Information Security:

Federal Deposit Insurance Corporation Needs to Sustain Progress

GAO-05-486: Published: May 19, 2005. Publicly Released: May 19, 2005.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Federal Deposit Insurance Corporation (FDIC) relies extensively on computerized systems to support its financial and mission-related operations. As part of GAO's audit of the calendar year 2004 financial statements for the three funds administered by FDIC, GAO assessed (1) the progress FDIC has made in correcting or mitigating information system control weaknesses identified in our audits for calendar years 2002 and 2003 and (2) the effectiveness of the corporation's information system general controls.

FDIC has made significant progress in correcting previously reported information system control weaknesses and has taken other steps to improve information security. Of the 22 weaknesses reported in GAO's 2003 audit, FDIC corrected 19 and is taking action to resolve the 3 that remain. In addition, it corrected the one weakness still open from GAO's 2002 audits. Although FDIC has made substantial improvements in its information system controls, GAO identified additional weaknesses that diminish FDIC's ability to effectively protect the integrity, confidentiality, and availability of its financial and sensitive information systems. These included weaknesses in electronic access controls, network security, segregation of computer functions, physical security, and application change control. Although these do not pose significant risks to FDIC's financial and sensitive systems, they warrant management's action to decrease the risk of unauthorized modification of data and programs, inappropriate disclosure of sensitive information, or disruption of critical operations. A key reason for FDIC's weaknesses in information system controls is that it had not fully implemented a complete test and evaluation process, which is a key element of a comprehensive agency information security program with effective controls. Although FDIC has made substantial progress in implementing its information security program and has enhanced its process to test and evaluate its information system controls, it did not ensure that all key control areas supporting FDIC's financial environment are routinely reviewed and tested. These control areas included electronic access, network security, and audit logging.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendation for Executive Action

    Recommendation: To strengthen FDIC's information security program, the Chairman should direct the Chief Information Officer to broaden its process of tests and evaluations to ensure that all key control areas supporting FDIC's financial environment are routinely reviewed and tested. This process should include routine tests and evaluations of key control areas such as electronic access, network security, and audit logging.

    Agency Affected: Federal Deposit Insurance Corporation

    Status: Closed - Implemented

    Comments: FDIC has since developed a comprehensive system testing and evaluation process in 2005 with the New Financial Environment (NFE) System Test and Evaluation (ST&E), which follows and incorporates all of the National Institute of Standards and Technology (NIST) requirements and includes key control areas such as electronic access, network security, and audit logging. The Federal Information Security Management Act (FISMA) requires that the corporation perform annual re-testing of such controls. The FISMA submission or self-assessment qualifies as the re-testing.
