Information Security: FDIC Implemented Controls over Financial Systems, but Further Improvements are Needed

GAO-16-605 Published: Jun 29, 2016. Publicly Released: Jun 29, 2016.

Highlights

What GAO Found

The Federal Deposit Insurance Corporation (FDIC) has implemented numerous information security controls intended to protect its key financial systems; however, weaknesses remain that place the confidentiality, integrity, and availability of financial systems and information at risk. During calendar year 2015, the corporation continued to devote attention to securing its financial information and systems that support its mission. Key among its actions were improving controls for identifying and authenticating the identity of users and improving controls for authorizing users' access. However, FDIC continues to have unremediated weaknesses. For example, the corporation (1) did not have an effective process for recertifying user access rights to several systems supporting the corporation's financial processing and (2) had not yet applied critical patches to mitigate known vulnerabilities in third-party software on systems supporting financial processing.

Although the corporation had a comprehensive framework for its information security program, some aspects were not fully implemented. For example, the corporation did not (1) fully document and implement procedures for performing system access requests, assignments, and removal and (2) have a policy for monitoring critical file changes. In addition, FDIC had yet to fully address 9 previously reported weaknesses that were unresolved as of December 31, 2014, as indicated in the following table.

Status of GAO Information Security Recommendations to FDIC as of December 2015

Information security control area | Prior GAO recommendations open at the start of calendar year 2015 audit | Recommendations closed during calendar year 2015 audit | Outstanding prior recommendations at the end of calendar year 2015 audit
Information security program      | 2  | (2) | 0
Access controls                   | 10 | (5) | 5
Other controls                    | 4  | (0) | 4
Total                             | 16 | (7) | 9

Source: GAO analysis of FDIC data. | GAO-16-605

While newly identified weaknesses, along with those previously identified that remain uncorrected, are not individually or collectively a material weakness or a significant deficiency for financial reporting purposes, the corporation will have limited assurance that its sensitive financial information and resources will be secure until these weaknesses have been mitigated.

Why GAO Did This Study

FDIC has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. Because of FDIC's reliance on information systems, effective information security controls are essential to ensure that the corporation's systems and information are adequately protected from inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction.

As part of its audit of the 2015 financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation Resolution Fund administered by FDIC, GAO assessed the effectiveness of the corporation's controls in protecting the confidentiality, integrity, and availability of its financial systems and information. To do so, GAO examined security policies, procedures, reports, and other documents; tested controls over key financial applications; and interviewed FDIC personnel.

Recommendations

In addition to the 9 prior recommendations that have not been fully addressed, GAO is making 2 recommendations to improve FDIC's implementation of its information security program. In a separate report with limited distribution, GAO is making 10 new recommendations to FDIC to address newly identified weaknesses in access controls. FDIC concurred with GAO's recommendations.

Recommendations for Executive Action

Recommendation 1
Agency affected: Federal Deposit Insurance Corporation
Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to update and implement access control procedures to require that authorizations for the removal or modification of access rights are documented and that approved changes are acted on in a timely manner.
Status: Closed – Implemented
In 2016, we verified that FDIC, in response to our recommendation, had updated and implemented access control procedures to require that authorizations for the removal or modification of access rights are documented and that approved changes are acted on in a timely manner.

Recommendation 2
Agency affected: Federal Deposit Insurance Corporation
Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to develop and implement a policy that requires monitoring changes to critical files for the platforms identified during the audit.
Status: Closed – Implemented
In 2018, we verified that FDIC had taken sufficient actions to address this recommendation. Specifically, FDIC developed standard operating procedures for monitoring changes to critical configuration files.

Topics

Authentication, Authorized access, Documentation, Federal deposit insurance, Financial statement audits, Information security, Information systems, Internal controls, Policies and procedures, Sensitive data, Sensitive information, Financial systems