Information Security: FDIC Implemented Controls over Financial Systems, but Further Improvements are Needed
Highlights
What GAO Found
The Federal Deposit Insurance Corporation (FDIC) has implemented numerous information security controls intended to protect its key financial systems; however, weaknesses remain that place the confidentiality, integrity, and availability of financial systems and information at risk. During calendar year 2015, the corporation continued to devote attention to securing its financial information and systems that support its mission. Key among its actions were improving controls for identifying and authenticating the identity of users and improving controls for authorizing users' access. However, FDIC continues to have unremediated weaknesses. For example, the corporation (1) did not have an effective process for recertifying user access rights to several systems supporting the corporation's financial processing and (2) had not yet applied critical patches to mitigate known vulnerabilities in third-party software on systems supporting financial processing.
Although the corporation had a comprehensive framework for its information security program, some aspects were not fully implemented. For example, the corporation did not (1) fully document and implement procedures for performing system access requests, assignments, and removal and (2) have a policy for monitoring critical file changes. In addition, FDIC had yet to fully address 9 previously reported weaknesses that were unresolved as of December 31, 2014, as indicated in the following table.
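The two access-control findings above (no effective recertification of user access rights, and undocumented or slow removal of access) are both reconciliation problems: the access a system actually grants must be compared with the authorizations on file. The following is an added illustration of such a check, not FDIC's process or anything from the GAO report. The systems, users, roles, dates and the 5-day removal window are constructed sample values; an actual review would pull the live access list from each financial system and the authorizations from the access-request records.

```python
"""Access recertification check (added illustration; constructed data).

Reconciles a system's current access list against the approved
authorizations on file and flags two conditions:
  * an active account whose access has no approving authorization, and
  * an approved removal that has not been acted on within the allowed window.
"""
from datetime import date

# Constructed "as of" date for the review.
AUDIT_DATE = date(2015, 12, 31)

# Constructed: what the access-control system reports as live today.
CURRENT_ACCESS = [
    {"user": "jdoe",   "system": "GL", "role": "poster"},
    {"user": "asmith", "system": "GL", "role": "approver"},
    {"user": "bwong",  "system": "AP", "role": "poster"},
    {"user": "ctemp",  "system": "AP", "role": "admin"},
]

# Constructed: approved authorizations on file (grants and removals).
AUTHORIZATIONS = [
    {"user": "jdoe",   "system": "GL", "role": "poster",   "action": "grant",  "approved": date(2015, 1, 5)},
    {"user": "asmith", "system": "GL", "role": "approver", "action": "grant",  "approved": date(2015, 2, 1)},
    {"user": "bwong",  "system": "AP", "role": "poster",   "action": "grant",  "approved": date(2015, 3, 3)},
    {"user": "bwong",  "system": "AP", "role": "poster",   "action": "remove", "approved": date(2015, 9, 1)},
]


def _key(entry):
    return (entry["user"], entry["system"], entry["role"])


def recertify(current, authorizations, today, sla_days=5):
    """Return (unauthorized, overdue_removals).

    unauthorized:     live access entries with no approved, still-effective grant.
    overdue_removals: live access whose approved removal is older than sla_days.
    """
    # The most recently approved action per (user, system, role) is the intended state.
    latest = {}
    for auth in sorted(authorizations, key=lambda a: a["approved"]):
        latest[_key(auth)] = auth

    unauthorized, overdue = [], []
    for entry in current:
        auth = latest.get(_key(entry))
        if auth is None:
            unauthorized.append(entry)  # live access with no paper trail
        elif auth["action"] == "remove":
            age = (today - auth["approved"]).days
            if age > sla_days:
                overdue.append({**entry, "days_overdue": age - sla_days})
    return unauthorized, overdue


if __name__ == "__main__":
    unauth, late = recertify(CURRENT_ACCESS, AUTHORIZATIONS, AUDIT_DATE)
    for e in unauth:
        print("NO AUTHORIZATION:", e["user"], e["system"], e["role"])
    for e in late:
        print("REMOVAL OVERDUE:", e["user"], e["system"], e["role"], f"{e['days_overdue']} days past window")
```

Taking the most recent approved action as the intended state is what lets one routine cover both findings: an account with no record at all is the recertification gap, and an account whose latest record is an approved removal still showing as live is the slow-removal gap.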
Status of GAO Information Security Recommendations to FDIC as of December 2015
Information security control area | Prior GAO recommendations open at the start of calendar year 2015 audit | Recommendations closed during calendar year 2015 audit | Outstanding prior recommendations at the end of calendar year 2015 audit
---|---|---|---
Information security program | 2 | (2) | 0
Access controls | 10 | (5) | 5
Other controls | 4 | (0) | 4
Total | 16 | (7) | 9
Source: GAO analysis of FDIC data. | GAO-16-605
While newly identified weaknesses, along with those previously identified that remain uncorrected, are not individually or collectively a material weakness or a significant deficiency for financial reporting purposes, the corporation will have limited assurance that its sensitive financial information and resources will be secure until these weaknesses have been mitigated.
Why GAO Did This Study
FDIC has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. Because of FDIC's reliance on information systems, effective information security controls are essential to ensure that the corporation's systems and information are adequately protected from inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction.
As part of its audit of the 2015 financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation Resolution Fund administered by FDIC, GAO assessed the effectiveness of the corporation's controls in protecting the confidentiality, integrity, and availability of its financial systems and information. To do so, GAO examined security policies, procedures, reports, and other documents; tested controls over key financial applications; and interviewed FDIC personnel.
Recommendations
In addition to the 9 prior recommendations that have not been fully addressed, GAO is making 2 recommendations to improve FDIC's implementation of its information security program. In a separate report with limited distribution, GAO is making 10 new recommendations to FDIC to address newly identified weaknesses in access controls. FDIC concurred with GAO's recommendations.
Recommendations for Executive Action
Agency Affected | Recommendation | Status
---|---|---
Federal Deposit Insurance Corporation | To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to update and implement access control procedures to require that authorizations for the removal or modification of access rights are documented and that approved changes are acted on in a timely manner. | In 2016, we verified that FDIC, in response to our recommendation, had updated and implemented access control procedures to require that authorizations for the removal or modification of access rights are documented and that approved changes are acted on in a timely manner.
Federal Deposit Insurance Corporation | To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to develop and implement a policy that requires monitoring changes to critical files for the platforms identified during the audit. | In 2018, we verified that FDIC had taken sufficient actions to address this recommendation. Specifically, FDIC developed standard operating procedures for monitoring changes to critical configuration files.
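The second recommendation, monitoring changes to critical configuration files, is in practice a baseline-and-compare job: record a cryptographic digest of each watched file, then on every later run report what was modified, removed, or added. The block below is an added illustration of that mechanism and is not FDIC's procedure or anything from the GAO report. The watched files are constructed inside a temporary directory so the script runs anywhere; a real deployment would watch the platform's actual configuration files, keep the baseline on separate, write-protected storage, and route the findings into the change-management process so that each reported difference is matched against an approved change.

```python
"""Critical-file change monitoring (added illustration; constructed files).

Builds a baseline of SHA-256 digests for a set of watched paths, then on a
later run classifies each path as unchanged, modified, removed, or added.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Stream the file so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each watched path to its digest; a missing file records None."""
    return {p: (sha256_of(p) if os.path.isfile(p) else None) for p in paths}


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh snapshot."""
    changes = {"modified": [], "removed": [], "added": [], "unchanged": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            changes["unchanged"].append(path)
        elif old is None:
            changes["added"].append(path)      # appeared since the baseline
        elif new is None:
            changes["removed"].append(path)    # present at baseline, now gone
        else:
            changes["modified"].append(path)   # content digest differs
    return changes


def demo():
    """Constructed scenario: take a baseline, then edit one file and delete another."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "app.conf")
        hosts = os.path.join(d, "hosts")
        with open(cfg, "w") as f:
            f.write("db=prod\n")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        watched = [cfg, hosts]

        # A scheduled job would persist this JSON on protected storage.
        baseline_json = json.dumps(build_baseline(watched))

        # Simulated events between runs: an unapproved edit and a deletion.
        with open(cfg, "a") as f:
            f.write("debug=true\n")
        os.remove(hosts)

        result = compare(json.loads(baseline_json), build_baseline(watched))
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        if paths:
            print(f"{kind.upper()}: {', '.join(paths)}")
```

The digest comparison tells you that a file changed, not whether the change was authorized; the operating procedures the recommendation calls for are what connect each reported difference to an approved change record.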