
Information Security: FDIC Sustains Progress but Needs to Improve Configuration Management of Key Financial Systems

GAO-08-564 Published: May 30, 2008. Publicly Released: May 30, 2008.

Highlights

The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. Effective information security controls are essential to ensure that FDIC systems and information are adequately protected from inadvertent misuse, fraudulent use, or improper disclosure. As part of its audit of FDIC's 2007 financial statements, GAO assessed (1) the progress FDIC has made in mitigating previously reported information security weaknesses and (2) the effectiveness of FDIC's controls in protecting the confidentiality, integrity, and availability of its financial systems and information. To do this, GAO examined security policies, procedures, reports, and other documents; observed controls over key financial applications; and interviewed key FDIC personnel.

Recommendations

Recommendations for Executive Action

Agency Affected: Federal Deposit Insurance Corporation (for each recommendation below)

Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve access controls by ensuring that New Financial Environment (NFE) users do not share login ID and password accounts.
Status: Closed – Implemented
Comments: We verified that FDIC required that NFE users do not share login ID and password accounts.

Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve access controls by ensuring that Assessment Information Management System II (AIMS II) users do not have full access to application source code, unless they have a legitimate business need.
Status: Closed – Implemented
Comments: We verified that FDIC disabled access for all AIMS II users who had full access to application source code without a legitimate business need.

Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve access controls by ensuring that the database connection is adequately encrypted with passwords that comply with Federal Information Processing Standard (FIPS) 140-2.
Status: Closed – Implemented
Comments: We verified that FDIC configured the database connection so that it is adequately encrypted with passwords that comply with FIPS 140-2.

Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve NFE and AIMS II configuration management by ensuring that full and complete requirement baselines are developed and implemented.
Status: Closed – Implemented
Comments: We verified that FDIC developed a full requirements baseline for NFE and AIMS II.

Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve NFE and AIMS II configuration management by ensuring that configuration items have unique identifiers.
Status: Closed – Implemented
Comments: We verified that FDIC developed unique identifiers for NFE and AIMS II configuration items.

Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve NFE and AIMS II configuration management by ensuring that configuration changes are properly authorized, documented, and reported.
Status: Closed – Implemented
Comments: We verified that FDIC's configuration changes for NFE and AIMS II were properly authorized, documented, and reported.

Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve NFE and AIMS II configuration management by ensuring that physical configuration audits verify and validate that all items are under configuration management control, all changes made are approved by the configuration control board, and that teams are assigning unique identifiers to configuration items.
Status: Closed – Implemented
Comments: We verified that FDIC had physical configuration audits that verify and validate that all items are under configuration management control, all changes made are approved by the configuration control board, and that teams are assigning unique identifiers to configuration items.

Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve NFE and AIMS II configuration management by ensuring that functional configuration audits verify and validate that requirements have bidirectional traceability and can be traced across the various documents.
Status: Closed – Implemented
Comments: We verified that FDIC had functional configuration audits that verify and validate that requirements have bidirectional traceability and can be traced across the various documents.

Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve the security management of NFE and AIMS II by ensuring that users adequately test configuration management controls as part of the system test and evaluation process.
Status: Closed – Implemented
Comments: We verified that FDIC adequately tested configuration management controls as part of the system test and evaluation process for NFE and AIMS II.

Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve the security management of NFE and AIMS II by ensuring that users develop, in a timely manner, a detailed plan of action and milestones that includes who will be responsible for the corrective action, when the action will be closed, and the status of the action for NFE.
Status: Closed – Implemented
Comments: We verified that FDIC developed a detailed plan of action and milestones that includes who will be responsible for the corrective action, when the action will be closed, and the status of the action for NFE and AIMS II.

Topics

Access control, Banking law, Computer security, Configuration control, Data encryption, Data integrity, Data transmission, Financial disclosure, Financial institutions, Financial management systems, Information security, Information security management, Information security regulations, Information systems, Internal controls, Law enforcement, Passwords, Physical security, Risk assessment, Risk management, Security assessments, Program implementation