messages including international payments, statements, and other transactions associated with international finance. Also, the S.W.I.F.T. organization has recently developed new message types to allow for the international trading of securities. During 1988, 24 brokers, exchanges, and settlement institu- tions from the securities markets in New York, Tokyo, and London were approved as S.W.I.F.T. participants. In 1988, S.W.I.F.T. served 2,537 finan- cial participants and processed 255 million messages. Statistics on the messages’ value are not maintained. There have not been any reported incidents of fraudulent electronic Computer Control and funds transfers over the FEDWIRE, CHIPS, and S.W.I.F.T. systems by the Other Management employees who operate or oversee them. However, during our review WeaknessesIdentified we have identified a number of weaknesses that could adversely affect their operations. Officials who manage these systems have generally at: FEDWIRE, CHIPS, agreed that identified weaknesses pose increased risks and have taken atid S.W.I.F.T. or plan to take steps to improve the controls over these systems. FEDWIRE Control Our risk assessments of FEDWIRE identified a total of 17 control weak- Weaknesses nesses at the four Federal Reserve banks we visited, and two sys- temwide weaknesses that, if exploited, could adversely affect the smooth functioning of portions of the FEDWIRE system. Table 1 shows the 10 functional areas where certain specific weaknesses were identified. Y ‘The S.W.I.F.T. system is one of a limited number of systems that is growing in importance within the international banking community and the global securities marketplace for providing critical elec- tronic message processing services. Page 4 GAO/IMTEGSO-14 Strengthen Oversight of Critical Banking Systems I B-233685 Table at Fe deral Reserve Banks Federal Reserve Banks San Functional--..---- Area New York Francisco Chicago Dallas Security Software Management X X X X Physical Security X X X Computer Operations X --___ ~~ --~~ . . X System Software Manaaement X X Capacity Planning X Contingency Planning X Quality Assurance X Communications Management X Network Management X Wire Room Operations X Specific weaknesses we identified at two or more reserve banks are briefly discussed below: l At all four banks the software that allows access to FEDWIHE was not properly controlled by the security administration function in accord- ance with Federal Reserve System policies in that the receipt, testing, modification, and installation of the security software was being per- formed by systems programmers. This reduces the level of control over this software and increases the risks of unauthorized access and changes to sensitive software or data. l At three banks there were inadequate physical security provisions including surveillance devices such as cameras or motion sensors to monitor the activities within critical processing areas. At one of these banks the electronic card key device that records when employees exit from the computer center was inoperable. This weakens the banks’ abil- ity to monitor activities of computer center staff. l At two banks there were computer operations weaknesses, including the lack of a back-up power supply at one bank, to support operations dur- ing short-term and long-term power outages. Also, the ability to access critical computer commands at another bank was not limited to opera- tions personnel. This increases the risk of a disruption in services and unauthorized disclosure of information. l At two banks system software which, among other things, operates and controls the FEDWIRE system, was not being properly reviewed by the data security administration group or certain employees had excessive access privileges. Both of these circumstances increase the banks’ sus- ceptibility to unauthorized use or modification of FEDWIRE resources. Page 5 GAO/IMTEC-90-14 Strengthen Overnight of Critical Banking Systems B-233685 Additional weaknesses found at only one reserve bank included (1) operation of the central processor of FEDWIRE at excessive utilization levels, (2) an incomplete disaster recovery manual and the discontinu- ance of disaster recovery planning and testing, and (3) the need to enhance the protection of code words used to verify funds transfer instructions within a funds transfer wire room. Operation of FEDWIRE hardware at excessive utilization levels could cause degraded service including transaction processing delays and software problems. By not maintaining currency in its contingency planning, testing, and documen- tation, one bank increases the potential for prolonged service disrup- tions from earthquakes, power outages, etc., that could disable its primary processing center. Insufficient procedures for safeguarding funds transfer code words increase another bank’s risk of the unautho- rized disclosure of data or the initiation of a fraudulent funds transfer. Officials who manage FEDWIRE generally agreed that the above control weaknesses pose increased risks to their operations, and have taken or plan to take corrective action. Details of these weaknesses and the sta- tus of corrective actions are discussed in appendix II. The two systemwide weaknesses that limit the effectiveness of the con- trols environment over FEDWIRE involve (1) the lack of a requirement to conduct periodic external system security reviews and (2) incomplete use of recommended telecommunications security controls to protect against the unauthorized disclosure and modification of FEDWIRE trans- actions. The lack of periodic external security reviews could enhance the likelihood of not detecting control weaknesses. The last external review, conducted by a consulting firm in 1983, proposed a large number of safeguards to improve FEDWIRE security and overall operations. For example, this review identified the need for the following additional telecommunications security controls: (1) encryption to protect FEnwIRE transactions against unauthorized disclosure, and (2) message authenti- cation to ensure that transactions have not been altered during transmission. Officials who manage FEDWIRE also generally agreed that these sys- temwide weaknesses pose some risk to their system. Although the Fed- eral Reserve Board places a high degree of confidence in its own reviews, it agreed to consider conducting periodic external security reviews. With regard to the telecommunications security controls sug- gested in the 1983 external review, encryption is being used to prevent disclosure of information during transmission between Federal Reserve banks and the depository institutions they serve, and the Board is Page 6 GAO/IMTEGSO-14 Strengthen Overnight of Critical Banking Systems . I B-233685 studying proposals to encrypt transmissions between Federal Reserve banks. Message authentication is also being used between the Depart- ment of the Treasury and the Federal Reserve Bank of New York, and the Federal Reserve is prototyping the use of message authentication devices at four of its banks. It expects to complete the prototyping exer- cises in December 1989. Conkns With CHIPS The CHIPS controls environment was relatively strong; however, our risk Controls assessment of the CHIPS system identified three weaknesses that require corrective actions. As discussed below, these weaknesses involved the performance of incompatible duties within CHIPS’ quality control group, a lack of an independent internal audit function, and a lack of complete external audit coverage. l The CHIPS quality control group performs incompatible duties related to (1) testing, approving, and installing new computer programs; (2) administering system passwords; and (3) reviewing and investigating security violation reports, Combining duties such as these within one organizational function is contrary to generally accepted practices. To reduce the risk of unauthorized modification or destruction of data, dif- ferent organizational units should be responsible for testing software and administering security. l The placement of the internal auditor within the CHIPS’ organizational structure could adversely affect the auditor’s independence. CHIPS’ poli- cies require an independent audit function. Although the CHIPS internal auditor officially reports to an office outside of the data processing department (1) on a day-to-day basis the auditor reports to the Senior Vice President of Data Processing, (2) the Senior Vice President of Data Processing participates in preparing the internal auditor’s annual per- formance appraisal, and (3) the auditor’s salary is paid from the data processing department’s budget. Such practices can weaken the independence and objectivity of the internal audit function. . Although limited scope external reviews have been conducted about once every 2 years, CHIPS data processing operations have not been sub- ject to a complete external review that includes an opinion on the rea- sonableness of CHIPS controls. As a result, system weaknesses could go undetected or not be corrected in a timely manner. Senior CHIPS officials agreed that these weaknesses increased risk to their system. In this regard, they have recently established a security administration function to, among other things, administer system pass- words and review security violation reports. In addition, they have Page 7 GAO/IMTEiGL)O-14 Strengthen Overnight of Critical Banking Systems B-233685 implemented a set of controls to properly control testing, approving, and installing computer software. Officials also plan to take action to comply with the CHIPS policy requiring an independent audit function and intend, for example, to separate the internal auditor’s salary from the data processing department’s budget. These officials also plan to con- tract for a comprehensive external review. S.