Information Security:

Federal Deposit Insurance Corporation Needs to Improve Its Program

GAO-06-620: Published: Aug 31, 2006. Publicly Released: Aug 31, 2006.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. The corporation relies extensively on computerized systems to support and carry out its financial and mission-related operations. As part of the audit of the calendar year 2005 financial statements, GAO assessed (1) the progress FDIC has made in correcting or mitigating information security weaknesses previously reported and (2) the effectiveness of the corporation's information system controls to protect the confidentiality, integrity, and availability of its key financial information and information systems.

FDIC has made progress in correcting previously reported weaknesses. Specifically, the corporation has corrected or mitigated 18 of the 24 weaknesses that GAO previously reported as unresolved at the time of the last review. Among the actions FDIC has taken are developing and implementing procedures to comply with its computer file naming convention standards and developing and implementing automated procedures for limiting access to sensitive information. Nevertheless, FDIC has not consistently implemented information security controls to properly protect the confidentiality, integrity, and availability of its financial and sensitive information and information systems. In addition to the six previously reported weaknesses for which FDIC has not yet completed corrective actions, GAO identified 20 new information security weaknesses. Most of the identified weaknesses pertain to the access controls that are intended to prevent, limit, or detect access to its critical financial and sensitive systems and information, specifically controls over (1) user accounts and passwords; (2) access rights and permissions; (3) network services; (4) configuration assurance; (5) audit and monitoring of security-related events; and (6) physical security. In addition, weaknesses exist in other information security controls relating to segregation of duties and application change controls. A key reason for these weaknesses is that FDIC has not fully implemented elements of its information security program. For example, it has not consistently implemented its security-related policies, addressed security plans for certain applications, provided specialized training to individuals with significant security responsibilities, implemented remedial action plans for resolving known weaknesses, and updated or tested continuity plans in light of its implementation of the New Financial Environment.
As a result, financial and sensitive information is at increased risk of unauthorized access, modification, or disclosure, possibly without detection. Because of this, GAO reported information system control weaknesses as a reportable condition in 2005.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: FDIC has implemented or accurately reported the status of its remedial actions.

    Recommendation: To help fully implement the corporation's information security program, the FDIC Chairman should report weaknesses as closed in remedial action plans only when corrective actions have been completed.

    Agency Affected: Federal Deposit Insurance Corporation

  2. Status: Closed - Implemented

    Comments: FDIC has provided specialized training to all employees with significant security responsibility. FDIC tracks employee training and those that miss training are required to view the training DVD in its entirety and certify that they have completely reviewed the training material.

    Recommendation: To help fully implement the corporation's information security program, the FDIC Chairman should provide specialized training to individuals with significant security responsibilities.

    Agency Affected: Federal Deposit Insurance Corporation

  3. Status: Closed - Implemented

    Comments: FDIC has incorporated non-major systems in a security plan.

    Recommendation: To help fully implement the corporation's information security program, the FDIC Chairman should include security plans or requirements for nonmajor applications into the plans for general support systems.

    Agency Affected: Federal Deposit Insurance Corporation

  4. Status: Closed - Implemented

    Comments: FDIC has consistently implemented various policies and procedures related to information security.

    Recommendation: To help fully implement the corporation's information security program, the FDIC Chairman should consistently implement the corporation's documented policies and procedures related to information security.

    Agency Affected: Federal Deposit Insurance Corporation

  5. Status: Closed - Implemented

    Comments: FDIC has updated its continuity of operations plan and has tested selected functions of the New Financial Environment (NFE).

    Recommendation: To help fully implement the corporation's information security program, the FDIC Chairman should update continuity of operations plans and test them for the New Financial Environment.

    Agency Affected: Federal Deposit Insurance Corporation
