Information Security:

FDIC Made Progress in Securing Key Financial Systems, but Weaknesses Remain

GAO-14-674: Published: Jul 17, 2014. Publicly Released: Jul 17, 2014.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Federal Deposit Insurance Corporation (FDIC) has implemented numerous information security controls intended to protect its key financial systems; nevertheless, weaknesses place the confidentiality, integrity, and availability of financial systems and information at unnecessary risk. During 2013, the corporation implemented 28 of the 39 open GAO recommendations pertaining to previously-reported security weaknesses that were unaddressed as of December 31, 2012. The table below details the status of previously-reported recommendations by year.

Status of Previously-Reported Information Security Recommendations

Year reported | Not implemented at the beginning of 2013 | Implemented during 2013 | Not implemented
2011          | 8 (a)                                    | 7                       | 1
2012          | 1 (b)                                    | 0                       | 1
2013          | 30                                       | 21                      | 9
Total         | 39                                       | 28                      | 11

Source: GAO analysis of FDIC data. | GAO14674

(a) FDIC had previously implemented 31 of the 38 recommendations GAO originally reported in 2011.

(b) FDIC had previously implemented 41 of the 42 recommendations GAO originally reported in 2012.

However, FDIC had not fully implemented controls for (1) identifying and authenticating the identity of users, (2) restricting access to sensitive systems and data, (3) encrypting sensitive data, (4) completing background reinvestigations for employees, and (5) auditing and monitoring system access.

An underlying reason for many of these weaknesses is that FDIC did not fully or consistently implement aspects of its information security program. Specifically, FDIC did not:

fully document and implement information security controls;

ensure that employees and contractors received security awareness training;

conduct ongoing assessments of security controls for all systems; and

remediate agency-identified weaknesses in a timely manner.

These weaknesses individually or collectively do not constitute either a material weakness or a significant deficiency for financial reporting purposes. Nevertheless, unless FDIC takes further steps to mitigate these weaknesses, the corporation's sensitive financial information and resources will remain exposed to unnecessary risk of inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction.

Why GAO Did This Study

The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. Because of the importance of FDIC's work, effective information security controls are essential to ensure that the corporation's systems and information are adequately protected from inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction.

As part of its audits of the 2013 financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation Resolution Fund administered by FDIC, GAO assessed the effectiveness of the corporation's controls in protecting the confidentiality, integrity, and availability of its financial systems and information. To do so, GAO examined security policies, procedures, reports, and other documents; tested controls over key financial applications; and interviewed FDIC personnel.

What GAO Recommends

GAO is recommending four actions for FDIC to enhance its information security management program. FDIC concurred with GAO's recommendations. In a separate report with limited distribution, GAO is recommending that FDIC take 21 specific actions to address weaknesses in security controls.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help strengthen access controls and other information security controls over key financial information, systems, and networks, the Chairman of the FDIC should direct the Chief Information Officer to document security controls descriptions for all systems to describe the control thoroughly and ensure that all the required information is included.

    Agency Affected: Federal Deposit Insurance Corporation

  2. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help strengthen access controls and other information security controls over key financial information, systems, and networks, the Chairman of the FDIC should direct the Chief Information Officer to document and maintain a description for each common control in an appropriate document, such as system security plans or other authoritative documents.

    Agency Affected: Federal Deposit Insurance Corporation

  3. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help strengthen access controls and other information security controls over key financial information, systems, and networks, the Chairman of the FDIC should ensure that those with administrative-level access have completed the requisite "Rules of Behavior" training upon receiving access and each year after that.

    Agency Affected: Federal Deposit Insurance Corporation

  4. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help strengthen access controls and other information security controls over key financial information, systems, and networks, the Chairman of the FDIC should direct the Chief Information Officer to perform control assessments for Federal Financial Institutions Examination Council Central Data Repository and Data Communications in accordance with the frequency established.

    Agency Affected: Federal Deposit Insurance Corporation

 