\;rlT.I.F.T.Intern .a1Control We were unable to conduct a complete assessment of the level of secur- We/aknessesand Other ity afforded to the S.W.I.F.T. system. However, our limited risk assessment disclosed three areas of concern involving (1) the independence of the Co*cerns organization’s internal audit function, (2) potential computer capacity problems with the existing system, and (3) system development prob- lems with a planned replacement system. Specifically: . Although the S.W.I.F.T. system is subjected to regular external security reviews, its internal audit function is not independent. Specifically, this function is responsible for both (1) the performance of audits of the sys- tem on a periodic basis to ensure that messages transmitted are secure, accurate, and timely; and (2) the design and installation of security fea- tures on the S,W.I.F.T. system. Since the same individuals have both audit and security responsibilities within the same organization, independent assessments of security policies and practices cannot be performed. . The S.W.I.F.T. organization has taken a series of steps to increase the capability of the existing system to process increasing transaction volumes. However, because of continued growth in work load, the sys- tem is expected to reach its capacity in 1991. In addition, given design limitations, the capability of the system to continue to accommodate expected traffic increases has been questioned by the organization’s external auditors. System performance problems associated with over- loading systems like S.W.I.F.T. include degradation of service levels that could significantly increase the time required to process transactions in portions of the system. As a result, the S.W.I.F.T. system could encounter sporadic instances where transactions are delayed or it may be unable to accommodate new business. Such events could necessitate adjust- ments in cash management practices of international banks and con- strain services provided by the international banking community. . The S.W.I.F.T. organization is in the process of developing an enhanced system referred to as S.W.I.F.T. II. This replacement project is currently 2 3 years behind schedule because of several factors including (1) soft- ware development problems, (2) organizational and management prob- lems, and (3) security concerns. Concerns raised in the most recent Page 8 GAO/EWEC-SO-14 Strengthen Oversight of Critical Banking Systems external audit report on the replacement system included system per- formance problems including system availability and functionality shortfalls, and a lack of formalized system testing procedures. S.W.I.F.T. officials believe that significant strides have been made to correct sys- tem development problems, but to ensure safe and reliable message processing, December 1989 plans to begin operating the new system were delayed. With continued system development problems, capacity concerns associated with overloading the existing system are heightened, officials agreed that its internal audit function was not indepen- S.W.I.F.T. dent, but believed that the regular external security reviews mitigated this weakness. These officials also acknowledged that, as the S.W.I.F.T. system expands in the future, the organization may have to establish an independent audit function. These officials also agreed with us that the current system will reach its capacity limits in 1991, but believed that the new system will be operational before then. The Federal Reserve System has the dual responsibility of providing Legal Framework and electronic funds transfer services through FEDWIRE and regulating and Oversight of examining funds transfers and other activities of Federal Reserve Electronic Funds banks, branch offices, and member depository financial institutions. Oversight of FEDWJRE is conducted by the Federal Reserve Board primar- Transfer Systems ily through annual financial examinations and operations reviews of a bank’s activities at least once every 3 years. Overall results of the exam- inations and reviews of the FEDWIRE system have generally disclosed that it has a good performance record, and that comprehensive stan- dards, policies, and procedures governing critical processing activities have been adopted. The Federal Reserve Board, Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency have specific regulatory and oversight responsibilities over U.S. banks. These banking agencies point to section 7(c) of the Bank Service Corporation Act, as amended, 12 U.S.C. section 1867(c), as the primary basis for them to regulate and examine the performance of certain traditional banking services (e.g., clerical, bookkeeping, accounting, statistical, or similar services) that are provided to a regulated bank by another entity or organization. Y Two of the banking agencies also referred to section 8(b) of the Federal Deposit Insurance Act, as amended, 12 U.S.C. section 1818(b), as another basis on which they could correct problems regarding services Page 9 GAO/IMTECSO-14 Strengthen Overnight of Critical Banking Systems . provided to regulated banks. Under this section, the banking agencies may prohibit a regulated bank from engaging in any unsafe or unsound practices and procedures. This could be accomplished either through “cease-and-desist” proceedings against a bank or through regulation. On the basis of these acts, the banking agencies generally believe, and we concur, that proper authority exists for the regulation and examina- tion of CHIPS operations and activities. For example, the Federal Reserve Board states that the primary services offered through the system are traditional banking functions, as set forth in the Bank Service Corpora- tion Act. In addition, the Board believes that funds transfers over the system have a substantial effect on bank balance sheets and have the potential to pose significant risk to a bank using the system should prob- lems develop. The Office of the Comptroller of the Currency also believes that CHIPS activities may reasonably be classified as “clerical, bookkeeping, accounting, statistical, or similar functions” within the meaning of the Bank Service Corporation Act. Because the clearing function provided by the New York Clearing House Association-the operators of CHIPS- is not specifically identified in these acts, officials of the Association do not agree that the acts author- ize any federal banking agency to regulate or examine CHIPS. Neverthe- less, the Association allows examinations of the system to be conducted on an invitation basis. Examinations are conducted jointly about every 18 months by a team of examiners from the Federal Reserve Bank of New York, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency. Since the Association has cooperated with the banking agencies, there has been no need to resolve this ques- tion to date. In their examinations, the regulators have reported that CHIPS generally adheres to high computer security standards. We agree with the consensus of the banking agencies regarding their regulatory and examination authority over CHIPS operations and activi- ties, essentially for the same reasons the agencies have stated. The ser- vices that CHIPS provides regulated banks appear to us to fall within the types of banking services covered in the Bank Service Corporation Act (e.g., clerical, bookkeeping, accounting, statistical, or similar services). The banking agencies have never regulated or examined the S.W.I.F.T. Y system. However, the agencies generally agree that while it is somewhat less clear, a reasonable case can be made that the Bank Service Corpora- tion Act authorizes them to review S.W.I.F.T. operations. Specifically, the Page 10 GAO/IhTTEC-90-14 Strengthen Overnight of Critical Banking Systems B-233685 Office of the Comptroller of the Currency believes that the act autho- rizes the regulation and examination of the system’s operations and activities. The Federal Deposit Insurance Corporation and the Federal Reserve Board are somewhat less affirmative. The Federal Deposit Insurance Corporation, for example, states that the services provided by the system seem a step removed from the concept of core banking func- tions, but are closely related to traditional banking functions and have potential significance for bank safety and soundness. The Corporation therefore believes that it is plausible to argue that S.W.I.F.T. services fall within the purview of the act. The Board states that the S.W.I.F.T. system provides primarily a communi- cations service and that while its messages form the basis for payment transactions, the system does not directly transfer funds between banks, and therefore, does not present the same risks as CHIPS transfers. The Board also pointed out that the S.W.I.F.T. system can be viewed as a tele- communications system dedicated to communicating financial informa- tion, and that telecommunications services provided to banks historically have not been examined by the banking agencies. In addi- tion, the Board believes that any review of