Office of Inspector General
Security Control Review of the Aon Hewitt Employee Benefits System
To evaluate the security controls and techniques of the information systems of the Board of Governors of the Federal Reserve System (Board), the Office of Inspector General reviews controls over Board applications on an ongoing basis. Consistent with the requirements of the Federal Information Security Management Act of 2002 (FISMA), we conducted a security control review of the Aon Hewitt Employee Benefits System (Aon Hewitt system). The Aon Hewitt system provides Board and Federal Reserve Bank staff with the ability to view and manage their employee benefits information through the Internet, and it stores sensitive personally identifiable, health, and financial information. The Aon Hewitt system is listed on the Board’s FISMA inventory as a contractor-operated system, and the Board’s Management Division has overall responsibility for ensuring that Board data in the system meet FISMA requirements.
Our audit objective was to evaluate the adequacy of selected security controls for protecting Board data in the Aon Hewitt system from unauthorized access, modification, destruction, or disclosure. To accomplish this objective, we used a control assessment review program based on the security controls defined in National Institute of Standards and Technology Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems. This document provides a baseline of managerial, operational, and technical security controls for organizations to use in protecting their information systems.
Overall, our review found that a number of actions have been taken to secure the Aon Hewitt system. However, we found that improvements are needed to ensure that the requirements of the Board’s Information Security Program are met. In comments to our draft report, the Chief Operating Officer and Director of the Management Division agreed that the report recommendations represent best information security practices that are consistent with the Board’s Information Security Program, and he outlined actions that have been taken, are underway, and are planned to strengthen security controls for the Aon Hewitt system. We will follow up on the implementation of these recommendations as part of our future FISMA-related audit activities. Given the sensitivity of information security review work, our reports in this area are generally restricted. Such is the case for this audit report.