Skip to main content

Information Security: Opportunities Exist for the Federal Housing Finance Agency to Improve Controls

GAO-10-528 Published: Apr 30, 2010. Publicly Released: Apr 30, 2010.
Jump To:
Skip to Highlights

Highlights

The Federal Housing Finance Agency (FHFA) relies extensively on computerized systems to carry out its mission to provide effective supervision, regulation, and housing mission oversight of the Federal National Mortgage Association (Fannie Mae), the Federal Home Loan Mortgage Corporation (Freddie Mac), and the federal home loan banks. Effective information security controls are essential to ensure that FHFA's financial information is protected from inadvertent or deliberate misuse, disclosure, or destruction. As part of its audit of FHFA's fiscal year 2009 financial statements, GAO assessed the effectiveness of the agency's information security controls to ensure the confidentiality, integrity, and availability of the agency's financial information. To do this, GAO examined FHFA information security policies, procedures, and other documents; tested controls over key financial applications; and interviewed key agency officials.

Although FHFA has implemented important information security controls, it has not always implemented appropriate controls to sufficiently protect the confidentiality, integrity, and availability of financial information stored on and transmitted over its key financial systems, databases, and computer networks. The agency's financial system computing environment had deficiencies in several areas and the controls that were in place were not always effectively implemented to prevent, limit, and detect unauthorized access to the agency network and systems. Specifically, FHFA did not always maintain authorization records for network and system access, enforce the most restrictive access needed by users on shared network files and directories, and enforce the most restrictive set of rights needed by users to perform their assigned duties. Further, it did not effectively implement physical protection and environmental safety controls over its facilities and information technology resources. GAO identified numerous instances in which FHFA facilities were not adequately secured and was able to obtain unauthorized access from outside agency facilities into the agency's interior space containing sensitive information and information technology equipment. FHFA officials acknowledged these shortcomings and indicated that the agency has taken steps or is planning to take steps to mitigate these deficiencies. A key reason for the control deficiencies in FHFA's financial system computing environment is that the agency has not yet fully implemented its agencywide information security program to ensure that controls are appropriately designed and operating effectively. Although FHFA made important progress in developing and documenting elements of its information security program, written policies, procedures, and technical standards do not reflect the current operating environment. Further, the agency has not yet developed, documented, and implemented sufficient policies and procedures to ensure that the activities performed by external third parties are monitored for compliance with FHFA's policies. Although these deficiencies were not considered significant deficiencies for financial reporting purposes, if left uncorrected they unnecessarily increase the risk that sensitive and financial information is subject to unauthorized disclosure, modification, or destruction.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Federal Housing Finance Agency To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to improve logical access controls, the Acting Director should ensure FHFA maintains network access authorizations for every agency network user.
Closed – Implemented
In fiscal year 2013, we verified that FHFA, in response to our recommendation, maintained network access authorizations for every agency network user.
Federal Housing Finance Agency To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to improve logical access controls, the Acting Director should ensure FHFA reviews current access to network files and directories containing confidential information and restricts access to personnel with an authorized need to access that information.
Closed – Implemented
We verified that FHFA reviews current access to network files and directories containing confidential information and restricts access to personnel with an authorized need to access that information.
Federal Housing Finance Agency To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to improve logical access controls, the Acting Director should ensure FHFA continuously monitors use of privileged accounts on systems throughout the network so inadvertent or extended use of privileged access is promptly detected and removed.
Closed – Implemented
We verified that FHFA continuously monitors the use of privileged accounts on systems throughout its network so inadvertent or extended use of privileged access is promptly detected and removed.
Federal Housing Finance Agency To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to strengthen controls over physical access, the Acting Director should ensure FHFA secures areas that contain IT equipment and sensitive information.
Closed – Implemented
We verified that FHFA secured areas that contain IT equipment and sensitive information.
Federal Housing Finance Agency To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to strengthen controls over physical access, the Acting Director should ensure FHFA completes sufficient physical security policies to address protection of agency assets, including incident response, access authorizations, and environmental safety controls.