the system would be compli- cated since its headquarters is in Belgium, and the majority of its members are foreign banks whose foreign offices are not subject to examination by U.S. bank regulatory agencies. Nevertheless, the Board did recognize that S.W.I.F.T.'S close relationship to payment activities may necessitate the need for examinations at some point in the future. In discussing these matters with a senior S.W.I.F.T. official, we were told that, notwithstanding the above uncertainties, S.W.I.F.T. management would cooperate with regulatory authorities to resolve any concerns they may have over the security and reliability of its systems. As an example of the S.W.I.F.T. organization’s participation in the past in resolv- ing issues involving international coordination, the official stated that the S.W.I.F.T. organization has met with the Bank for International Settle- ments to discuss developments in international banking and to exchange information to resolve important and sensitive banking issues.L w “The Bank for International Settlements is a prominent international organization, located in Switzerland, that has served as a major forum for central bank governors to meet to address jointly many international financial and economic issues. The United States and 11 other nations participate in regular meetings at the Bank for International Settlements. The United States’ representatives include officials from the Federal Reserve Board and the Federal Reserve Bank of New York. Page 11 GAO/IMTEGSO-14 Strengthen Oversight of Critical Banking Systems I E-233685 National and international wholesale electronic funds transfers, and Conclusions and messages resulting in such transfers, are accomplished through the R&ommendations FEDWIRE, CHIPS, and S.W.I.F.T. systems. The banking community has grown to rely on these systems as critical channels for the efficient and safe execution of financial and other business transactions. However, the results of our review of the security measures in place to protect these systems from misuse have not been satisfying. The control and manage- ment weaknesses we found place these systems at a higher risk than their importance would suggest is acceptable. The nature and extent of oversight of these systems has also varied significantly and the banking agencies’ authority over the CIIII’Sand S.W.I.F.T. systems is uncertain. Although officials who manage FEDWIRE, CHIPS, and S.W.I.F.T. have gener- ally taken or are taking actions to correct identified weaknesses, over- sight needs to be strengthened to ensure the integrity of these systems that are so critical to the smooth functioning of national and interna- tional electronic funds transfers. The operations and security of the FEDWIRE and CHIPS systems are being regularly evaluated by the banking agencies and we believe such over- sight activities are essential elements towards ensuring efficient, safe, and reliable services. However, given each system’s importance and the extent of control weaknesses we found during our review, we believe that such oversight efforts should be intensified. For example, neither system has had the benefit of full scope external reviews designed to assess system security controls and to render opinions on their reasona- bleness. We believe that such reviews would help to ensure that these systems have stringent internal controls and that the controls are in place and operating as intended. The banking agencies have never regulated or examined the S.W.I.F.T. sys- tem and such oversight would be complicated since the organization is headquartered in Belgium and the majority of the members of the sys- tem are foreign banks whose foreign offices are not subject to examina- tion by United States bank regulatory agencies. While complicated, this system transfers essential messages that form the basis for payment transactions within the United States, and as such, plays an important role in ensuring the safety and soundness of our banking system. Given the internal control weaknesses and other concerns identified in this report, we believe efforts should be undertaken to enhance the oversight and regulation of the system. We also do not share the position of S.W.I.F.T. management that use of external auditors mitigates the need for Page 12 GAO/IMTEC-SO-14 Strengthen Oversight of Critical Banking Systems B-233686 an independent internal audit function, and we encourage the organiza- tion to establish such a function. We therefore recommend that: . The Federal Reserve Board (1) ensure that FEDWIRE control weaknesses identified in appendix II in this report have been satisfactorily cor- rected; (2) determine whether similar weaknesses exist at other Federal Reserve banks and correct those found; and (3) require annual external reviews of FEDWIRE to help ensure that the system maintains reliable and secure operations. The Federal Reserve Board, the Office of the Comptroller of the Cur- rency, and the Federal Deposit Insurance Corporation should exercise their existing authorities to ensure the effectiveness of actions taken by the New York Clearing House Association to (1) develop procedures for the separation of duties for testing, approving, and installing new com- puter programs, (2) establish and maintain a reporting structure that allows for an independent internal audit function, and (3) utilize exter- nal auditors on an annual basis to provide for more comprehensive audit coverage of CHIPS. The Federal Reserve Board should work with other central banks and bank supervisory authorities through, for example, the Bank for Inter- national Settlements to ensure effective oversight and regulation of the S.W.I.F.T. system and similar systems that serve the international banking community. We discussed the contents of this report with senior officials of the Fed- eral Reserve System, the New York Clearing House Association, and the Society for Worldwide Interbank Financial Telecommunication SC. and have incorporated their views where appropriate. In accordance with 31 U.S.C. 718(a), the Federal Reserve System requested an opportunity to officially comment on this report, Its comments are included in appendix III. As arranged with your office, unless you publicly announce the contents of this report earlier, we plan no further distribution until Jan- uary 31, 1990. Page 13 GAO/IMTEGDO-14 Strengthen Oversight of Critical Banking Systems --- - B-233685 This work was performed under the direction of Howard G. Rhile, Direc- tor, General Government Information Systems, who can be reached at (202) 275-3455. Other major contributors are listed in appendix IV. Sincerely yours, Ralph V. Carlone Assistant Comptroller General Page 14 GAO/IMTEG9O-14 Strengthen Oversight of Critical Banking Systems * Page 15 GAO/IMTEGSO-14 Strengthen Oversight of Critical Banking System I Cbntents Appendix I 18 Objectives, Scope,and M+thodology Appendix II 21 S@curityWeaknesses Identified at Four Fdderal Reserve Banks Abpendix III Comments From the Federal Reserve System Appendix IV 39 Major Contributors to This Report Table Table 1: Control Weaknesses Identified at Federal Reserve 5 Banks Abbreviations CIIIPS Clearing House Interbank Payments System FEDWIRE Federal Reserve Communications System GAO General Accounting Office IM?‘EC Information Management and Technology Division S.W.I.F.T. Society for Worldwide Interbank Financial Telecommunication S.C. Page 16 GAO/IMTEG90-14 Strengthen Oversight of Critical Banking Systems Page 17 GAO/IMTEGSO-14 Strengthen Oversight of Critical Banking System Appendix I C)bjectives,Scope,and Methodology Our objectives were to provide information on (1) the reasonableness of security measures in place to help prevent illegal acts against the FEDWIRE, CHIPS, and S.W.I.F.T. systems, and (2) the existing regulatory and legal framework under which these systems are operated and moni- tored. As agreed with your office, we did not review the level of security provided by depository institutions over the operation of their terminals connected to these systems. To provide information on the reasonableness of security measures in place to help prevent illegal acts against these systems, we conducted risk assessments of the FEDWIRE, CHIPS, and S.W.I.F.T. systems. Our assess- ment of FEDWIRE was conducted at the Federal Reserve Board, and the Federal Reserve banks of New York, Chicago, Dallas, and San Francisco. These Federal Reserve banks were selected because they had critical network management, application software development, and sys- temwide security responsibilities. In addition, these Federal Reserve banks were responsible for processing about 70 percent of the dollar value of electronic funds transfers over FEDWIRE in calendar year 1988. Our assessment of CHIPS was conducted at its data center in New York City. Our S.W.I.F.T. assessment was conducted at the organization’s head- quarters in LaHulpe, Belgium, and an operating center in the Netherlands. The risk assessments at these organizations included a review of the susceptibility of the organizations to loss or unauthorized use of system resources, errors in information, and illegal or unethical acts. The risk assessments addressed 16 organizational functions considered to be essential to the secure processing of electronic funds transfers. The functions were (1) security software management, (2) hardware and software management, (3) capacity planning, (4) contingency planning and testing, (5) computer operations, (6) message security, (7) system software management, (8) communications management, (9) network management, (10) quality assurance, (11) data security administration, (12) security awareness, (13) physical security, (14) personnel hiring practices, (15) wire room operations, and (16) internal and external audit reviews. This risk assessment document incorporated questions and control tests from GAO'S Control and Risk Evaluation audit method- ology, federal standards and guidance within Federal Information Processing Standards Publications of the National Institute of Standards and Technology, and related audit guidelines provided by the Federal Page 18 GAO/IMTECSO-14 Strengthen Oversight of Critical Banking Systems 2.