This is the accessible text file for GAO report number GAO-04-630 
entitled 'Information Security: Information System Controls at the 
Federal Deposit Insurance Corporation' which was released on May 28, 
2004.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Report to the Board of Directors, Federal Deposit Insurance 
Corporation: 

May 2004: 

Information Security: 

Information System Controls at the Federal Deposit Insurance 
Corporation: 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-630]: 

GAO Highlights: 

Highlights of GAO-04-630, a report to the Board of Directors, Federal 
Deposit Insurance Corporation 

Why GAO Did This Study: 

Effective controls over information systems are essential to ensuring 
the protection of financial and personnel information and the security 
and reliability of bank examination data maintained by the Federal 
Deposit Insurance Corporation (FDIC). As part of our calendar year 2003 
financial statement audits of three FDIC Funds, GAO assessed the 
effectiveness of the corporation’s general controls on its information 
systems. Our assessment included follow up on the progress that FDIC 
has made in correcting or mitigating computer security weaknesses 
identified in our audits for calendar years 2001 and 2002. 

What GAO Found: 

FDIC has made significant progress in correcting prior year information 
security weaknesses. The corporation addressed almost all the computer 
security weaknesses we previously identified in our audits for calendar 
years 2001 and 2002 (see figure). Nonetheless, testing in our calendar 
year 2003 audit identified additional computer control weaknesses in 
FDIC’s information systems. These weaknesses place critical FDIC 
financial and sensitive examination information at risk of unauthorized 
disclosure, disruption of operations, or loss of assets.

A key reason for FDIC’s continuing weaknesses in information system 
controls is that it has not yet fully established a comprehensive 
security management program to ensure that effective controls are 
established and maintained and that information security receives 
significant management attention. The corporation only recently 
established a program to test and evaluate its computer control 
environment, and this program does not yet include adequate provisions 
to ensure that (1) all key computer resources supporting FDIC’s 
financial environment are routinely reviewed and tested, (2) weaknesses 
detected are analyzed for systemic solutions, (3) corrective actions 
are independently tested, and (4) newly identified weaknesses or 
emerging security threats are incorporated into the test and evaluation 
process. 

FDIC Progress in Implementing GAO Recommendations: 

[See PDF for image]

[End of figure]

What GAO Recommends: 

www.gao.gov/cgi-bin/getrpt?GAO-04-630.

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Robert F. Dacey at (202) 
512-3317 or daceyr@gao.gov.

[End of section]

Contents: 

Letter: 

Results in Brief: 

Background: 

Objective, Scope, and Methodology: 

Improvements Were Made in Correcting Prior Year Weaknesses, but Systems 
Remain Vulnerable: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments: 

Appendixes: 

Appendix I: Comments from the Federal Deposit Insurance Corporation: 

Appendix II: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Staff Acknowledgments: 

CFO: Chief Financial Officer: 

CIO: Chief Information Officer: 

FDIC: Federal Deposit Insurance Corporation: 

FISMA: Federal Information Security Management Act: 

FSLIC: Federal Savings and Loan Insurance Corporation: 

ID: identification: 

IDS: intrusion-detection system: 

Letter May 28, 2004: 

To the Board of Directors, Federal Deposit Insurance Corporation: 

As part of our calendar year 2003 financial statement audits of the 
Federal Deposit Insurance Corporation's (FDIC) Bank Insurance Fund, 
Savings Association Fund, and FSLIC (Federal Savings and Loan Insurance 
Corporation) Resolution Fund,[Footnote 1] we assessed the effectiveness 
of the corporation's information system general controls.[Footnote 2] 
Our assessment included follow-up on the progress that FDIC has made in 
correcting or mitigating computer security weaknesses identified in our 
audits for calendar years 2001[Footnote 3] and 2002.[Footnote 4] Effective 
information system controls are essential to ensuring that financial 
information is adequately protected from inadvertent or deliberate 
misuse, fraudulent use, improper disclosure, or destruction. Such 
controls also affect the security and reliability of nonfinancial 
information maintained by FDIC such as personnel and bank examination 
information.

This report summarizes weaknesses in information system controls over 
FDIC's computer systems. Because of the significance of these 
weaknesses, we reported information system controls as a reportable 
condition[Footnote 5] in FDIC's financial statements audit report for 
calendar year 2003.[Footnote 6] We are also issuing a report designated 
for "Limited Official Use Only," which describes in more detail the 
computer security weaknesses identified and offers specific 
recommendations for correcting them.

We performed our review at FDIC headquarters in Washington, D.C., and 
at its computer facility in Arlington, Virginia, from September 2003 
through January 2004. Our review was performed in accordance with U.S. 
generally accepted government auditing standards.

Results in Brief: 

Although FDIC has made significant progress in correcting prior year 
information security weaknesses, systems still remain vulnerable due to 
weaknesses in information system general controls. FDIC addressed 
almost all of the computer security weaknesses we previously identified 
in our audits for calendar years 2001 and 2002 and has taken other 
steps to improve security since last year's audit. Nonetheless, testing 
in our calendar year 2003 audit identified additional computer control 
weaknesses in the corporation's information systems. Specifically, FDIC 
had not adequately limited the access granted to all authorized users 
or completely secured access to its network. The risk created by these 
access weaknesses was heightened because FDIC had not completed a 
program to fully monitor access activity to identify and investigate 
unusual or suspicious access patterns that could indicate unauthorized 
access. As a result, critical financial and sensitive personnel and 
bank examination information was at risk of unauthorized disclosure, 
disruption of operations, or loss of assets.

A key reason for FDIC's continuing weaknesses in information system 
controls is that it had not yet fully established a comprehensive 
security management program to ensure that effective controls are 
established. An effective program includes a central security function 
that assesses risk, establishes appropriate policies and related 
controls, raises awareness of prevailing risks, and routinely tests and 
evaluates the effectiveness of established controls. FDIC made 
substantial progress during the past year in establishing key elements 
of a security program, including strengthening its security management 
structure, updating security policies and procedures, enhancing 
security awareness training, and implementing a risk assessment 
program. However, it only recently established a program to test and 
evaluate its computer control environment, and this program does not 
yet address all key areas. Specifically, the program does not include 
adequate provisions to ensure that (1) all key computer resources 
supporting FDIC's financial environment are routinely reviewed and 
tested, (2) weaknesses detected are analyzed for systemic solutions, 
(3) corrective actions are independently tested, and (4) newly 
identified weaknesses or emerging security threats are incorporated 
into the test and evaluation process.

We are making a recommendation to fully establish a comprehensive 
computer security management program to strengthen the testing and 
evaluation element of FDIC's program. In a separate report designated 
"Limited Official Use Only," we are making recommendations to correct 
the specific weaknesses identified during our review.

In providing written comments on a draft of this report, FDIC's Chief 
Financial Officer agreed with our recommendations. He reported that 
FDIC plans to address the identified weaknesses and that significant 
progress has already been made.

Background: 

Congress created FDIC in 1933 to restore and maintain public confidence 
in the nation's banking system. The Financial Institutions Reform, 
Recovery, and Enforcement Act of 1989 sought to reform, recapitalize, 
and consolidate the federal deposit insurance system. The act created 
the Bank Insurance Fund and the Savings Association Insurance Fund, 
both of which are responsible for protecting insured bank and thrift 
depositors, respectively, from loss due to institutional failures. The 
act also created the FSLIC Resolution Fund to complete the affairs of 
the former FSLIC and liquidate the assets and liabilities transferred 
from the former Resolution Trust Corporation. It also designated FDIC 
as the administrator of these funds. As part of this function, FDIC has 
an examination and supervision program to monitor the safety of 
deposits held in member institutions.

FDIC insures deposits in excess of $3.3 trillion for about 9,200 
institutions. Together, the three funds have about $49.5 billion in 
assets. FDIC had a budget of about $1.1 billion for calendar year 2003 
to support its activities in managing the three funds. For that year, 
it processed more than 2.6 million financial transactions.

FDIC relies extensively on computerized systems to support its 
financial operations and store the sensitive information it collects. 
Its local and wide area networks interconnect these systems. To support 
its financial management functions, it relies on several financial 
systems to process and track financial transactions that include 
premiums paid by its member institutions and disbursements made to 
support operations. In addition, FDIC uses other systems that maintain 
personnel information for its employees, examination data for financial 
institutions, and legal information on closed institutions. At the time 
of our review, about 6,300 individuals were authorized to use FDIC's 
systems. FDIC's chief information officer (CIO) is the corporation's 
key official for computer security. The CIO is responsible for 
establishing, implementing, and overseeing a corporatewide information 
security program.

Information security is a critical consideration for any organization 
that depends on information systems and networks to carry out its 
mission or business. Without proper safeguards, there is enormous risk 
that individuals and groups with malicious intent may intrude into 
inadequately protected systems and use this access to obtain sensitive 
information, commit fraud, disrupt operations, or launch attacks 
against other computer systems and networks.

We have reported information security as a governmentwide high-risk 
area since February 1997.[Footnote 7] Our previous reports, and those 
of agency inspectors general, describe persistent information security 
weaknesses that place a variety of federal operations, including those 
at FDIC, at risk of disruption, fraud, and inappropriate disclosure.

Congress and the executive branch have taken actions to address the 
risks associated with persistent information security weaknesses. In 
December 2002, the Federal Information Security Management Act (FISMA), 
which is intended to strengthen information security, was enacted as 
Title III of the E-Government Act of 2002.[Footnote 8] In addition, the 
administration undertook important actions to improve security, such as 
integrating information security into the President's Management Agenda 
Scorecard. Moreover, the Office of Management and Budget and the 
National Institute of Standards and Technology have issued security 
guidance to agencies.

Objective, Scope, and Methodology: 

The objective of our review was to assess the effectiveness of FDIC's 
information system general controls, including the progress the 
corporation had made in correcting or mitigating weaknesses reported in 
our financial statement audits for calendar years 2001[Footnote 9] and 
2002.[Footnote 10] Our evaluation was based on (1) our Federal 
Information System Controls Audit Manual,[Footnote 11] which contains 
guidance for reviewing information system controls that affect the 
integrity, confidentiality, and availability of computerized data, and 
(2) our May 1998 report on security management best practices[Footnote 
12] at leading organizations, which identifies key elements of an 
effective information security program.

Specifically, we evaluated information system controls intended to: 

* protect data and software from unauthorized access;

* prevent the introduction of unauthorized changes to application and 
system software;

* provide segregation of duties involving application programming, 
system programming, computer operations, information security, and 
quality assurance;

* ensure recovery of computer process operations in case of disaster or 
other unexpected interruption; and: 

* ensure an adequate information security program.

To evaluate these controls, we identified and reviewed pertinent FDIC 
security policies and procedures, and conducted tests and observations 
of controls in operation. In addition, we reviewed FDIC's corrective 
actions taken to address vulnerabilities identified in our audits for 
calendar years 2001 and 2002.

Improvements Were Made in Correcting Prior Year Weaknesses, but Systems 
Remain Vulnerable: 

In 2001[Footnote 13] and again in 2002,[Footnote 14] we reported 
computer security weaknesses at FDIC, including specific weaknesses 
related to mainframe and network security, physical access, application 
change control, and service continuity. These weaknesses placed 
critical corporation operations at risk of misuse and disruption. 
Although FDIC has made significant progress in correcting these 
weaknesses and has taken other steps to improve security, our testing 
in our calendar year 2003 audit identified additional control 
weaknesses. Specifically, FDIC had not adequately limited the access 
granted to all authorized users or completely secured access to its 
network. Further, FDIC had not yet completed a program to fully monitor 
user activities for unusual or suspicious patterns that could indicate 
unauthorized access. As a result, critical FDIC financial and sensitive 
personnel and bank examination information was at risk of unauthorized 
disclosure, disruption of operations, or loss of assets--possibly 
without detection. A key reason for FDIC's weaknesses is that it had 
not yet fully implemented a comprehensive security management program.

FDIC Has Taken Action to Correct Prior Year Weaknesses and Improve 
Security: 

FDIC has made significant progress in correcting previously identified 
information security weaknesses. FDIC took action to address current 
and prior year weaknesses, including completing action on (1) the 
22[Footnote 15] weaknesses that remained open from our 2001 
audit[Footnote 16] and (2) 28 of the 29 weaknesses from our 2002 
audit.[Footnote 17] Specifically, FDIC: 

* reduced user access to sensitive program libraries and critical 
financial and sensitive data,

* strengthened security over certain network platforms,

* expanded its application software change control procedures to 
include all software changes,

* developed and implemented disaster recovery plans for all its major 
systems and incorporated unannounced testing procedures into its 
service continuity process, and: 

* enhanced system software change control processes.

In addition to responding to previously identified weaknesses, FDIC 
established several other computer controls to enhance its information 
security. For example, it established procedures for securing new 
remote access and private network services. In addition, it 
strengthened security procedures over its system that handles large 
files submitted to FDIC by banking institutions. Further, FDIC 
initiated reviews of its network infrastructure as a precursor to 
establishing an ongoing program of tests and evaluations of its 
computer environment.

Access Authority Was Not Appropriately Limited for All Users: 

A basic management control objective for any organization is to protect 
data supporting its critical operations from unauthorized access, which 
could lead to improper modification, disclosure, or deletion. 
Organizations can protect this critical information by granting 
employees the authority to read or modify only those programs and data 
that they need to perform their duties and by periodically reviewing 
access granted to ensure it is appropriate. Effective access controls 
should be designed to restrict access to computer programs and data and 
prevent and detect unauthorized access. These controls include 
assigning user access rights and permissions and ensuring that access 
remains appropriate on the basis of job responsibilities.

Although FDIC restricted access to certain data and programs on its 
systems, we identified instances in which access to sensitive data and 
programs had not been sufficiently restricted. For example: 

* Many users had unnecessary access to production systems that include 
financial and bank information. These users were inadvertently granted 
access to the systems, which could allow them to gain access to 
critical financial management information. This vulnerability was 
further heightened because an undetermined number of the users were 
system developers. These developers have detailed knowledge of the 
systems' processing functions, knowledge that could allow them to 
improperly add, alter, or delete critical financial and sensitive 
information or programs--possibly without detection.

* A large number of users had access that allowed them to read a 
powerful user identification (ID) and password used to transfer data 
among FDIC production computer systems. With this ID and password, the 
users could gain unauthorized access to financial and sensitive 
corporation information--possibly without detection.

* FDIC did not adequately restrict users from viewing sensitive 
information. For example, all network users had unrestricted read 
access to sensitive bank information. Failure to adequately control 
access to this type of information could result in users gaining 
unauthorized access to privileged information.

Although FDIC has initiated actions to correct these weaknesses, the 
access vulnerabilities continue because the corporation has not yet 
fully established a process for reviewing the appropriateness of 
individual access privileges. Specifically, FDIC's process did not 
include a comprehensive method for identifying and reviewing all access 
rights granted to any one user. Such reviews would have allowed FDIC to 
identify and correct inappropriate access.

In response, FDIC said that it has since taken steps to restrict access 
to critical financial data and programs and related sensitive 
information. Further, the corporation stated that it enhanced its 
process for identifying and reviewing user access granted and was 
establishing a policy that will require quarterly reviews of users with 
broad access privileges.
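As an added illustration of the consolidated access review the report says FDIC lacked (this is example code, not FDIC's or GAO's), the script below aggregates the rights granted to each user across systems and flags the patterns described above: developers with production access, users who can read a shared data-transfer credential, sensitive data readable by every network user, and broadly privileged users to be listed for a quarterly review. All users, systems, resources, groups and classifications are constructed sample data.

```python
"""Consolidated user-access review (added illustration, not FDIC's or GAO's tooling).

Aggregates the access rights granted to each user across several systems and
flags the kinds of inappropriate access the report describes. Every record,
name and classification below is constructed sample data.
"""
from collections import defaultdict

# Constructed HR roster: user -> job role (hypothetical roles).
ROSTER = {
    "alice": "accountant",
    "bob": "developer",
    "carol": "examiner",
    "dave": "developer",
    "erin": "network-admin",
}

# Constructed entitlement export from several systems:
# (system, resource, principal, permission).
# "ALL-NETWORK-USERS" is a hypothetical group every network account belongs to.
ENTITLEMENTS = [
    ("prod-financial", "premium-ledger", "alice", "read"),
    ("prod-financial", "premium-ledger", "bob", "write"),       # developer in production
    ("prod-financial", "premium-ledger", "dave", "read"),       # developer in production
    ("mainframe", "xfer-credential-dataset", "alice", "read"),  # shared transfer ID/password
    ("mainframe", "xfer-credential-dataset", "erin", "read"),
    ("mainframe", "xfer-credential-dataset", "carol", "read"),
    ("file-share", "bank-exam-reports", "ALL-NETWORK-USERS", "read"),
    ("file-share", "bank-exam-reports", "carol", "write"),
    ("network", "router-config", "erin", "admin"),
    ("dev-financial", "premium-ledger-dev", "bob", "write"),
    ("dev-financial", "premium-ledger-dev", "dave", "write"),
]

# Constructed classification of resources and systems.
RESOURCE_CLASS = {
    "xfer-credential-dataset": "credential",
    "bank-exam-reports": "sensitive",
    "premium-ledger": "financial",
    "router-config": "sensitive",
}
PRODUCTION_SYSTEMS = {"prod-financial", "mainframe", "network"}
BROAD_GROUPS = {"ALL-NETWORK-USERS"}
CREDENTIAL_OWNERS = {"erin"}    # hypothetical: the only approved reader of the transfer credential
BROAD_ACCESS_THRESHOLD = 3      # production grants that put a user on the quarterly review list


def consolidate(entitlements):
    """Return principal -> list of (system, resource, permission) across all systems."""
    by_user = defaultdict(list)
    for system, resource, principal, permission in entitlements:
        by_user[principal].append((system, resource, permission))
    return dict(by_user)


def review(entitlements, roster):
    """Return sorted findings (kind, principal, system, resource) for inappropriate access."""
    findings = []
    for principal, grants in consolidate(entitlements).items():
        role = roster.get(principal)
        if principal in BROAD_GROUPS:
            # Sensitive or credential data readable by everyone on the network.
            for system, resource, _perm in grants:
                if RESOURCE_CLASS.get(resource) in {"sensitive", "credential"}:
                    findings.append(("broad-group-access", principal, system, resource))
            continue
        prod_grants = [g for g in grants if g[0] in PRODUCTION_SYSTEMS]
        for system, resource, _perm in prod_grants:
            if role == "developer" and RESOURCE_CLASS.get(resource) == "financial":
                findings.append(("developer-production-access", principal, system, resource))
            if RESOURCE_CLASS.get(resource) == "credential" and principal not in CREDENTIAL_OWNERS:
                findings.append(("credential-readable", principal, system, resource))
        # Broad privileges: many production grants or any administrative right.
        if len(prod_grants) >= BROAD_ACCESS_THRESHOLD or any(g[2] == "admin" for g in prod_grants):
            findings.append(("quarterly-review", principal, "", ""))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(ENTITLEMENTS, ROSTER):
        print(*finding)
```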

Network Security Improved, but Some Weaknesses Continue: 

A network is a series of interconnected devices and software that allows 
individuals to share data and computer programs. Because sensitive 
programs and data are stored on and transmitted along networks, 
effectively securing networks is essential for protecting computing 
resources and data from unauthorized access, manipulation, and use. 
Organizations can secure their networks, in part, by limiting the 
services that are available on the network and by installing and 
configuring network devices that permit authorized network service 
requests and deny unauthorized requests. Network devices include (1) 
firewalls designed to prevent unauthorized access into the network, (2) 
routers that filter and forward data along the network, (3) switches 
that filter and forward information among parts of a network, and (4) 
servers that host applications and data. Insecurely configured network 
services and devices can make a system vulnerable to internal or 
external threats, such as hackers, cyberterrorist groups, and 
denial-of-service attacks. Since networks provide the entry point for 
access to electronic information assets, failure to secure them 
increases the risk of the unauthorized use of sensitive data and systems.

FDIC continued to take steps to secure its network through enhancements 
to its firewall and specific network platforms. Further, it established 
processes to strengthen the security of its local area network and 
password management. In addition, FDIC initiated a testing cycle to 
review the effectiveness of information system controls for specific 
network resources. Nonetheless, we identified weaknesses in the way 
that FDIC managed network services, controlled network connectivity, 
and maintained network software, as the following examples demonstrate.

* A network service was not configured to restrict access to sensitive 
network resources. As a result, anyone--including contractors--with 
access to the FDIC network could copy or modify configuration files 
containing control information such as access control lists. With the 
ability to read, copy, or modify these files, an intruder could disable 
or disrupt network operations by taking control of sensitive and 
critical network resources.

* Access connectivity to critical network resources was not adequately 
restricted. With connectivity to these key resources, an unauthorized 
user could attempt to exploit network vulnerabilities and gain control 
of key segments of the network.

* Certain network connections to off-site locations were not adequately 
controlled. These connections are essential to securing operations of 
the network they serve. Ineffectively secured network connections could 
expose the internal network to unauthorized access and make it easier 
for this access to go undetected.

Further, FDIC did not consistently secure its network against known 
software vulnerabilities or minimize the operational impact of 
potential failure in a critical network device. Failure to address 
known vulnerabilities increases the risk of system compromise, such as 
unauthorized access to and manipulation of sensitive system data, 
disruption of services, and denial of service.

In responding to our findings, FDIC's CIO said that the corporation had 
taken steps to improve network security. Specifically, he said that 
FDIC had reconfigured network resources to restrict access, made 
software modifications to secure against known vulnerabilities, and 
established a process for assessing contractor connectivity 
requirements.

Program to Fully Monitor Access Was Not Complete: 

The risks created by these access and network security weaknesses were 
heightened because FDIC had not yet completed a program to fully 
monitor user activities. Such a program to monitor access would include 
routinely reviewing user access activity and investigating failed 
attempts to access sensitive data and resources, as well as unusual and 
suspicious patterns of successful access to sensitive data and 
resources.

To effectively monitor user access, it is critical that logs of user 
activity be maintained for all critical processing activities. This 
includes collecting and monitoring activities on all critical systems, 
including mainframes, network servers, and routers. A comprehensive 
monitoring program should include an intrusion-detection system (IDS) 
that monitors all key network resources and automatically logs unusual 
activity, provides necessary alerts, and terminates access. Further, to 
safeguard IDS operations and the access information it collects, the 
duties and responsibilities of staff assigned to the monitoring program 
should be adequately segregated.

Although FDIC has made progress in developing systems to identify 
unauthorized or suspicious access activities for both its mainframe and 
network systems, its program as implemented does not fully monitor for 
such activities. As a result, there are weaknesses in FDIC's monitoring 
program that could result in significant breaches to its computer 
security environment. For example, the network IDS did not monitor all 
network traffic originating from certain locations. Further, certain 
network resources were not configured to monitor network traffic, which 
lessens the corporation's ability to identify anomalies. In addition, 
responsibilities for operating the IDS were not appropriately 
segregated. For example, the corporation assigned the responsibilities 
for design, implementation, and maintenance to one individual. By 
assigning these functions to one person, it did not adequately ensure a 
system of checks and balances. Thus, FDIC is at risk that its program 
designed to monitor access activities for unusual or suspicious 
activities could be altered to allow unauthorized system actions that 
could go undetected.

In response to our findings, FDIC's CIO said that the corporation had 
developed and begun implementation of a monitoring strategy for 
information technology security. This includes monitoring, event 
correlations, and incident identification and response. Further, the 
corporation plans to hire additional staff to allow it to segregate 
responsibilities for operating the IDS.

Substantial Progress Was Made in Implementing a Computer Security 
Program, but a Key Element Was Incomplete: 

A key reason for FDIC's continuing weaknesses in information system 
controls is that it has not yet fully established a comprehensive 
security management program to ensure that effective controls are 
established and maintained and that information security receives 
significant management attention. Our May 1998 study[Footnote 18] of 
security management best practices determined that a comprehensive 
information security management program is essential to ensuring that 
information system controls work effectively on a continuing basis. The 
recently enacted FISMA, consistent with our study, describes certain 
key elements of a comprehensive information security management 
program. These elements include: 

* a central security management structure to provide overall security 
policy and guidance along with oversight to ensure compliance with 
established policies and reviews of the effectiveness of the security 
environment;

* policies and procedures that (1) are based on risk assessments, (2) 
cost-effectively reduce risks, (3) ensure that information security is 
addressed throughout the life cycle of each system, and (4) ensure 
compliance with applicable requirements;

* security awareness training to inform personnel, including 
contractors and other users of information systems, about information 
security risks and the responsibilities of these individuals in 
complying with agency policies and procedures;

* periodic assessments of the risk and magnitude of the harm that could 
result from unauthorized access, use, disclosure, disruption, 
modification, or destruction of information and information systems; 
and: 

* periodic testing and evaluation of the effectiveness of information 
security policies, procedures, and practices--to be performed with a 
frequency depending on risk, but no less than annually--that include 
testing of management, operational, and technical controls of major 
information systems.

During the past year, FDIC made substantial progress in establishing a 
comprehensive computer security management program. As discussed below, 
FDIC has (1) strengthened its central security management structure, 
(2) updated its security policies and procedures, (3) enhanced its 
security awareness training, and (4) developed a risk assessment 
program.

* Central security management structure. FDIC strengthened 
accountability and authority for its previously established central 
security management function by appointing a permanent CIO who reports 
directly to the chairman. Further, FDIC realigned its security 
management function so that it reports directly to the CIO. Also, FDIC 
provided additional staff management resources to oversee its 
certification and accreditation process, system test and evaluation 
program, computer security incident response team activities, and 
firewall administration. Additionally, other staff resources were added 
to maintain and enhance security policies and procedures and provide 
oversight to the corporation's newly established risk assessment and 
test and evaluation programs.

* Security policies and procedures. FDIC enhanced its overall security 
policies covering network security, computer center access, mainframe 
controls, and security management. For example, it developed new 
policies covering controls for the use of wireless networks and 
requirements for patch management. In addition, it developed network 
security procedures to ensure compliance with policy on the use of 
default vendor accounts, restrictions on network services, and 
adherence to network password standards. Further, FDIC strengthened its 
policies on requesting and granting access to its computer center and 
provided updated requirements to address weaknesses in its 
configuration management procedures for financial system changes. Also, 
the corporation issued new policies on performing risk assessments of 
its security program and information systems.

* Security awareness training. FDIC enhanced its current security 
awareness program for employees and contractors. Specifically, it 
updated the program to reflect FISMA security requirements, new 
policies and procedures developed to mitigate newly identified security 
risks, and discussions of internal threats. The corporation also 
developed specialized security awareness training to address the needs 
of selected technical staff and enhanced its reporting process to 
ensure that all security awareness training is reported.

* Risk assessments. Recently, FDIC developed a framework for assessing 
and managing risk on a continuing basis. This framework specifies (1) 
how the assessments should be initiated and conducted, (2) who should 
participate in the assessment, (3) how disagreements should be 
resolved, (4) what approvals are needed, and (5) how these assessments 
should be documented and maintained. At the completion of our audit, 
the corporation had performed risk assessments on all of its major 
systems.

Although FDIC has made substantial progress in each of the elements 
discussed above, it only recently established a program to test and 
evaluate its computer control environment, but this program was 
incomplete. Test and evaluation is a key element of an information 
security program that includes ongoing reviews, tests, and evaluations 
of information security to ensure that systems are in compliance with 
policies and procedures and to identify and correct weaknesses that may 
occur. FDIC began implementing this program during 2003. In October 
2003, the corporation used a contractor to (1) develop a self-
assessment process that includes annual general and application control 
reviews and (2) begin to perform ongoing quarterly tests of its 
systems. Still, FDIC's test and evaluation program does not address all 
key areas. Specifically, the program does not include the following 
provisions.

* All key computer resources supporting FDIC's financial systems are 
routinely reviewed and tested, as appropriate. FISMA requires agencies 
to develop, document, and implement an agencywide information security 
program that includes routine security reviews of key computer 
resources supporting critical information systems, such as those 
supporting the corporation's financial systems. These reviews should 
include those managed by other agencies or contractors. Although it 
initiated a program of tests and evaluations, this program did not yet 
address all key computer resources. For example, FDIC relies 
extensively on contractors to support its financial systems, and 
accordingly, provides them with connections and access to its internal 
network. Yet, during the past 2 years, the corporation has performed 
only limited security reviews of these contractor connections--a key 
computer resource. Further, FDIC did not schedule a review of these 
contractor connections in conjunction with its newly established self-
assessment process. Without routine tests and evaluations of all key 
computer resources, including contractor connections, the 
corporation's financial or sensitive bank information is at risk of 
unauthorized disclosure, disruption of operations, or loss of assets.

* Information security weaknesses detected are analyzed for systemic 
solutions. To ensure that actions taken to correct identified security 
weaknesses are effective, security management best practices prescribe 
that procedures should include an assessment of systemic causes of 
related security weaknesses. Although FDIC has been very proactive in 
addressing the individual information security weaknesses identified, 
it currently lacks an ongoing process to collectively analyze related 
weaknesses for systemic problems that could adversely affect critical 
financial and bank information systems. A comprehensive assessment of 
related weaknesses, such as those related to user access privileges, 
which is a recurring security weakness we have reported to FDIC, could 
assist in identifying systemic causes of security weaknesses and result 
in remediation efforts that could be more effective in addressing 
security vulnerabilities. Further, such an assessment provides an 
organization with a process of identifying emerging problems, assessing 
the effectiveness of current policies and awareness efforts, and 
determining the need for stepped-up education or new controls to 
address problem areas.

* Corrective actions are independently tested. FISMA requires that 
agencies establish a process to document and track remedial actions 
taken to address security deficiencies in agency operations. This 
process includes requirements for independent testing to ensure that 
prescribed remediation actions are effective. Although FDIC has 
established a system for documenting and tracking corrective actions, 
it has not developed a specific process for independently testing or 
reviewing the appropriateness of the corrective actions taken.

* Newly identified weaknesses or emerging security threats are 
incorporated into the test and evaluation process. To ensure an 
effective test and evaluation program, security management best 
practices prescribe that the scope of information system control tests 
include an evaluation of recently identified weaknesses and an 
assessment of emerging security threats to the computer control 
environment. FDIC's self-assessment process includes provisions for 
updating its annual review of information system controls to evaluate 
control weaknesses that were identified in prior audits. However, the 
process does not specifically include provisions for weaknesses 
reported in other audits or those identified internally in connection 
with operational issues. Further, there are no procedures to ensure 
that emerging security threats are considered for inclusion in the 
self-assessment reviews. For example, in our current review at FDIC, we 
identified network security weaknesses that are linked to specific new 
security threats that had not been addressed by FDIC. To perform a 
comprehensive review of information system controls, it is critical 
that all previously identified weaknesses and emerging security threats 
be considered as part of the test and evaluation process to ensure that 
these weaknesses have been corrected.

Incorporating these key areas into its test and evaluation program 
should allow FDIC to better identify and correct security problems, 
such as those identified in our 2003 audit.

Conclusions: 

FDIC has made significant progress in correcting the computer security 
weaknesses we previously identified and has taken other steps to 
improve security. However, we identified additional computer control 
weaknesses that place critical FDIC financial and sensitive personnel 
and bank examination information at risk of unauthorized disclosure, 
disruption of operations, or loss of assets. Specifically, FDIC had not 
adequately limited the access granted to all authorized users or 
completely secured access to its network. The risks created by these 
access weaknesses are heightened because FDIC has not yet completed a 
program to fully monitor access activity to identify and investigate 
unusual or suspicious access patterns that could indicate unauthorized 
access. Implementation of FDIC's plan to correct these weaknesses is 
essential to establishing an effective information system control 
environment.

A key reason for FDIC's continuing weaknesses in information system 
controls is that it has not yet fully established a comprehensive 
security management program to ensure that effective controls are 
established and maintained and that information security receives 
significant management attention. Although FDIC has made substantial 
progress during the past year toward establishing key elements of this 
program--including strengthening its security management structure, 
updating security policies and procedures, enhancing security 
awareness, and implementing a risk-assessment program--it only recently 
established a program to test and evaluate its computer control 
environment, and this program does not yet address all key areas. 
Specifically, the test and evaluation program does not include adequate 
provisions to ensure that (1) all key computer resources supporting 
FDIC's financial environment are routinely reviewed and tested, (2) 
weaknesses detected are analyzed for systemic solutions, (3) corrective 
actions are independently tested, and (4) newly identified weaknesses 
or emerging security threats are incorporated into the test and 
evaluation process. Until FDIC takes steps to correct or mitigate its 
information system control weaknesses and fully implements a computer 
security management program, FDIC will have limited assurance that its 
financial and sensitive information is adequately protected.

Recommendations for Executive Action: 

To fully establish a comprehensive computer security management 
program, we recommend that the FDIC chairman instruct the CIO, as the 
corporation's key official for computer security, to strengthen the 
testing and evaluation element of this program by taking the following 
actions: 

* all key computer resources supporting FDIC's financial environment 
should be routinely reviewed and tested,

* weaknesses detected should be analyzed for systemic solutions,

* corrective actions should be independently tested, and

* newly identified weaknesses or emerging security threats should be 
incorporated into the test and evaluation process.

We are also making recommendations in a separate report designed for 
"Limited Official Use Only." These recommendations address actions 
needed to correct the specific information security weaknesses related 
to user access, network security, and monitoring access activities.

Agency Comments: 

In providing written comments on a draft of this report, FDIC's Chief 
Financial Officer (CFO) agreed with our recommendations. His comments 
are reprinted in appendix I of this report. Specifically, FDIC plans to 
correct the information system control weaknesses identified and 
strengthen the testing and evaluation element of its computer 
management program by December 31, 2004. According to the CFO, 
significant progress has already been made in addressing the identified 
weaknesses.


We are sending copies of this report to the Chairman and Ranking 
Minority Member of the Senate Committee on Banking, Housing, and Urban 
Affairs; the Chairman and Ranking Minority Member of the House 
Committee on Financial Services; members of the FDIC Audit Committee; 
officials in FDIC's divisions of information resources management, 
administration, and finance; and the FDIC inspector general. We will 
also make copies available to other parties upon request. In addition, 
this report will be available at no charge on the GAO Web site at 
[Hyperlink, http://www.gao.gov].

If you have any questions regarding this report, please contact me at 
(202) 512-3317 or David W. Irvin, Assistant Director, at 
(214) 777-5716. We can also be reached by e-mail at 
[Hyperlink, daceyr@gao.gov] and [Hyperlink, irvind@gao.gov], 
respectively. Key contributors to this report are listed in appendix II.

Signed by: 

Robert F. Dacey: 
Director, Information Security Issues: 

[End of section]

Appendixes: 

Appendix I: Comments from the Federal Deposit Insurance Corporation: 

Federal Deposit Insurance Corporation:

550 17th Street, NW, 
Washington, DC 20429 
Deputy to the Chairman and Chief Financial Officer:

May 4, 2004:

Mr. Joel C. Willemssen, 
Managing Director 
Information Technology Issues:
U.S. General Accounting Office 
441 G Street, NW:
Washington, DC 20548:

Dear Mr. Willemssen:

Thank you for the opportunity to respond to the draft reports entitled, 
Information Security: Information System Controls at the Federal 
Deposit Insurance Corporation, dated April 26, 2004. We appreciate the 
generally positive tone of these reports, particularly in the General 
Accounting Office's (GAO's) acknowledgement of the significant 
improvements made and the lengthy discussion of a number of the 
internal controls we have implemented. We were also pleased to have GAO 
acknowledge FDIC's completion of 69 of 70 recommended security 
improvements from the 2001 and 2002 GAO audit reports.

While recognizing that FDIC has made significant progress in correcting 
the prior year information security weaknesses and has taken other 
steps to improve security, GAO did identify new internal control 
matters. These weaknesses were characterized as being the result of 
FDIC not having fully developed and implemented a comprehensive 
corporate program to manage security, particularly a program to test 
and evaluate its computer control environment. We appreciate the 
detailed information technology audit work completed by the GAO team. 
We believe that this work and your report will help us as we continue 
our efforts to improve the FDIC's overall information security program.

Overall the FDIC agrees with the results represented in the referenced 
draft reports and recognizes the need to further enhance its existing 
programs. We believe that it is important to note that our activities 
have essentially moved from program development to enhancement or fine 
tuning of individual program activities. In response to the 
recommendations for executive action, the FDIC will, by December 31, 
2004:

* Complete corrective action for the one remaining control weakness 
identified in the 2002 review;

* Correct the 22 information systems control weaknesses identified in 
this year's review; and

* Continue to enhance the Corporation's computer security testing and 
evaluation program including ensuring: (1) all key computer resources 
supporting FDIC's financial environment are routinely reviewed and 
tested, (2) weaknesses detected are analyzed for systematic solutions, 
(3) corrective actions are independently tested, and (4) newly 
identified weaknesses or emerging security threats are incorporated 
into the test and evaluation process.

Specific corrective action plans were provided separately.

I believe that significant progress has already been made in addressing 
the weaknesses identified in the draft reports. We understand that a 
sustained effort is needed through substantial resources and strong 
executive involvement to address the multitude of new vulnerabilities 
posed by the rapidly changing information technology industry. To that 
end, the FDIC remains committed to improving every aspect of our 
corporate-wide security program. We look forward to continuing our 
productive dialogue with the GAO as we continue to enhance our security 
program.

If you have questions relating to the FDIC management response, please 
contact Michael MacDermott, Acting Director, Office of Enterprise Risk 
Management, at 202-736-0075.

Sincerely,

Signed by: 

Steven O. App:

Deputy to the Chairman and Chief Financial Officer:

cc: John Bovenzi 
John Brennan 
Michael Bartell 
Michael MacDermott 
Audit Committee:

[End of section]

Appendix II: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

David W. Irvin, (214) 777-5716: 

Staff Acknowledgments: 

In addition to the person named above, Edward Alexander, Jr., Gerald 
Barnes, Nicole Carpenter, Lon Chin, Debra Conner, David Hayes, Jeffrey 
Knott, Leena Mathew, Duc Ngo, Rosanna Villa, Charles Vrabel, and Chris 
Warweg made key contributions to this report.

(310525): 


FOOTNOTES

[1] U.S. General Accounting Office, Financial Audit: Federal Deposit 
Insurance Corporation Fund's 2003 and 2002 Financial Statements, 
GAO-04-429 (Washington, D.C.: Feb. 13, 2004).

[2] Information system general controls affect the overall 
effectiveness and security of computer operations as opposed to being 
unique to any specific computer application. These controls include 
security management, operating procedures, software security features, 
and physical protection designed to ensure that access to data is 
appropriately restricted, that only authorized changes to computer 
programs are made, that computer security duties are segregated, and 
that back-up and recovery plans are adequate to ensure the continuity 
of essential operations.

[3] U.S. General Accounting Office, FDIC Information Security: 
Improvements Made but Weaknesses Remain, GAO-02-689 (Washington, D.C.: 
July 15, 2002).

[4] U.S. General Accounting Office, FDIC Information Security: Progress 
Made but Existing Weaknesses Place Data at Risk, GAO-03-630 
(Washington, D.C.: June 18, 2003).

[5] Reportable conditions involve matters coming to the auditor's 
attention that, in the auditor's judgment, should be communicated 
because they represent significant deficiencies in the design or 
operation of internal control and could adversely affect FDIC's ability 
to meet the control objectives.

[6] GAO-04-429.

[7] See, for example, U.S. General Accounting Office, High-Risk Series: 
Protecting Information Systems Supporting the Federal Government and 
the Nation's Critical Infrastructure, GAO-03-121 (Washington, D.C.: 
January 2003).

[8] Title III, Federal Information Security Management Act of 2002, 
E-Government Act of 2002, P.L. 107-347 (Dec. 17, 2002).

[9] U.S. General Accounting Office, Financial Audit: Federal Deposit 
Insurance Corporation Fund's 2002 and 2001 Financial Statements, 
GAO-03-543 (Washington, D.C.: Mar. 28, 2003).

[10] GAO-04-429.

[11] U.S. General Accounting Office, Federal Information System 
Controls Audit Manual, Volume I--Financial Statements Audits, 
GAO/AIMD-12.19.6 (Washington, D.C.: January 1999).

[12] U.S. General Accounting Office, Information Security Management: 
Learning from Leading Organizations, GAO/AIMD-98-68 (Washington, D.C.: 
May 1998).

[13] GAO-02-689.

[14] GAO-03-630.

[15] GAO identified 41 weaknesses in the 2001 review; FDIC addressed 19 
of those weaknesses before our next review.

[16] GAO-02-689.

[17] GAO-03-630.

[18] GAO/AIMD-98-68.

GAO's Mission: 

The General Accounting Office, the investigative arm of Congress, 
exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site (www.gao.gov) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics.

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading.

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. General Accounting Office
441 G Street NW, Room LM
Washington, D.C. 20548

To order by Phone: 

Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director, NelliganJ@gao.gov, (202) 512-4800
U.S. General Accounting Office, 441 G Street NW, Room 7149
Washington, D.C. 20548