Closed – Implemented
We verified that FHFA completed sufficient physical security policies to address protection of agency assets, including incident response, access authorizations, and environmental safety controls.
Federal Housing Finance Agency To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to strengthen controls over physical access, the Acting Director should ensure FHFA performs physical security risk assessments at key facilities.
Closed – Implemented
We verified that FHFA performed physical security risk assessments at key facilities.
Federal Housing Finance Agency To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to strengthen controls over physical access, the Acting Director should ensure FHFA develops, documents, and implements monitoring procedures to ensure that physical access authorizations to secure areas containing sensitive computer resources, including server rooms and sensitive information, are current and controlled.
Closed – Implemented
We verified that FHFA developed, documented, and implemented monitoring procedures to ensure that physical access authorizations to secure areas containing sensitive computer resources, including server rooms and sensitive information, are current and controlled.
Federal Housing Finance Agency To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to strengthen controls over physical access, the Acting Director should ensure FHFA develops, documents, and implements monitoring procedures and installs appropriate equipment to ensure that FHFA can detect and respond to potential physical security incidents.
Closed – Implemented
We verified that FHFA developed, documented, and implemented monitoring procedures and installed appropriate equipment to ensure that FHFA can detect and respond to potential physical security incidents.
Federal Housing Finance Agency To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to strengthen controls over physical access, the Acting Director should ensure FHFA implements and enforces visitor control practices at all facilities.
Closed – Implemented
We verified that FHFA implemented and enforced visitor control practices at all facilities.
Federal Housing Finance Agency To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to strengthen controls over physical access, the Acting Director should ensure FHFA increases employees' awareness of the need to enforce physical security safeguards.
Closed – Implemented
We verified that FHFA increased employees awareness of the need to enforce physical security safeguards through steps such as improved signage, emails, and training activities.
Federal Housing Finance Agency To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to strengthen controls over physical access, the Acting Director should ensure FHFA secures and removes construction materials from telecommunications and electrical closets that support computer operations.
Closed – Implemented
We verified that FHFA secured and removed construction materials from telecommunications and electrical closets that support computer operations.
Federal Housing Finance Agency To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to improve its information security program, the Acting Director should ensure FHFA develops, documents, and implements procedures enforcing separation of incompatible duties among personnel.
Closed – Implemented
We verified that FHFA developed, documented, and implemented procedures enforcing separation of incompatible duties among personnel.
Federal Housing Finance Agency To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to improve its information security program, the Acting Director should ensure FHFA finalizes, approves, and implements configuration management policies and procedures.
Closed – Implemented
We verified that FHFA finalized, approved, and implemented configuration management policies and procedures.
Federal Housing Finance Agency To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to improve its information security program, the Acting Director should ensure FHFA approves and tests continuity of operations and disaster recovery plans.
Closed – Implemented
We verified that FHFA approved and tested continuity of operations and disaster recovery plans.
Federal Housing Finance Agency To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to improve its information security program, the Acting Director should ensure FHFA develops, documents, and implements procedures to monitor access to agency financial information by Bureau of Public Debt (BPD) and Oracle Corporation staff and contractors.
Closed – Implemented
We verified that FHFA developed, documented, and implemented procedures to monitor access to agency financial information by Bureau of Public Debt (BPD) and Oracle Corporation staff and contractors.
Federal Housing Finance Agency To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to improve its information security program, the Acting Director should ensure FHFA develops, documents, and implements procedures to assess all security reviews and plans of action and milestones developed by BPD and Oracle Corporation staff and contractors.
Closed – Implemented
We verified that FHFA developed, documented, and implemented procedures to assess all security reviews and plans of action and milestones developed by BPD and Oracle Corporation staff and contractors.

Full Report

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Access controlAgency proceedingsComputer securityConfidential informationDisaster recovery plansFacility securityFederal regulationsInformation securityInformation security managementInformation systemsInternal controlsMonitoringPhysical securityRisk assessmentSafeguardsStrategic information systems planningUnauthorized accessPolicies and proceduresConfidential communications