Information Security: Further Actions Needed to Address Risks to Bank Secrecy Act Data
Highlights
The Financial Crimes Enforcement Network (FinCEN), a bureau within the Department of the Treasury, relies extensively on its own computer systems, as well as those at the Internal Revenue Service (IRS) and the Treasury Communications System (TCS), to administer the Bank Secrecy Act (BSA) and fulfill its mission of safeguarding the U.S. financial system from financial crimes. Effective information security controls over these systems are essential to ensuring that BSA data, which contains sensitive financial information used by law enforcement agencies to prosecute financial crime, is protected from inappropriate or deliberate misuse, improper disclosure, or destruction. GAO evaluated whether security controls that effectively protect the confidentiality, integrity, and availability of the information and systems that support FinCEN's mission have been implemented. To do this, GAO examined security policies and controls for systems at three organizations.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status
---|---|---
Department of the Treasury | To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by updating information security policies and procedures to address key missing information such as patch prioritization and inspection of outbound network traffic, as well as to include detailed implementation guidance for issues such as securely configuring the virtual private network. | In fiscal year 2013, we verified that FinCEN updated information security policies and procedures to address key missing information such as patch prioritization and inspection of outbound network traffic, as well as to include detailed implementation guidance for issues such as securely configuring the virtual private network.
Department of the Treasury | To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by ensuring that system security plans document all required controls and describe how all required controls are implemented. | In fiscal year 2013, we verified that FinCEN ensured system security plans documented all required controls and described how all required controls are implemented.
Department of the Treasury | To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by conducting vulnerability scans on databases, applications, and network infrastructure on a quarterly schedule. | In fiscal year 2013, we verified that FinCEN conducted monthly vulnerability scans on databases, applications, and the network infrastructure.
Department of the Treasury | To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by implementing vulnerability scanning of custom source code or manual source code reviews. | In fiscal year 2013, we verified that FinCEN implemented manual source code reviews.
Department of the Treasury | To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by updating remedial action procedures to require that supporting documentation be provided to verify that corrective actions are fully implemented and effective. | In fiscal year 2013, we verified that FinCEN updated remedial action procedures to require that supporting documentation be provided to verify that corrective actions are fully implemented and effective.