FDIC Information Security:

Progress Made but Existing Weaknesses Place Data at Risk

GAO-03-630: Published: Jun 18, 2003. Publicly Released: Jun 18, 2003.

Contact:

Gregory C. Wilshusen
(202) 512-3317
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Effective controls over information systems are essential to ensuring the protection of financial and personnel information and the security and reliability of bank examination data maintained by the Federal Deposit Insurance Corporation (FDIC). As part of GAO's 2002 financial statement audits of the three FDIC funds, we assessed (1) the corporation's progress in addressing the computer security weaknesses found in GAO's 2001 audit, and (2) the effectiveness of FDIC's controls.

FDIC has made progress in correcting information system controls since GAO's 2001 review: it has corrected, or has specific action plans to correct, all 41 of the weaknesses identified that year. GAO's 2002 audit nonetheless identified 29 new computer security weaknesses. These weaknesses reduce the effectiveness of FDIC's controls to safeguard critical financial and other sensitive information. Based on our review, mainframe access was not sufficiently restricted, network security was inadequate, and a program to fully monitor access activities was not implemented. Additionally, weaknesses in areas including physical security, application software, and service continuity further increased the risk to FDIC's computing environment. The primary reason for these continuing weaknesses is that FDIC has not yet completed development and implementation of a comprehensive program to manage computer security across the organization. FDIC has, among other things, established a security management structure, but still has not fully implemented a process for assessing and managing risk on a continuing basis or an ongoing program of testing and evaluating controls. The corporation's acting chief information officer has agreed to complete actions intended to address GAO's outstanding recommendations by December 31, 2003.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

Recommendations for Executive Action

Recommendation: To establish an effective information system control environment, in addition to completing actions to resolve prior year weaknesses that remain open, the Chairman should instruct the acting CIO, as the corporation's key official for computer security, to correct the 29 information system control weaknesses related to mainframe access, network security, access monitoring, physical access, application software, and service continuity identified in our current (calendar year 2002) audit. We are also issuing a report designated for "Limited Official Use Only," which describes in more detail the computer security weaknesses identified and offers specific recommendations for correcting them.

Agency Affected: Federal Deposit Insurance Corporation

Status: Closed - Implemented

Comments: Based on its calendar year 2003 financial audit, GAO concluded that FDIC substantially completed actions to correct the 29 information system control weaknesses related to mainframe access, network security, access monitoring, physical access, application software, and service continuity identified in GAO's 2002 audit.

Recommendation: To establish an effective information system control environment, in addition to completing actions to resolve prior year weaknesses that remain open, the Chairman should instruct the acting CIO, as the corporation's key official for computer security, to fully develop and implement a computer security management program. Specifically, this would include (1) developing and implementing a process for performing risk assessments and (2) establishing an effective ongoing program of tests and evaluations to ensure that policies and controls are appropriate and effective.

Agency Affected: Federal Deposit Insurance Corporation

Status: Closed - Implemented

Comments: FDIC developed and implemented a computer security management program. Specifically, the corporation developed a framework for assessing and managing risk on a continuing basis. This framework specifies (1) how the assessments should be initiated and conducted, (2) who should participate in the assessments, (3) how disagreements should be resolved, (4) what approvals are needed, and (5) how these assessments should be documented and maintained. FDIC has performed risk assessments on all of its major systems. In addition, FDIC established an ongoing program of tests and evaluations to ensure that policies and controls are appropriate and effective. This program includes annual self-assessments of general and application controls and quarterly tests of information controls, including both network and mainframe systems.