---i I Appendix I Objectives, Scope, and Methodology Financial Institutions Examination Council, the Federal Reserve Board, and the American Bankers Association1 To document the existing regulatory and legal framework under which these systems are operated and monitored, we reviewed pertinent docu- mentation on the responsibilities, power, and authority of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency. We also obtained federal reg- ulations and other related information from officials in each of the orga- nizations and documented actions taken by the organizations to provide regulatory oversight over FEDWIRE and CHIPS. This included obtaining legal opinions from the General Counsels of the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comp- troller of the Currency on their legal authority to regulate and examine the CHIPS and S.W.I.F.T. systems. We also reviewed pertinent sections of the Bank Service Corporation Act of 1962 as amended (12 U.S.C. (1867)), which describes federal regulatory oversight responsibilities over bank service corporations. We also obtained information from senior officials within each organiza- tion on whether fraudulent acts have been reported against the FEDWIRE:, CHIPS, and S.W.I.F.T. telecommunications systems. In addition, we inter- viewed senior officials and analyzed data provided by the Federal Bureau of Investigation, Department of Justice, U.S. Secret Service, Fed- eral Deposit Insurance Corporation, and the Office of the Comptroller of the Currency. Specifically, this review documented whether fraudulent acts were committed by employees within the Federal Reserve System, the New York Clearing House Association, and the Society for World- wide Interbank Financial Telecommunication S.C. We attempted to obtain information on the number of reported instances of wholesale electronic funds transfer crimes committed by employees or customers of financial institutions that use the FEDWIRE, CHIPS, and s.w.I.F.T. systems. IIowever, information of this nature was not specifically available from law enforcement organizations. The Society for Worldwide Interbank Financial Telecommunication S.C. limited our access privileges to their operations. In this regard, we were able to discuss technical security features of the S.W.I.F.T. systems with ‘The Federal Financial Institutions Examination Council was established in 1978 to develop uniform w examination and supervision practices for all depository institutions’ regulatory agencies. Members of the Council include the Federal Reserve Systems, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Federal Borne Loan Bank Board, and the National Credit Union Administration. Page 19 GAO/lMTEWO-14 Strengthen Oversight of Critical Banking Systems - -I Appendix I Objectives, Scope, and Methodology -..-I representatives of the organization’s Office of Chief Inspector, and reviewed available audit reports prepared by this organization. How- ever, we were not granted access to systems programmers, quality assurance operations, capacity planning staff, contingency planning staff, system software management practices, or external auditors retained by the Society. In addition, we were not able to assess the security afforded to the S.W.I.F.T. operations center located in the United States and we were not provided access to details of the design, develop- ment, and testing of the replacement S.W.I.F.T. system. Except for the access limitations imposed by the Society for Worldwide Interbank Financial Telecommunication S.C., our work was performed in accordance with generally accepted government auditing standards and was conducted between February 1989 and October 1989. Y Page 20 GAO/IMTEG!JO-14 Strengthen Oversight of Critical BankingSystems Appendix II iS$mrity WeaknessesIdentified at Four Federal Reserve Baylks At the Federal Reserve banks in Chicago, Dallas, New York, and San Francisco we found security weaknesses that increase the vulnerability associated with FEDWIRE electronic funds transfers. We identified 17 security weaknesses in 10 functional areas at these banks. In most cases, each of the Federal Reserve banks have moved swiftly to correct identi- fied security weaknesses. Details of each security weakness and the sta- tus of corrective action follows. 1. Software Management Security Weakness: The software that restricts access to FEDWIRE is not properly controlled. At the four Federal Reserve banks, the system software that restricts access to FEDWIRE was improperly controlled. Specifically, the software was received, tested, modified, and installed on the FEDWIRE system by systems programmers. The Federal Reserve’s Data Security Manual states that the data security administration groups at Federal Reserve banks should be responsible for the administration of the security software. IJse of systems programmers to control the receipt and installation of FEDWIRE’S access control software instead of data security administra- tion groups reduces the level of control over this software in that sys- tems programmers could, with less chance of detection, make unauthorized software changes. Such changes could cause damage or allow unauthorized access to sensitive information and could result in the destruction of data or the disruption of services. As a result of this observation, senior officials at the four Federal Reserve banks told us that they have taken steps to strengthen the con- trols over the administration of the security software. In addition, the Federal Reserve Board incorporated within its financial examination procedures a requirement to determine the adequacy of controls over the installation and use of the F-EDWIHE’S security software program on a systemwide basis. 2. Physical Security Weakness: Inadequate physical security controls reduce the level of nrotection afforded critical information and equipment. A. At the Federal Reserve Bank of Dallas physical security practices were weakened because: Page 21 GAO/IMTEG!W14 Strengthen Oversight of Critical Banking System , Appendix II Security Weaknesses Identified at Four Federal Resewe Banks . Critical areas of the data center were not well controlled. Specifically, video cameras or motion sensors were not installed in unmanned areas of the computer center that contained critical computer equipment, including devices that allow direct access to stored data and a communi- cations processor that links the Bank to the Federal Reserve Communi- cations System. This increases the data center’s vulnerability to undetected access and destruction of critical equipment. Communications lines that link the Bank to the Federal Reserve Commu- nications System are exposed on a wall in the computer center. This increases the vulnerability to data communications disruptions. The computer room card key lock system that controls access to and from the facility was inoperable and permitted individuals to exit the room without insertion of their card keys. This weakens the ability of staff to monitor computer center activities. Federal Reserve bank guards cannot visually monitor access into the computer center’s tape library. A camera in that room is focused on tape drive equipment rather than on the entrance to the room. As a result, a person could enter the tape library and cause damage or remove tapes without being detected. B. At the Federal Reserve Bank of San Francisco, physical security prac- tices were weakened because: There were no cameras or motion detectors in the computer center or in adjoining rooms that contain critical equipment such as the processor that connects the Bank with the Federal Reserve Communications Sys- tem. This increases the data center’s vulnerability to undetected access and destruction of critical equipment. An alternate master console that could be used to access the FEDWIRE was located in an unmanned area in the computer room. This increases the risk of destruction of data or disruption of services. Access to the computer equipment was not well controlled in that ven- dors, systems programmers, and others were authorized to access the computer room. In addition, multiple rooms were connected to the center and access to and from these rooms was uncontrolled. These weaknesses hamper the monitoring of computer center staff activities. C. At the Federal Reserve Bank of New York, we observed the lack of cameras in the data center to monitor unmanned areas that contain criti- cal equipment. The lack of cameras raises the risk to the data center of undetected access and destruction of critical equipment. Page 22 GAO/IMTJZC-SO-14Strengthen Oversight of Critical Banking Systems Appendix II Security Weaknesses Identified at Four Federal Reserve Ranks Federal guidance suggests that there should be adequate physical pro- tection and access control to critical data processing areas including the computer room, data control and conversion area, and data file storage area. Senior Federal Reserve Bank of Dallas officials informed us that they have re-positioned a camera located in the tape library so that entry to and exiting from the library is visible to guards. They also are replacing the card key access system. Bank officials also plan to promptly install additional cameras in unmanned areas of the computer room and enclose the exposed communications lines. Senior Federal Reserve Bank of San Francisco officials informed us that they are taking steps to place cameras within the computer center. The alternate master console was removed from the computer room. In addi- tion, the Bank has initiated a review of the personnel who have access privileges to the computer center and plan to take appropriate actions. Senior Federal Reserve Bank of New:York officials informed us that the Bank had budgeted for the additional cameras prior to our visit and that they have now been installed. 