Fannie Mae 2005 Annual Report Download - page 153

Download and view the complete annual report

Please find page 153 of the 2005 Fannie Mae annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 324

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196
  • 197
  • 198
  • 199
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216
  • 217
  • 218
  • 219
  • 220
  • 221
  • 222
  • 223
  • 224
  • 225
  • 226
  • 227
  • 228
  • 229
  • 230
  • 231
  • 232
  • 233
  • 234
  • 235
  • 236
  • 237
  • 238
  • 239
  • 240
  • 241
  • 242
  • 243
  • 244
  • 245
  • 246
  • 247
  • 248
  • 249
  • 250
  • 251
  • 252
  • 253
  • 254
  • 255
  • 256
  • 257
  • 258
  • 259
  • 260
  • 261
  • 262
  • 263
  • 264
  • 265
  • 266
  • 267
  • 268
  • 269
  • 270
  • 271
  • 272
  • 273
  • 274
  • 275
  • 276
  • 277
  • 278
  • 279
  • 280
  • 281
  • 282
  • 283
  • 284
  • 285
  • 286
  • 287
  • 288
  • 289
  • 290
  • 291
  • 292
  • 293
  • 294
  • 295
  • 296
  • 297
  • 298
  • 299
  • 300
  • 301
  • 302
  • 303
  • 304
  • 305
  • 306
  • 307
  • 308
  • 309
  • 310
  • 311
  • 312
  • 313
  • 314
  • 315
  • 316
  • 317
  • 318
  • 319
  • 320
  • 321
  • 322
  • 323
  • 324

Information Security
Recognizing the importance and sensitivity of our information assets, we have established an information
security program designed to protect the security and privacy of confidential information, including non-public
personal information and sensitive business data. Our current information security program was launched in
late 2003 to address acknowledged industry-wide security concerns in areas such as access management,
change management, secure application development and system monitoring.
Our security infrastructure is designed for the protection of sensitive information assets, and includes
sophisticated network defenses and software designed to prevent hackers, spam, virus, phishing and other
types of cyber attack, while our information security practices are intended to minimize risks due to process
failure or misuse. We employ several firms specializing in information security assessment to uncover control
gaps and risks to our information assets. We acknowledge the constant need to update and improve our
defenses in response to changes in the threat environment.
We continue to work to improve our information security program, with the implementation of additional
controls to protect our confidential data. These have included increased information security and privacy
assessment and monitoring within our business units, a multi-year effort to improve access management,
encryption of data on our employees’ computers, as well as improved tools to monitor and block information
loss from within our network, email and other communication systems.
Business Continuity and Crisis Management
Our ORO function has established business continuity and crisis management policies and programs, with
execution of these programs implemented by our technology, operations, human resources and facilities
functions in concert with the business units that are responsible for the affected processes and business
applications. These policies and programs are designed to ensure that our critical business functions continue
to operate under emergency conditions. Our business continuity program is subject to regulatory review by
OFHEO.
We have installed redundant systems within each business critical system, as well as redundant systems in two
geographically separate data centers. These redundant systems are designed to provide continuity of operations
for up to one week without significant loss of service to constituents or significant loss of revenue. We also
have developed longer-term recovery plans. In addition, we have implemented strategies for access to critical
business systems by employees and staff, such as alternate work facilities in geographically diverse locations
for our back office and wire transfer functions. We have also established redundant communications systems
for external partners and customers. For staff functions that are considered most critical, such as cash wire
operations and securities settlements, we have instituted multi-site, simultaneous operations from three separate
locations. Dual-site market room activities are conducted on a quarterly basis for front office functions. We
recently successfully completed a disaster recovery test of critical operations using a recently constructed
alternate data center.
To enable recovery from large-scale, catastrophic events, we copy all production data to backup media on a
real-time or nightly basis. The data is transported and stored in multiple locations, including an offsite storage
facility located out of the region. In addition, a limited tertiary operating site is available out of the region.
The tertiary site complies with the sound practices established by the Federal Reserve Board, Office of the
Comptroller of the Currency, and the SEC for resiliency of key U.S. financial institutions, and is designed to
enable us to fulfill our critical obligations until automated processing is able to resume.
LIQUIDITY AND CAPITAL MANAGEMENT
Liquidity is essential to our business. We actively manage our liquidity and capital position with the objective
of preserving stable, reliable and cost-effective sources of cash to meet all of our current and future operating
financial commitments and regulatory capital requirements. We obtain the funds we need to operate our
business primarily from the proceeds we receive from the issuance of debt. We seek to maintain sufficient
excess liquidity in the event that factors, whether internal or external to our business, temporarily prevent us
from issuing debt in the capital markets.
148