Information Security:

Opportunities Exist for the Federal Housing Finance Agency to Improve Controls

GAO-10-528: Published: Apr 30, 2010. Publicly Released: Apr 30, 2010.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Federal Housing Finance Agency (FHFA) relies extensively on computerized systems to carry out its mission to provide effective supervision, regulation, and housing mission oversight of the Federal National Mortgage Association (Fannie Mae), the Federal Home Loan Mortgage Corporation (Freddie Mac), and the federal home loan banks. Effective information security controls are essential to ensure that FHFA's financial information is protected from inadvertent or deliberate misuse, disclosure, or destruction. As part of its audit of FHFA's fiscal year 2009 financial statements, GAO assessed the effectiveness of the agency's information security controls to ensure the confidentiality, integrity, and availability of the agency's financial information. To do this, GAO examined FHFA information security policies, procedures, and other documents; tested controls over key financial applications; and interviewed key agency officials.

Although FHFA has implemented important information security controls, it has not always implemented appropriate controls to sufficiently protect the confidentiality, integrity, and availability of financial information stored on and transmitted over its key financial systems, databases, and computer networks. The agency's financial system computing environment had deficiencies in several areas and the controls that were in place were not always effectively implemented to prevent, limit, and detect unauthorized access to the agency network and systems. Specifically, FHFA did not always maintain authorization records for network and system access, enforce the most restrictive access needed by users on shared network files and directories, and enforce the most restrictive set of rights needed by users to perform their assigned duties. Further, it did not effectively implement physical protection and environmental safety controls over its facilities and information technology resources. GAO identified numerous instances in which FHFA facilities were not adequately secured and was able to obtain unauthorized access from outside agency facilities into the agency's interior space containing sensitive information and information technology equipment. FHFA officials acknowledged these shortcomings and indicated that the agency has taken steps or is planning to take steps to mitigate these deficiencies. A key reason for the control deficiencies in FHFA's financial system computing environment is that the agency has not yet fully implemented its agencywide information security program to ensure that controls are appropriately designed and operating effectively. Although FHFA made important progress in developing and documenting elements of its information security program, written policies, procedures, and technical standards do not reflect the current operating environment. 
Further, the agency has not yet developed, documented, and implemented sufficient policies and procedures to ensure that the activities performed by external third parties are monitored for compliance with FHFA's policies. Although these deficiencies were not considered significant deficiencies for financial reporting purposes, if left uncorrected they unnecessarily increase the risk that sensitive and financial information is subject to unauthorized disclosure, modification, or destruction.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In fiscal year 2013, we verified that FHFA, in response to our recommendation, maintained network access authorizations for every agency network user.

    Recommendation: To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to improve logical access controls, the Acting Director should ensure FHFA maintains network access authorizations for every agency network user.

    Agency Affected: Federal Housing Finance Agency

  2. Status: Open

    Comments: Recommendation is pending closure.

    Recommendation: To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to improve logical access controls, the Acting Director should ensure FHFA reviews current access to network files and directories containing confidential information and restricts access to personnel with an authorized need to access that information.

    Agency Affected: Federal Housing Finance Agency

  3. Status: Closed - Implemented

    Comments: We verified that FHFA continuously monitors the use of privileged accounts on systems throughout its network so inadvertent or extended use of privileged access is promptly detected and removed.

    Recommendation: To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to improve logical access controls, the Acting Director should ensure FHFA continuously monitors use of privileged accounts on systems throughout the network so inadvertent or extended use of privileged access is promptly detected and removed.

    Agency Affected: Federal Housing Finance Agency

  4. Status: Closed - Implemented

    Comments: We verified that FHFA secured areas that contain IT equipment and sensitive information.

    Recommendation: To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to strengthen controls over physical access, the Acting Director should ensure FHFA secures areas that contain IT equipment and sensitive information.

    Agency Affected: Federal Housing Finance Agency

  5. Status: Closed - Implemented

    Comments: We verified that FHFA completed sufficient physical security policies to address protection of agency assets, including incident response, access authorizations, and environmental safety controls.

    Recommendation: To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to strengthen controls over physical access, the Acting Director should ensure FHFA completes sufficient physical security policies to address protection of agency assets, including incident response, access authorizations, and environmental safety controls.