3a. Computer Operations Security Weakness: FEDWIRE processing can be disrupted because there is no provision for alternate back-up electrical power. The Federal Reserve Bank of Dallas did not have a generator to provide back-up power during long-term power outages. In addition, it did not have back-up power capability to (1) maintain operations during short- term outages and (2) reduce the adverse effects of power fluctuations. The Bank experienced two power outages during 1988 that disrupted FEDWIRE operations for periods exceeding 30 minutes. The Federal Reserve’s Data Security Manual requires each Federal Reserve bank to have a generating unit of sufficient capacity to support critical operating functions during times of power outages. The manual also suggests that banks obtain a short-term power supply. The lack of back-up power places the Federal Reserve Bank of Dallas at the risk of not being able to continue critical operations during power Y outages. Senior Federal Reserve Bank of Dallas officials had budgeted for a system prior to our review and have installed a system that reduces the risk of short-term power outages and electrical surges. In Page 23 GAO/IMTEG90-14 Strengthen Oversight of Critical Banking Systems t, Appendix II Security Weaknesses Identified at Four Federal Reserve Banks addition, the Bank plans to purchase and install a generating unit in 1990. 3b. Computer Operations Security Weakness: Controls over the number and type of personnel who have access to FEDWIRE are weak. A November 1988 Federal Reserve Board financial examination dis- closed that 87 San Francisco Federal Reserve Bank employees had access to critical FEDWIRE computer commands and recommended that the Bank reduce the number of individuals with these access privileges. Although the bank responded to the Board’s examination, we found that the Bank continued to authorize 48 individuals, including 10 systems programmers, access to critical commands. In addition, we found that master console commands could be issued from multiple computer ter- minals located outside of the computer room. The Federal Reserve’s Data Security Manual states that authorization to access critical computer commands should be limited to computer opera- tors. The manual also suggests that master console commands should be restricted to one master computer terminal. Because the Federal Reserve Bank of San Francisco did not adequately restrict the (1) number of personnel with authorization to access critical computer commands and (2) master console commands to one computer terminal, the Bank was more vulnerable to unauthorized data modifica- tion and disruption of services. Senior Federal Reserve Bank of San Francisco officials agreed with our observations and have reduced access to the system from 48 individuals to only nine computer operators. The officials also have taken steps to correct the master console command weakness. 4a. System Software Security Weakness: Changes to software that con- trols and operates FEDWIRE are not examined from a security perspective.’ ‘System software consists of a set of programs including the operating system, its associated utilities and program products, that allows a computer system to manage its own resources. Page 24 GAO/IMTEGSO-14 Strengthen Oversight of Critical Banking Systems Appendix II Security Weaknesses Identified at Four Federal Reserve Bauka Neither the data security administration group nor any other group at the Federal Reserve Bank of New York reviewed the security implica- tions of changes to system software. The Federal Reserve’s Data Secur- ity Manual assigns responsibility for reviewing the security implications of system software changes to the data security administration group. Since no review was being conducted, the FEDWIRE system was more vul- nerable to, among other things, unauthorized use of or access to elec- tronic data processing resources. Senior Federal Reserve Bank of New York officials informed us that the Bank’s security control group will review new system software changes to determine whether the software changes could create vulnerabilities to FEDWIRE’S operating environment. 4b. System Software Security Weakness: Access to software that moni- tors and operates FEDWIRE was not properly restricted. The Federal Reserve Bank of San Francisco did not properly restrict access to system software, in that a systems programmer and the data security administrator had the same level of access and privileges to (1) advanced features of online/real-time system performance monitoring software and (2) FEDWIRE’S security software. In order to provide for the segregation of duties between systems pro- grammers and the data security administrator, no systems programmer should be authorized to independently access advanced features of online/real-time system performance monitoring software. As a result of the segregation of duties weakness, the programmer has the capabil- ity to allow unauthorized access and changes to sensitive FEDWIRE infor- mation without detection. Senior Federal Reserve Bank of San Francisco officials told us that they have corrected this situation by (1) removing the systems programmers’ access privilege to FEDWIRE’S security control software, and (2) imple- menting a procedure to control the systems programmers’ access to the advanced features of the system performance monitoring software. 6. Capacity Planning Security Weakness: A computer system was oper- ating at levels that could have a negative impact on the timely process- ing of funds transfers. Page 26 GAO/IMTEGSO-14 Strengthen Oversight of Critical Banking Systems Appendix XI Security Weaknesses Identified at Four Federal Reserve Banks The computer system that operates FEDWIRE at the Federal Reserve Bank of Chicago was operating at levels approaching 100 percent of utiliza- tion during peak periods. Although, in March 1988, capacity planning staff at the Federal Reserve Bank of Chicago documented utilization levels exceeding 90 percent, the staff did not recommend that Bank management acquire a new system until September 1988. The Federal Reserve System does not have a formal policy regarding system utilization levels, but a senior Federal Reserve Board official told us that when a Federal Reserve bank’s computer system reaches 80 per- cent utilization, steps should be initiated to upgrade or replace the system. Operating the system at excessive utilization levels could cause transac- tion processing delays and computer processing irregularities that could result in service delays or disruptions. A Federal Reserve Bank of Chicago official told us that a more powerful computer system has been installed that provides a significant increase in the Bank’s computer processing capabilities. 6. Contingency Planning Security Weakness: A Federal Reserve bank may not have been able to resume operations efficiently because it stopped testing with its primary back-up site and did not have a current recovery plan. The Federal Reserve Bank of San Francisco stopped disaster recovery, contingency planning, and testing at the Federal Reserve System’s pri- mary back-up location in September 1988 and was relying on a new location for its disaster recovery and contingency planning before this new site became operational. Also, the Bank’s disaster recovery manual was not current and did not include all information needed to re-estab- lish service in the event of a long-term system outage. The Federal Reserve’s Data Security Manual states that each Federal Reserve bank must develop a comprehensive and detailed contingency plan that should be reviewed periodically to account for changes in the status of critical applications. Federal guidance also points out that peri- odic contingency testing and resolution of problems is necessary to Y ensure that the contingency plan is adequate and personnel are profi- cient in responding to emergencies. Page 26 GAO/IMTEGSO-14 Strengthen Oversight of Critical Banking Systems Appendix II Security Weaknesses Identifled at Four Federal Reserve Banks By ceasing contingency testing and not maintaining a current contin- gency manual, the Bank risked not being able to carry out its disaster recovery and contingency plan in a timely manner. According to senior officials from the Federal Reserve