Information Security:

FDIC Sustains Progress but Needs to Improve Configuration Management of Key Financial Systems

GAO-08-564: Published: May 30, 2008. Publicly Released: May 30, 2008.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. Effective information security controls are essential to ensure that FDIC systems and information are adequately protected from inadvertent misuse, fraudulent use, or improper disclosure. As part of its audit of FDIC's 2007 financial statements, GAO assessed (1) the progress FDIC has made in mitigating previously reported information security weaknesses and (2) the effectiveness of FDIC's controls in protecting the confidentiality, integrity, and availability of its financial systems and information. To do this, GAO examined security policies, procedures, reports, and other documents; observed controls over key financial applications; and interviewed key FDIC personnel.

FDIC has made significant progress in mitigating previously reported information security weaknesses. Specifically, it has corrected or mitigated 16 of the 21 weaknesses that GAO had previously reported as unresolved at the completion of the 2006 audit. For example, FDIC has improved physical security controls over access to its Virginia Square computer processing facility, instructed personnel to use more secure e-mail methods to protect the integrity of certain accounting data transferred over an internal communication network, and updated the security plan and contingency plan of a key financial system. In addition, FDIC stated it has initiated and completed some actions to mitigate the remaining five prior weaknesses. However, we have not verified that these actions have been completed.

Although FDIC has made significant progress improving its information system controls, old and new weaknesses could limit the corporation's ability to effectively protect the confidentiality, integrity, and availability of its financial systems and information. In addition to the five previously reported weaknesses that remain unresolved, newly identified weaknesses in access controls and configuration management controls introduce risk to two key financial systems. For example, FDIC did not always implement adequate access controls. Specifically, multiple FDIC users shared the same login ID and password, had unrestricted access to application source code, and used passwords that were not adequately encrypted. In addition, FDIC did not adequately (1) maintain a full and complete baseline for system requirements; (2) assign unique identifiers to configuration items; (3) authorize, document, and report all configuration changes; and (4) perform configuration audits. Although these weaknesses do not pose significant risk of misstatement of the corporation's financial statements, they do increase preventable risk to the corporation's financial systems and information.
A key reason for these weaknesses is that FDIC did not always fully implement key information security program activities. For example, it did not adequately conduct configuration control testing or complete the remedial action plan in a timely manner and did not include necessary and key information. Until FDIC fully performs key information security program activities, its ability to maintain adequate control over its financial systems and information will be limited.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: We verified that FDIC required that NFE users do not share login ID and password accounts.

    Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve access controls by ensuring that New Financial Environment (NFE) users do not share login ID and password accounts.

    Agency Affected: Federal Deposit Insurance Corporation

  2. Status: Closed - Implemented

    Comments: We verified that FDIC disabled access to all AIMS II users who had full access to application source code, unless they have a legitimate business need.

    Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve access controls by ensuring that Assessment Information Management System II (AIMS II) users do not have full access to application source code, unless they have a legitimate business need.

    Agency Affected: Federal Deposit Insurance Corporation

  3. Status: Closed - Implemented

    Comments: We verified that FDIC configured the database connection so that it is adequately encrypted with passwords that comply with FIPS 140-2.

    Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve access controls by ensuring that the database connection is adequately encrypted with passwords that comply with Federal Information Processing Standard 140-2.

    Agency Affected: Federal Deposit Insurance Corporation

  4. Status: Closed - Implemented

    Comments: We verified that FDIC developed a full requirements baseline for NFE and AIMS II.

    Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve NFE and AIMS II configuration management by ensuring that full and complete requirement baselines are developed and implemented.

    Agency Affected: Federal Deposit Insurance Corporation

  5. Status: Closed - Implemented

    Comments: We verified that FDIC developed unique identifiers for NFE and AIMS II.

    Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve NFE and AIMS II configuration management by ensuring that configuration items have unique identifiers.

    Agency Affected: Federal Deposit Insurance Corporation

  6. Status: Closed - Implemented

    Comments: We verified that FDIC made configuration changes that were properly authorized, documented, and reported for NFE and AIMS II.

    Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve NFE and AIMS II configuration management by ensuring that configuration changes are properly authorized, documented, and reported.

    Agency Affected: Federal Deposit Insurance Corporation

  7. Status: Closed - Implemented

    Comments: We verified that FDIC had physical configuration audits that verify and validate that all items are under configuration management control, all changes made are approved by the configuration control board, and that teams are assigning unique identifiers to configuration items.

    Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve NFE and AIMS II configuration management by ensuring that physical configuration audits verify and validate that all items are under configuration management control, all changes made are approved by the configuration control board, and that teams are assigning unique identifiers to configuration items.

    Agency Affected: Federal Deposit Insurance Corporation

  8. Status: Closed - Implemented

    Comments: We verified that FDIC had functional configuration audits that verify and validate that requirements have bidirectional traceability and can be traced from various documents.

    Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve NFE and AIMS II configuration management by ensuring that functional configuration audits verify and validate that requirements have bidirectional traceability and can be traced from various documents.

    Agency Affected: Federal Deposit Insurance Corporation

  9. Status: Closed - Implemented

    Comments: We verified that FDIC adequately tested configuration management controls as part of the system test and evaluation process for NFE and AIMS II.

    Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve the security management of NFE and AIMS II by ensuring that users adequately test configuration management controls as part of the system test and evaluation process.

    Agency Affected: Federal Deposit Insurance Corporation

  10. Status: Closed - Implemented

    Comments: We verified that FDIC developed a detailed plan of action and milestones to include who will be responsible for the corrective action, when the action will be closed, and the status of the action for NFE and AIMS II.

    Recommendation: In order to sustain progress to its program, the Chief Operating Officer should direct the CIO to improve the security management of NFE and AIMS II by ensuring that users develop in a timely manner a detailed plan of action and milestones to include who will be responsible for the corrective action, when the action will be closed, and status of the action for NFE.

    Agency Affected: Federal Deposit Insurance Corporation
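Recommendations 5 through 8 describe what a physical configuration audit (unique identifiers, all items under CM control, every change approved by the configuration control board) and a functional configuration audit (bidirectional requirements traceability) must verify. The following is an added illustration of those two checks over constructed sample data; it is not FDIC's or GAO's code, and the item, change and trace identifiers are invented.

```python
from collections import Counter

# Constructed sample data (not FDIC's): CI baseline, change log and trace links.
CONFIG_ITEMS = [
    {"id": "CI-001", "name": "ledger-posting", "under_cm": True},
    {"id": "CI-002", "name": "report-batch", "under_cm": True},
    {"id": "CI-002", "name": "assessment-calc", "under_cm": True},  # duplicate id
    {"id": "", "name": "rate-table", "under_cm": False},           # no id, uncontrolled
]
CHANGES = [
    {"change": "CHG-10", "ci": "CI-001", "ccb_approval": "CCB-14"},
    {"change": "CHG-11", "ci": "CI-002", "ccb_approval": None},      # unapproved change
    {"change": "CHG-12", "ci": "CI-999", "ccb_approval": "CCB-15"},  # CI not in baseline
]
REQ_TO_DESIGN = {"REQ-1": ["DES-A"], "REQ-2": ["DES-B"], "REQ-3": []}
DESIGN_TO_REQ = {"DES-A": ["REQ-1"], "DES-B": [], "DES-C": ["REQ-4"]}


def physical_configuration_audit(items, changes):
    """Physical audit: unique ids, CM control, CCB-approved changes to baselined CIs."""
    findings = []
    ids = Counter(i["id"] for i in items if i["id"])
    for item in items:
        if not item["id"]:
            findings.append(f"no identifier: {item['name']}")
        elif ids[item["id"]] > 1:
            findings.append(f"duplicate identifier: {item['id']}")
        if not item["under_cm"]:
            findings.append(f"not under CM control: {item['name']}")
    for chg in changes:
        if not chg["ccb_approval"]:
            findings.append(f"change without CCB approval: {chg['change']}")
        if chg["ci"] not in ids:
            findings.append(f"change to unbaselined item: {chg['change']}")
    return findings


def functional_configuration_audit(req_to_design, design_to_req):
    """Functional audit: every link traces forward and backward and is mirrored."""
    findings = []
    for req, designs in req_to_design.items():
        if not designs:
            findings.append(f"requirement with no forward trace: {req}")
        findings += [f"unmirrored link: {req} -> {d}" for d in designs
                     if req not in design_to_req.get(d, [])]
    for des, reqs in design_to_req.items():
        if not reqs:
            findings.append(f"design element with no backward trace: {des}")
        findings += [f"unmirrored link: {des} -> {r}" for r in reqs
                     if des not in req_to_design.get(r, [])]
    return findings
```

Each function returns an empty list when the baseline is clean, so the checks can be run against an exported CI register and change log before an audit rather than only during it.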
