FDIC Information Security: Progress Made but Existing Weaknesses Place Data at Risk

GAO-03-630 Published: Jun 18, 2003. Publicly Released: Jun 18, 2003.
Highlights

Effective controls over information systems are essential to ensuring the protection of financial and personnel information and the security and reliability of bank examination data maintained by the Federal Deposit Insurance Corporation (FDIC). As part of GAO's 2002 financial statement audits of the three FDIC funds, we assessed (1) the corporation's progress in addressing computer security weaknesses found in GAO's 2001 audit, and (2) the effectiveness of FDIC's controls.

Recommendations

Recommendations for Executive Action

Agency Affected: Federal Deposit Insurance Corporation
Recommendation: To establish an effective information system control environment, in addition to completing actions to resolve prior year weaknesses that remain open, the Chairman should instruct the acting CIO, as the corporation's key official for computer security, to correct the 29 information system control weaknesses related to mainframe access, network security, access monitoring, physical access, application software, and service continuity identified in our current (calendar year 2002) audit. We are also issuing a report designated for "Limited Official Use Only," which describes in more detail the computer security weaknesses identified and offers specific recommendations for correcting them.
Status: Closed – Implemented
Comments: Based on its calendar year 2003 financial audit, GAO concluded that FDIC substantially completed actions to correct the 29 information system control weaknesses related to mainframe access, network security, access monitoring, physical access, application software, and service continuity identified in GAO's 2002 audit.

Agency Affected: Federal Deposit Insurance Corporation
Recommendation: To establish an effective information system control environment, in addition to completing actions to resolve prior year weaknesses that remain open, the Chairman should instruct the acting CIO, as the corporation's key official for computer security, to fully develop and implement a computer security management program. Specifically, this would include (1) developing and implementing a process for performing risk assessments and (2) establishing an effective ongoing program of tests and evaluations to ensure that policies and controls are appropriate and effective.
Status: Closed – Implemented
Comments: FDIC developed and implemented a computer security management program. Specifically, the corporation developed a framework for assessing and managing risk on a continuing basis. This framework specifies (1) how the assessments should be initiated and conducted, (2) who should participate in the assessments, (3) how disagreements should be resolved, (4) what approvals are needed, and (5) how these assessments should be documented and maintained. FDIC has performed risk assessments on all of its major systems. In addition, FDIC established an ongoing program of tests and evaluations to ensure that policies and controls are appropriate and effective. This program includes annual self-assessments of general and application controls and quarterly tests of information controls, including both network and mainframe systems.

Topics

Financial statement audits, Computer networks, Information resources management, Information systems, Computer security, Internal controls, Federal deposit insurance, Information security, Application software, Sensitive data