Bank of San Francisco, the new disaster recovery site became operational in Septem- ber 1989. In addition, the Bank has prepared an updated disaster recov- ery manual and has resumed full testing at its new disaster recovery site. 7. Quality Assurance Security Weakness: Improper quality assurance testing weakens internal controls. The Federal Reserve Bank of Dallas did not properly separate duties within its systems development function. Specifically, a systems analyst was performing both software testing and product acceptance functions. While the Bank did have a quality assurance function, it was primarily involved with developing software standards and procedures-not test- ing software. The Federal Reserve’s Data Security Manual states that software testing and product acceptance functions should be performed by different indi- viduals when possible. In addition, federal guidance suggests that an independent review of software changes be conducted to ensure that the changes do not permit unauthorized modifications, By using a systems analyst to perform functions normally conducted by quality assurance staff, the risk of unauthorized software modifications is increased. Federal Reserve Bank of Dallas senior officials informed us that soft- ware acceptance testing is now performed by the quality assurance group. In addition, Bank officials stated that its Production Control Group is now used to move all new programs from the test environment to the operating environment. 8. Communications Management Security Weakness: Communications personnel were performing duties normally assigned to computer opera- tions and systems programmers. Communications personnel at the Federal Reserve Bank of San Fran- cisco, in addition to performing their traditional responsibilities, per- formed functions usually assigned to systems programmers and Page 27 GAO/IMTEGSO-14 Strengthen Oversight of Critical Banking System - Appendix II Security Weaknesses Identified at Four Federal Reserve Banks computer operators. For example, communications personnel had con- trol of a software product that allowed them to issue master console commands that control system operations. These responsibilities are normally assigned to computer operators. The communications person- nel also had the ability to use a software product that provides online/ real-time system performance monitoring and the capability of altering memory. These responsibilities are normally assigned to systems programmers. According to federal guidance, a separation of duties should exist within computer operations, systems programming, and communications func- tions. By not properly separating these functions, the Bank does not have in place key checks and balances to protect against unauthorized access and modification of FEDWIRE data. Bank officials told us that they will examine the alignment of responsi- bilities between the computer operations and systems programming functions to eliminate the potential for unauthorized access and modifi- cation of FEDWIRE data. In addition, we were told that the Bank has reas- signed access so that the communications personnel no longer have access to advanced features of a specialized software product. The Bank does not plan to separate its communications and computer operations functions in the computer room. The Bank’s decision to combine these areas was made consistent with the System’s efforts to automate com- puter and network operations. We continue to believe that the blurring of duties performed by the Bank’s communications and computer opera- tions personnel increases the Bank’s vulnerability to alteration of data and unauthorized access to FEDWIRE. 9. Network Management Security Weakness: Network management weaknesses leave FEDWIRE more vulnerable to service failures. The Federal Reserve Communications System, which electronically links all Federal Reserve district banks, did not have totally redundant net- work nodal processors.2 We found that while the nodal processors did provide significant inherent backup capabilities, the memory within the processors is not redundant. Without redundant common memory, these nodal processors have a single point of failure and if a nodal processor becomes inoperable the Federal Reserve Communications System runs 2A nodal processor is a device that provides connectivity between Federal Reserve banks and the Federal Reserve Communications System. Page 28 GAO/IMTRCSO-14 Strengthen Oversight of Critical Banking Systems . Appendix II Security Weaknesses Identlfkd at Four Federal Reserve Banks the risk of not being able to transmit electronic funds transfer data between Federal Reserve banks in its traditional secure fashion. In addition computer center staff performed incompatible duties includ- ing responsibilities associated with software development and manage- ment of the network. As a result, network management staff had the ability to make changes to sensitive FEDWIRE communications software utilized by the FEDWIRE application, We also observed that System Com- munications Center staff were not using state-of-the-art monitoring tools to manage the network and it appeared that they were using hard-copy reports to monitor the system rather than information on real-time dis- play terminals. Events such as these can place the Center at a higher risk of not responding in a timely manner to network management emer- gencies that require expedient actions. Federal Reserve Bank of Chicago senior officials informed us that (1) all new processors added to the network contain redundant components as well as redundant memory, (2) controls have been put into place to ensure that network management staff cannot make changes to sensi- tive FEDWIRE information, and (3) real-time terminal displays have been enhanced. 10. Wire Room Operations Security Weakness: Code words used to authorize FEDWIRE transfers were printed and could have been used to initiate a fraudulent funds transfer. Within the Federal Reserve Bank of New York’s wire room, code words were used to verify telephone funds transfer instructions from financial depository institutions. The code words were printed in a hard copy for- mat that increased the capability to compromise their integrity. In order to prevent fraudulent fund transfers, employees of Federal Reserve banks should not have the ability to view code words. At other Federal Reserve bank locations we found improved controls over code words in that they were stored in an unreadable format within an auto- mated system. Since code words could be more easily compromised, the Bank was vul- nerable to unauthorized disclosure of information that could result in the initiation of a fraudulent funds transfer. Federal Reserve Bank of New York senior officials told us that code words are now being con- trolled by a computer system. Page 29 GAO/IMTEG90-14 Strengthen Oversight of Critical Banking Systems I 7 Apbndix III r C,ymmentsFrom the Federal ReserveSystem BOARD OF GOVERNORS OF 7uc FEOERAL RESERVE SYSTEM WASHINGTON, 0. C. 20551 November 9, 1989 Mr. Ralph V. Carlone Assistant Comptroller General United States General Accounting Office Washington D.C. 20548 Dear Mr. Carlone: The Board of Governors of the Federal Reserve System appreciates the opportunity to comment on the draft report of the General Accounting Office (GAO) titled EJectr& Fun& ersiaht of Critical agnklna Svz&.@ms should Be To support the effort to develop a timely assessment of electronic data security on the Fedwire aystem, the Board has expedited its review of the GAO's draft report. Our response should be read in the context of a highly abbreviated comment period providing less than two weeks for staff analysis and Board review. The Board's response to the portions of the Fy;;ts report related to Fedwire is divided into four parts. we provide a general overview of the Fedwire data securit; architecture. Second, we discuss the GAO's specific findings at the four Reserve Banks visited. Third, we address the GAO's recommendation that the Federal Reserve contract to obtain external review of Fedwire security. Finally, we address the GAO’s concern regarding the lack of encryption on the llbackbonell communications network linking the Reserve Banks and the need for message authentication. The Federal Reserve is strongly committed to providing the most secure electronic payments services possible. As noted in the GAO’s draft report, the Syetem hau in place a comprehensive program designed to identify orcurity requirements, develop and implement technical solutions to those requirements, and, finally, to monitor the ongoing effectiveness of security administration. We believe the security architecture for Fedwire is fundamentally Bound, and Page 30 GAO/IMTEC-90-14 Strengthen Oversight of Critical Banking Systems Appendix III Comments Prom the Federal Reserve System -! -2- we also believe that the GAO's findings will further strengthen the safeguards surrounding Fedwire. The Federal Re0ervet8 commitment to data security for Fedwire is reflected by our receptiveness to information and guidance from various sourcea that may help ensure excellent security. It is in this context that we welcome the GAO's suggestions for improvement to Fedwire security. Ovarvi~w of tha Fedwin Data 8oourity Arohit~oture The Federal Reserve System has implemented a comprehensive security architecture designed to provide secure and reliable electronic payment servioee. Thir