Over recent months, there has been a spike in lost and stolen laptops from various business organizations and government agencies in the U.S. Even with heightened awareness and stricter security regulations, the number of these incidents continues to grow, and the Federal Reserve System (Federal Reserve) remains dedicated to ensuring the highest level of information security. This article will outline the information security infrastructure employed by the Federal Reserve to protect its extremely sensitive and confidential information from being compromised.
Section 501(b) of the Gramm-Leach-Bliley Act requires financial institutions to establish appropriate standards for administrative, technical, and physical safeguards for customer records and information. The Federal Reserve employs a comprehensive security program, which is detailed below.
Our information security program begins with employee education. All Federal Reserve employees are required to complete an annual information security awareness session to ensure that they are familiar with all policies and procedures. Security reminders are sent to employees periodically throughout the year in order to remind them of the importance of information security.
All software used throughout the Federal Reserve must go through a risk management assessment process. During this process, any potential weaknesses are identified, and necessary mitigating controls are implemented prior to the software being pushed into the production environment. Also, new hardware must go through a similar process to minimize the risk exposure.
While these processes ensure that information is secure at the user and equipment levels, additional processes and technologies are in place for virus protection and the prevention of unauthorized access. The Federal Reserve has a standard process to classify information in both digital and physical formats, and data must be handled according to their classification. A complex technical security architecture is in place to safeguard Federal Reserve digital assets. All computers are protected with antivirus software; because each known virus carries a distinctive signature, the signature file is updated frequently to protect against the latest threats. Finally, an automated process distributes these updates to all computers on a weekly basis.
The Federal Reserve also requires that a personal firewall be installed on all laptop computers. A firewall, which acts as a barrier to prevent unauthorized access to a computer or network, can be software, hardware, or a combination of both. Firewalls at the Federal Reserve are "locked down" to ensure that none of the settings can be changed and, most importantly, that they cannot be disabled.
Aside from the threat of stolen property, unauthorized access and hacking are also major threats to data security. To safeguard the data stored on a laptop's hard disk, the Federal Reserve utilizes hard disk encryption, which uses a 256-bit triple DES encryption key, making it virtually impossible for anyone to break in and access the data. More importantly, the entire disk is encrypted, so users can be assured that all data saved to the disk are protected. Finally, our hard disk encryption solution uses dual-factor authentication both to start the operating system and to provide access to the data.
Data transfer and remote access are also sensitive areas in information security. The Federal Reserve currently uses a dual-factor authentication process for remote access through a virtual private network (VPN). A VPN is a private, secure network carried over the public telecommunications network, with access to the data restricted to those authorized to use the private network. To further strengthen secure access to its systems, the Federal Reserve is moving to a dual-factor authentication process for all users who want to access the operating system and network.
This layered approach provides the highest level of information security, and it is enacted throughout the Federal Reserve. Our infrastructure begins with a comprehensive information security program that specifies policies, procedures, and user awareness. A complex technical security architecture composed of hardware and software, combined with secure data transfer, broadens our efforts to preserve the confidentiality of the sensitive information we process and manage daily.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.