2024 Audit of the Board's Information Security Program

View Report

Date Issued

Thursday, October 31, 2024

Submitting OIG

Federal Reserve Board & CFPB OIG

Other Participating OIGs

Federal Reserve Board & CFPB OIG

Agencies Reviewed/Investigated

Board of Governors of the Federal Reserve System

Report Number

2024-IT-B-020

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 9 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	Yes	$0	$0
Develop a supply chain risk management strategy that includes (a) a supply chain risk appetite and tolerance, (b) an enterprise supply chain risk management governance structure, and (c) supply chain risk assessment processes that include migration strategies or controls.
2	No	$0	$0
Document and implement a baseline review and escalation process for data loss prevention alerts.
3	No	$0	$0
Reinforce the requirements for identifying and documenting system interconnections as part of the Board’s training on its cyber risk management application and require all relevant individuals to take the training.
4	No	$0	$0
Evaluate and implement options to enforce the agency’s existing guidance related to identifying and documenting system interconnections.
5	No	$0	$0
Develop and implement a mobile application scanning program that includes a vulnerability scanning solution and process to identify and remediate vulnerabilities.
6	No	$0	$0
Ensure that the Board’s Incident Notification and Breach Response Plan is reviewed, tested and approved annually.
7	No	$0	$0
Develop and implement a role-based privacy training program.
8	No	$0	$0
Incorporate targeted phishing exercises into the Board’s security awareness and training program and processes.
9	No	$0	$0
Update the Board’s standard contract language in cloud service provider contracts to ensure that it is consistent with Federal Risk and Authorization Management Program’s Incident Communications Procedures incident reporting requirements.