architecture incorporates a wide range of safeguards, including physical 8eourity, controlled access to computer systems, and protection of the confidentiality and integrity of data. These c;;;rmz:; apply to software implementation, computer operations, communications, and contingency. The System eetablishes and documenta its control standards in a Data Security Manual containing over 100 safeguards relating to these areas. The GAO's findings need to be considered in the context of the Federal Reserve's overall security architecture and program. A summary of how these controls provide a secure environment for Fedwire is provided below. The first level of safeguard in place to protect Fedwire includes physical security that limits access to sensitive data and operations areas to those individuals who require access to perform their duties. Guards, card key access devices, and surveillance equipment are used to prevent and detect unauthorized physical access. Moreover, all employees working in sensitive areas undergo extensive background checks. Further, legal agreements with vendors provide for clearance, nondisclosure, and other appropriate security considerations. Reserve Banks have procedures for reporting, tracking, and resolving computer system problems as well as procedures for reporting suspected security violations. Each Reserve Bank has a complete audit trail for attempted breaches of access controls and the Security Administrator investigates any attempted breach. Where relevant, this information is shared among Federal Reserve Banks. To safeguard the Fedwire system, access control software and code words identify and permit access to authorized users prior to processing any transfer of funds. The Fedwire system acknowledges successful receipt of messages between system components. To protect confidentiality of messagea, transmissions between depository institutions and Reserve Banks are encrypted. Page 31 GAO/IMTJ3G9O-14 Strengthen Overnight of Critical Banking Systems - Appendix III Comments FTO~ the Federal Reserve System - -3- Additional controls, based on separation of duties, restrict access to sensitive data and programs. For example, each Reserve Sank maintains separate processing environments for test and critical production systems and restricts access to these systems. Extensive change control mechanisms are in place to ensure that only tested and approved application software changes are implemented in the production environment. The GAO's interest in security extends to capacity planning and contingency processing arrangements. To ensure that adequate capacity is available, Reserve Banks develop annual automation and capacity plans that fit into a long-range planning process. The Fedwire system also has been designed to provide for local backup of key computing and communications components. Further, to ensure that Fedwire operations continue with minimum disruption, even after a disaster, the Reserve Banks maintain several remote sites and test comprehensive contingency plans at least semi-annually. These plans include relocation of computer operations, as well as data backup procedures to ensure that databases can be reconstructed after an outage. An example of the resiliency of the Fedwire system was the ability of the Federal Reserve Bank of San Francisco to continue full payments operations following the October 17, 1989, earthquake. The Bank operated on emergency power, restored its computer systems in two and one half hours and resumed processing to meet critical nighttime deadlines, and was open and ready for Fedwire business as usual at 9:00 a.m. Eastern Time the following day. Simultaneously, the Reserve Bank's remote processing site was prepared to 8erve as backup in the event that critical operations could not resume in San Francisco. A reflection of the effectiveness of regular production and emergency backup arrangements is the high reliability of the Fedwire applications and the @lbackbone" communications network connecting the Reserve Banks, called FRCS-80. Availability of Fedwire applications during the critical hours of 5:00 p.m. to closing was 99.60 percent for 1988 and 99.79 percent for 1989 through the third quarter. Availability of Fedwire applications for full-day operations was 99.59 percent for 1988 and 99.77 percent for 1989 through the third quarter. The backbone communications network has also performed well. In over seven years of operations, the FRCS-80 network has maintained availability in excess of 99.99 percent. Planning is also underway for the successor network. Page 32 GAO/IMTEG!Wl4 Strengthen Oversight of Critical Banking Systems . I Appendix III Comments From the Federal Reserve System -4- Speaifia Reserve Bank Findings The GAO has identified a number of specific control weaknesses at the four Reserve Banks where it conducted on-site reviews. In general, these Reserve Banks have either already taken corrective action with respect to these findings or plan to take corrective action in the near future. The Board disagrees with the GAO's position, however, with respect to one of its findings. The draft report indicates that there should be a complete separation of function between computer and network operators. Based on analysis of both the risk potential and emerging industry trends to automate and consolidate computer and network operations, the Board believes that combining these functions has no detrimental effect on security. A leading industry expert that was consulted ak; staff concurs with this assessment. Staff comments on this certain other findings are appended to this letter. The Board is currently taking steps to determine whether control weaknesses similar to those cited by the GAO exist at any other Reserve Banks. If such weaknesses are found at other Reserve Banks, the Board ensures that prompt corrective action will be taken. Ext8rnal Review of Fedwire Security The Federal Reserve's security program includes multiple layers of review, both internal and external. Several organizations within the System play an active role in ensuring consistent compliance with the Federal Reserve's security standards. These oversight groups include a national Security Steering Group, comprised of Reserve Bank and Board staff, the Banks' internal auditors, and the Board's Division of Federal Reserve Bank Operations. Each organization addresses a different aspect of the data security program. At the System level, the Security Steering Group manages and coordinates the development and implementation of the data security design and addresses System-level data and communications matters. The individual Reserve Banks' internal audit staffs participate in the system development life cycle process, regularly reviewing compliance with security procedures and performing audits of operating and data processing areas. The Reserve Banks' General Auditors report directly to the Banks' boards of directors. The internal audit departments at Reserve Banks also assure that corrective actions are taken in response to recommendations made by the Board's review groups. Y Page 33 GAO/IMTEGSO-14 Strengthen Oversight of Critical Banking Systems Appendix III Comments From the Federal Reserve System - 5 - A critical component of the Federal Reeerve's security program is review and oversight by the Board of Governore, through its staff. The Board exercises, by law, general oversight of Reserve Bank activities. To discharge thie responsibility, the Board has established a highly qualified operational and technical staff that review8 the Reserve Banks' implementation of System security standards. The Board's staff ie institutionally independent of the Reserve Bank management structure, reporting directly to the Board. The Board's Division of Federal Reserve Bank Operations reviews Reserve Bank security as an integral part of several of its functions. Through its broad scope operations review of the Reserve Banks' data processing functions, the review program monitors compliance with System policies and identifies actual or potential security concerns. Separate operations reviews of the different functional areas of the Reserve Banks, such as the Fedwire funds transfer and book-entry securities transfer operations, also assess the adequacy of the controls in these functions. The Board's financial examiners also review security as an integral part of the annual financial examination process at each Reserve Bank and asses8 specifically the effectiveness of electronic access control8 for operating systems, networks, and application and environmental software. The examiners' focus also includes a review of the adequacy of administrative and managerial controls related to data security awareness training, personal computers, and local area networks. To augment this multi-layered data security review program, the Board believes it is useful to engage the services of a consultant from time-to-time to assist its staff in assessing security issues. In fact, the System has a history of employing outside technical assistance. The Board retains an independent accounting firm to review annually its operations review and financial examination oversight functions, including oversight of Fedwire security. We agree that the additional insight from outside parties may be helpful in identifying additional security enhancements. Accordingly, the Board will continue to seek outside expertise to enhance its Fedwire security