Fannie Mae 2004 Annual Report Download - page 174

Download and view the complete annual report

Please find page 174 of the 2004 Fannie Mae annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 358

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196
  • 197
  • 198
  • 199
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216
  • 217
  • 218
  • 219
  • 220
  • 221
  • 222
  • 223
  • 224
  • 225
  • 226
  • 227
  • 228
  • 229
  • 230
  • 231
  • 232
  • 233
  • 234
  • 235
  • 236
  • 237
  • 238
  • 239
  • 240
  • 241
  • 242
  • 243
  • 244
  • 245
  • 246
  • 247
  • 248
  • 249
  • 250
  • 251
  • 252
  • 253
  • 254
  • 255
  • 256
  • 257
  • 258
  • 259
  • 260
  • 261
  • 262
  • 263
  • 264
  • 265
  • 266
  • 267
  • 268
  • 269
  • 270
  • 271
  • 272
  • 273
  • 274
  • 275
  • 276
  • 277
  • 278
  • 279
  • 280
  • 281
  • 282
  • 283
  • 284
  • 285
  • 286
  • 287
  • 288
  • 289
  • 290
  • 291
  • 292
  • 293
  • 294
  • 295
  • 296
  • 297
  • 298
  • 299
  • 300
  • 301
  • 302
  • 303
  • 304
  • 305
  • 306
  • 307
  • 308
  • 309
  • 310
  • 311
  • 312
  • 313
  • 314
  • 315
  • 316
  • 317
  • 318
  • 319
  • 320
  • 321
  • 322
  • 323
  • 324
  • 325
  • 326
  • 327
  • 328
  • 329
  • 330
  • 331
  • 332
  • 333
  • 334
  • 335
  • 336
  • 337
  • 338
  • 339
  • 340
  • 341
  • 342
  • 343
  • 344
  • 345
  • 346
  • 347
  • 348
  • 349
  • 350
  • 351
  • 352
  • 353
  • 354
  • 355
  • 356
  • 357
  • 358

Our security infrastructure is designed for the protection of sensitive information assets, and includes
sophisticated network defenses and software designed to prevent hackers, spam, virus, phishing and other
types of cyber attack, while our information security practices are intended to minimize risks due to process
failure or misuse. We employ several firms specializing in information security assessment to uncover control
gaps and risks to our information assets. We acknowledge the constant need to update and improve our
defenses in response to changes in the threat environment.
We continue to work to improve our information security program, with the implementation of additional
controls to protect our confidential data. These have included increased information security and privacy
assessment and monitoring within our business units, a multi-year effort to improve access management,
encryption of data on our employees’ computers, as well as improved tools to monitor and block information
loss from within our network, email and other communication systems.
Business Continuity and Crisis Management
Our Operational Risk Oversight function has established business continuity and crisis management policies
and programs, with execution of these programs implemented by our technology, operations, human resources
and facilities functions in concert with the business units that are responsible for the affected processes and
business applications. These policies and programs are designed to ensure that our critical business functions
continue to operate under emergency conditions.
We have installed redundant systems within each business critical system, as well as redundant systems in two
geographically separate data centers. These redundant systems are designed to provide continuity of operations
for up to one week without significant loss of service to constituents or significant loss of revenue. We also
have developed longer-term recovery plans. In addition, we have implemented strategies for access to critical
business systems by employees and staff, such as alternate work facilities in geographically diverse locations
for our back office and wire transfer functions. We have also established redundant communications systems
for external partners and customers. For staff functions that are considered most critical, such as cash wire
operations and securities settlements, we have instituted multi-site, simultaneous operations from three separate
locations. Dual-site market room activities are conducted on a quarterly basis for front office functions. We
recently successfully completed a disaster recovery test of critical operations using a recently constructed
alternate data center.
To enable recovery from large-scale, catastrophic events, we copy all production data to backup media on a
real-time or nightly basis. The data is transported and stored in multiple locations, including an offsite storage
facility located out of the region. In addition, a limited tertiary operating site is available out of the region.
The tertiary site complies with the sound practices established by the Federal Reserve Board, Office of the
Comptroller of the Currency, and the SEC for resiliency of key U.S. financial institutions, and is designed to
enable us to fulfill our critical obligations until automated processing is able to resume.
Our business continuity program is subject to regulatory review by OFHEO.
LIQUIDITY AND CAPITAL MANAGEMENT
Liquidity is essential to our business. We actively manage our liquidity and capital position with the objective
of preserving stable, reliable and cost-effective sources of cash to meet all of our current and future operating
financial commitments and regulatory capital requirements. We obtain the funds we need to operate our
business primarily from the proceeds we receive from the issuance of debt. We seek to maintain sufficient
excess liquidity in the event that factors, whether internal or external to our business, temporarily prevent us
from issuing debt in the capital markets.
Liquidity
Liquidity Risk Management
Liquidity risk is the risk to our earnings and capital that would arise from an inability to meet our cash
obligations in a timely manner. Because liquidity is essential to our business, we have adopted a comprehen-
sive liquidity risk policy that is designed to provide us with sufficient flexibility to address both liquidity
169