    Agency Affected: Federal Housing Finance Agency

  6. Status: Closed - Implemented

    Comments: We verified that FHFA performed physical security risk assessments at key facilities.

    Recommendation: To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to strengthen controls over physical access, the Acting Director should ensure FHFA performs physical security risk assessments at key facilities.

    Agency Affected: Federal Housing Finance Agency

  7. Status: Closed - Implemented

    Comments: We verified that FHFA developed, documented, and implemented monitoring procedures to ensure that physical access authorizations to secure areas containing sensitive computer resources, including server rooms and sensitive information, are current and controlled.

    Recommendation: To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to strengthen controls over physical access, the Acting Director should ensure FHFA develops, documents, and implements monitoring procedures to ensure that physical access authorizations to secure areas containing sensitive computer resources, including server rooms and sensitive information, are current and controlled.

    Agency Affected: Federal Housing Finance Agency

  8. Status: Closed - Implemented

    Comments: We verified that FHFA developed, documented, and implemented monitoring procedures and installed appropriate equipment to ensure that FHFA can detect and respond to potential physical security incidents.

    Recommendation: To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to strengthen controls over physical access, the Acting Director should ensure FHFA develops, documents, and implements monitoring procedures and installs appropriate equipment to ensure that FHFA can detect and respond to potential physical security incidents.

    Agency Affected: Federal Housing Finance Agency

  9. Status: Closed - Implemented

    Comments: We verified that FHFA implemented and enforced visitor control practices at all facilities.

    Recommendation: To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to strengthen controls over physical access, the Acting Director should ensure FHFA implements and enforces visitor control practices at all facilities.

    Agency Affected: Federal Housing Finance Agency

  10. Status: Closed - Implemented

    Comments: We verified that FHFA increased employees' awareness of the need to enforce physical security safeguards through steps such as improved signage, emails, and training activities.

    Recommendation: To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to strengthen controls over physical access, the Acting Director should ensure FHFA increases employees' awareness of the need to enforce physical security safeguards.

    Agency Affected: Federal Housing Finance Agency

  11. Status: Closed - Implemented

    Comments: We verified that FHFA secured and removed construction materials from telecommunications and electrical closets that support computer operations.

    Recommendation: To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to strengthen controls over physical access, the Acting Director should ensure FHFA secures and removes construction materials from telecommunications and electrical closets that support computer operations.

    Agency Affected: Federal Housing Finance Agency

  12. Status: Closed - Implemented

    Comments: We verified that FHFA developed, documented, and implemented procedures enforcing separation of incompatible duties among personnel.

    Recommendation: To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to improve its information security program, the Acting Director should ensure FHFA develops, documents, and implements procedures enforcing separation of incompatible duties among personnel.

    Agency Affected: Federal Housing Finance Agency

  13. Status: Closed - Implemented

    Comments: We verified that FHFA finalized, approved, and implemented configuration management policies and procedures.

    Recommendation: To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to improve its information security program, the Acting Director should ensure FHFA finalizes, approves, and implements configuration management policies and procedures.

    Agency Affected: Federal Housing Finance Agency

  14. Status: Closed - Implemented

    Comments: We verified that FHFA approved and tested continuity of operations and disaster recovery plans.

    Recommendation: To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to improve its information security program, the Acting Director should ensure FHFA approves and tests continuity of operations and disaster recovery plans.

    Agency Affected: Federal Housing Finance Agency

  15. Status: Open

    Comments: Recommendation is pending closure.

    Recommendation: To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to improve its information security program, the Acting Director should ensure FHFA develops, documents, and implements procedures to monitor access to agency financial information by Bureau of Public Debt (BPD) and Oracle Corporation staff and contractors.

    Agency Affected: Federal Housing Finance Agency

  16. Status: Closed - Implemented

    Comments: We verified that FHFA developed, documented, and implemented procedures to assess all security reviews and plans of action and milestones developed by BPD and Oracle Corporation staff and contractors.

    Recommendation: To help strengthen access controls and other information system controls over key financial systems, information, and networks, and to improve its information security program, the Acting Director should ensure FHFA develops, documents, and implements procedures to assess all security reviews and plans of action and milestones developed by BPD and Oracle Corporation staff and contractors.

    Agency Affected: Federal Housing Finance Agency

 