program. We have found that such reviews are most helpful during major systems changes and will seek outside assistance when we believe that the circumstances warrant such input. Page 34 GAO/IMTEE90-14 Strengthen Oversight of Critical Banking Systems Appendix III Comments From the Federal Reserve System - 6 - Enaryption and Meeeaqe Authentiaation The Federal Reserve is taking steps to address the GAO's concerns regarding the risk of unauthorized disclosure and modification of Fedwire transactions during transmission between Federal Reserve Banks. To understand these actions, a brief description of the "backbone" Federal Reserve Communications System (FRCS-80) is in order. Implemented in 1982, FRCS-80 ie a high-speed, dedicated communications network connecting Reserve Banks, the Board, contingency sites, and the U.S. Treasury. FRCS-8 0 employs packet switching technology, which breaks messages apart during transmission and reassembles them at their destination. Both the high speed of the backbone communica- tions network and the packet switching technology make penetration of the network difficult. Nonetheless, we believe it is important to take steps to secure the network further. Accordingly, in September 1989, the Federal Reserve issued a request for proposal to encrypt the FRCS-80 backbone network. Vendor responses are currently being reviewed and encryption will be implemented in the first half of 1990. The encryption of the FRCS-00 backbone network is in addition to the encryption of transmissions between depository institutions and Federal Reserve Banks, which currently exists. The draft report also discusses authentication as a measure to enhance message integrity. Message authentication is a process of deriving a code based on the contents of the message and appending the code to the message for later authentication by the authorized receiver using a secret key shared with the originator. While certain features of the Fedwire network, such as the packet switching technology of the backbone network and the encryption of messages between depository institutions and Reserve Banks, protect the confidentiality of payment information and reduce the likelihood that messages could be altered, the Federal Reserve has been reviewing message authentication technology to determine how to best implement this security feature. The Federal Reserve has determined that any message authentication technique that is adopted must be consistent with American National Standards Institute (ANSI) Standards 9.9 and 9.17. The technique must also be consistent with Treasury Directive 16-02, which requires the authentication of funds transfers transacted between the Reserve Banks and Treasury Financial Centers. Based upon an understanding with Treasury, the message authentication process currently used for funds transfers conducted with Treasury satisfies this directive. Further, the technique should be commercially available to and cost effective for the depository institutions that are part of the Fedwire network. Page 36 GAO/IMTEGSO-14 Strengthen Oversight of Critical Banking Systems , Appendix III Comments From the Federal Reserve System -7- The Reserve Banks are testing the feasibility of implementing message authentication with technology that meets national standards, especially regarding key management, across the Fedwire environment of more than 11,000 endpoints. The feasibility of making message authentication broadly available must account for not only the large number of endpoints but also their diverse size. The majority of the endpoints connected to Fedwire are small depository institutions that are very sensitive to costs. The results and recommendations of the Federal Reserve's feasibility study will be presented to the System's senior management in January 1990. The Board is optimistic that the System's efforts will result in a viable approach to message authentication for Fedwire. Concluding Remarks In conclusion, the Board is sympathetic with the thrust of the GAO's recommendations and with a number of its particular findings. Most of the GAO's specific findings have been addressed or are in the process of being addressed. Further, the Board is taking steps to ensure that the conditions leading to the findings do not exist at other Reserve Banks. To enhance its Fedwire security program, the Board will continue to seek outside expertise at times when such assistance would be helpful. The FRCS-80 backbone communications network will be encrypted in the first half of 1990 and recommendations from the message authentication feasibility study will be presented to Federal Reserve senior management in January 1990. The Board of Governors generally believes that the recommendations contained in the GAO's draft report will assist the Federal Reserve in its continuing efforts to ensure a high level of Fedwire security. We appreciate this opportunity to comment on the draft findings. Sincerely yours, Associate 4iiziz!*+g Secretary of the Board Enclosure Page 36 GAO/IMTEGBO-14 Strengthen Oversight of Critical Banking Systems Appendix III Cvmmc?nte From the Federal Reserve System -8- ENCLOSURE D STAFF COMMENTS ON THE DRAFT GAO REPORT - SYSTEMS SHOULD BE STRENGTHENED The following discussion addresses areas that the staff believes require further clarification and areas with which the staff takes exception. 8. Communications Manaaement Security Weakness: 1~ aesiuned to comnuter ooerations and svstems wammers. The Federal Reserve Bank of San Francisco does not plan to separate its telecommunications and computer operations functions in the computer room. Operators do not have the ability to modify applications programs or data. The decision to combine these areas was made consistent with the System's efforts to automate computer and network operations. Discussions with an outside consultant with expertise in automated operations have confirmed that there is no additional security risk associated with combining these two functions and that the Bank's decision is consistent with emerging industry trends. However, regarding the GAOle concern about the separation of duties between operations and system8 programming, the Bank will reexamine the alignment of responsibilities between these functions to eliminate any potential unauthorized access and modification to Fedwire data. Further, to address the GAO's concern that the communications personnel had the capability to alter memory, the Bank has reassigned access so that the communications personnel no longer have access to the special password for the eoftware that provides thia function. Page37 GAO/IMTECQO-14 StrengthenOveraightofCriticalBankingSystema Appendix III Comments From the Federal Reserve System -9- 9. Netwment Securitv Weas. . Net?&x,& rable QJ service fd.lures. The GAO notes that 1) the Federal Reserve Communications network does not have totally redundant backup, 2) computer center staff performed duties associated with software development and management of the network and 3) monitoring of the network appeared to be accomplished by using hard-copy reports rather than using the information on real-time display terminals. Clarification is provided for all these statements. Regarding the issue of totally redundant backup, all new processors added to the network contain redundant components a8 well as redundant memory. With respect to the risk of not being able to transmit electronic funds transfer data between Federal Reserve bank8 if nodal processors become inoperable, the System Communicationa Center (SCC) maintains back-up equipment that provides recovery for all nodes on the network. In the event of a failure, the backup node is loaded with an image of the failed node software and the site is connected to the back-up node through high speed dial connections. These backup and recovery procedures are tested quarterly with each site and have been used successfully in production when required. The reliability of the network and the adequacy of its backup can be demonstrated by the availability statistics. In over seven years of operations, the FRCS-SO network has maintained an availability in exces8 of 99.99 percent uptime. In addition, the Federal Reserve System is analyzing alternatives to a successor network. The GAO notes that the network management staff had the ability to make changes to sensitive Fedwire information. Controls have been put into place to ensure that network management staff cannot make such changes. Finally, real-time terminal displays are and have always been used to monitor the FRCS-SO network, and recently have been enhanced further. Hardcopy reports are used for archival purposes, not for network monitoring. Page 38 GAO/IMTEC-SO-14 Strengthen Oversight of Critical Banking Systems Apgendix IV kfajor Contributors to This Report Richard J. Hillman, Assistant Director Information William D. Hadesty, Technical Specialist Mbagement and Gregory P. Carroll, Evaluator Tebhnology Division, ce of the General nsel, Washington, Bernard D. Rashes, Evaluator-in-Charge NebvYork Regional Richard G. Schlitt, Supervisor Office Leslie K. Black, Evaluator David J. Deivert, Evaluator (610434) Page 39 GAO/IMTEGSO-14 Strengthen Oversight of Critical Banking Systems
Electronic Funds Transfer: Oversight of Critical Banking Systems Should Be Strengthened
Published by the Government Accountability Office on 1990-01-04.
Below is a raw (and likely hideous) rendition of the original report. (PDF)