Information Security:

Federal Deposit Insurance Corporation Needs to Sustain Progress Improving Its Program

GAO-07-351: Published: May 18, 2007. Publicly Released: May 18, 2007.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. As part of its audit of the calendar year 2006 financial statements, GAO assessed (1) the progress FDIC has made in correcting or mitigating information security weaknesses previously reported and (2) the effectiveness of FDIC's system integrity controls to protect the confidentiality and availability of its financial information and information systems. To do this, GAO examined pertinent security policies, procedures, and relevant reports. In addition, GAO conducted tests and observations of controls in operation.

FDIC has made substantial progress in correcting previously reported weaknesses in its information security controls. Specifically, it has corrected or mitigated 21 of the 26 weaknesses that GAO had reported as unresolved at the completion of the calendar year 2005 audit. Actions FDIC has taken include developing and implementing procedures to prohibit the transmission of mainframe user and administrator passwords in readable text across the network, implementing procedures to change vendor-supplied accounts and passwords, and improving mainframe security monitoring controls. Although FDIC has made important progress improving its information system controls, old and new weaknesses could limit the corporation's ability to effectively protect the integrity, confidentiality, and availability of its financial and sensitive information and systems. In addition to the five previously reported weaknesses that are in the process of being mitigated, GAO identified new weaknesses in controls related to (1) e-mail security, (2) physical security, and (3) configuration management. Although these weaknesses do not pose significant risk of misstatement of the corporation's financial statements, they do increase preventable risk to the corporation's financial and sensitive systems and information. In addition, FDIC has not fully integrated its new financial system--the New Financial Environment (NFE)--into its information security program. For example, it did not fully implement key control activities for the NFE. Until FDIC fully integrates the NFE with the information security program, its ability to maintain adequate system controls over its financial and sensitive information will be limited.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: FDIC has required that e-mail containing or transmitting accounting data be secured to protect the integrity of the accounting data.

    Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should require that e-mail containing or transmitting accounting data be secured to protect the integrity of the accounting data. This should be performed in a timely manner.

    Agency Affected: Federal Deposit Insurance Corporation

  2. Status: Closed - Implemented

    Comments: FDIC has trained security personnel to implement the corporation's policy on physical security of the facility.

    Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should train security personnel to implement the corporation's policy on physical security of the facility. This should be performed in a timely manner.

    Agency Affected: Federal Deposit Insurance Corporation

  3. Status: Closed - Implemented

    Comments: FDIC has instructed personnel to lock rooms that contain sensitive software.

    Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should instruct FDIC personnel to lock rooms that contain sensitive software. This should be performed in a timely manner.

    Agency Affected: Federal Deposit Insurance Corporation

  4. Status: Closed - Implemented

    Comments: FDIC has developed a configuration item index of all configuration items for NFE using a consistent and documented naming convention.

    Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should develop a configuration item index of all configuration items for NFE using a consistent and documented naming convention. This should be performed in a timely manner.

    Agency Affected: Federal Deposit Insurance Corporation

  5. Status: Closed - Implemented

    Comments: FDIC has ensured that significant changes to the system, such as parameter changes, go through a formal change management process.

    Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should require that significant changes to the system, such as parameter changes, go through a formal change management process. This should be performed in a timely manner.

    Agency Affected: Federal Deposit Insurance Corporation

  6. Status: Closed - Implemented

    Comments: FDIC has implemented patches in a timely manner.

    Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should implement patches in a timely manner.

    Agency Affected: Federal Deposit Insurance Corporation

  7. Status: Closed - Implemented

    Comments: FDIC is able to review some status accounting reports and has conducted physical and functional configuration audits for NFE.

    Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should require that the NFE project team review status accounting reports and perform complete functional and physical configuration audits. This should be performed in a timely manner.

    Agency Affected: Federal Deposit Insurance Corporation

  8. Status: Closed - Implemented

    Comments: FDIC has adequately controlled the NFE documents (risk assessment, security plan, contingency plan) so that they are up-to-date and accurately reflect the current environment.

    Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should adequately control the NFE documents so that they are up-to-date and accurately reflect the current environment. This should be performed in a timely manner.

    Agency Affected: Federal Deposit Insurance Corporation

  9. Status: Closed - Implemented

    Comments: FDIC has updated the NFE risk assessment to include the risk associated with vulnerabilities identified during security testing and evaluation.

    Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should update the NFE risk assessment to include the risk associated with vulnerabilities identified during security testing and evaluation. This should be performed in a timely manner.

    Agency Affected: Federal Deposit Insurance Corporation

  10. Status: Closed - Implemented

    Comments: FDIC has updated the NFE security plan to clearly identify all common security controls.

    Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should update the NFE security plan to clearly identify all common security controls. This should be performed in a timely manner.

    Agency Affected: Federal Deposit Insurance Corporation

  11. Status: Closed - Implemented

    Comments: FDIC has developed procedures to review events to determine whether they are computer security incidents.

    Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should develop procedures to review events occurring in the NFE to determine whether the events are computer security incidents. This should be performed in a timely manner.

    Agency Affected: Federal Deposit Insurance Corporation

  12. Status: Closed - Implemented

    Comments: FDIC provided an updated NFE contingency plan that reflects the new disaster recovery site and servers.

    Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should update the contingency plan to reflect the new disaster recovery site and servers that are in use. This should be performed in a timely manner.

    Agency Affected: Federal Deposit Insurance Corporation
