The Bureau of Public Debt, an organization within the Fiscal Service of the Treasury Department, recently received a passing grade on the nuts and bolts of its financial reporting, but fell slightly short in the area of information security.

A recent Government Accountability Office report says BPD's IT deficiencies aren't "significant," but the problems do "warrant BPD management's attention and action." Financial reporting systems are not at significant risk, despite deficiencies, because they have been mitigated by physical security measures and compensating controls designed to detect potential misstatements in the Schedule of Federal Debt, said the report.

GAO's audit for 2009 identified seven new general information security control deficiencies, including five control deficiencies related to logical access controls and two control deficiencies related to configuration management.

BPD's financial reporting system is complex. It depends on several interconnected financial systems and electronic data, securities and money processing. Federal Reserve Banks are part of that electronic-transaction network and while the recent GAO audit looked at some of the controls handled by FRBs on behalf of BPD, the audit committee will be issuing another report to the Board of Governors of the Federal Reserve System on the results of a more focused investigation on FRBs.

"BPD has made significant progress in addressing open information security control" says the GAO report, "and while actions are still needed in three control areas, it has corrective actions underway or planned."

For more:
- read the GAO report (.pdf)

Related Articles:
IRS cybersecurity weak
GAO: DoD loses track of 72,000 combat records
GAO: Cybersecurity flaws at Los Alamos lab