This is the accessible text file for GAO report number GAO-11-29 entitled 'Information Security: Federal Deposit Insurance Corporation Needs to Mitigate Control Weaknesses' which was released on November 30, 2010.

This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version.

We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office:
GAO:

Report to the Chairman, Federal Deposit Insurance Corporation:

November 2010:

Information Security:

Federal Deposit Insurance Corporation Needs to Mitigate Control Weaknesses:

GAO-11-29:

GAO Highlights:

Highlights of GAO-11-29, a report to the Chairman, Federal Deposit Insurance Corporation.

Why GAO Did This Study:

The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors.
Because of the importance of its work, the corporation must employ strong information security controls to ensure that its information systems are adequately protected from inadvertent misuse, fraud, and improper disclosure.

As part of its audit of the 2009 financial statements of the Deposit Insurance Fund and the Federal Savings & Loan Insurance Corporation Resolution Fund administered by FDIC, GAO assessed (1) the effectiveness of FDIC's controls in protecting the confidentiality, integrity, and availability of its financial systems and information and (2) the progress FDIC has made in mitigating previously reported information security weaknesses. To perform the audit, GAO examined security policies, procedures, reports, and other documents; tested controls over key financial applications; and interviewed key FDIC personnel.

What GAO Found:

FDIC did not sufficiently implement access and other controls intended to protect the confidentiality, integrity, and availability of its financial systems and information. For example, it did not always:

* sufficiently restrict user access to systems,
* ensure strong system boundaries,
* consistently enforce strong controls for identifying and authenticating users,
* encrypt sensitive information, or
* audit and monitor security-relevant events.

In addition, FDIC did not have policies, procedures, and controls in place to ensure the appropriate segregation of incompatible duties, adequately manage the configuration of its financial information systems, and update contingency plans. A key reason for these weaknesses is that FDIC did not always fully implement key information security program activities such as effectively developing, documenting, and implementing security policies, and implementing an effective continuous monitoring program.
Until these weaknesses and program deficiencies are corrected, the corporation will not have sufficient assurance that its financial information and assets are adequately safeguarded from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction.

Despite the newly identified weaknesses, FDIC has mitigated each of the information security weaknesses previously reported by GAO. To its credit, the corporation has made improvements to its configuration management controls and aspects of its security management. For example, it maintained a full and complete requirements baseline for two systems and included key information in a remedial action plan.

Nevertheless, GAO concluded that weaknesses in information security controls constituted a significant deficiency in internal controls over the information systems and data used for financial reporting. Until FDIC corrects the security weaknesses identified during this year's audit, it will face an elevated risk of the misuse of federal assets, unauthorized modification or destruction of financial information, inappropriate disclosure of other sensitive information, and disruption of critical operations.

What GAO Recommends:

GAO is recommending that FDIC improve key information activities to enhance the corporation's information security program. FDIC generally agreed with GAO's recommendations and stated that it plans to address the identified weaknesses.

View [hyperlink, http://www.gao.gov/products/GAO-11-29] or key components. For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or Dr. Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.
[End of section]

Contents:

Letter:

Background:
Information Security Weaknesses Place Financial and Other Sensitive Information at Risk:
FDIC Has Mitigated Previously Reported Weaknesses:
Conclusions:
Recommendations for Executive Action:
Agency Comments:

Appendix I: Objectives, Scope, and Methodology:

Appendix II: Comments from the Federal Deposit Insurance Corporation:

Appendix III: GAO Contacts and Staff Acknowledgments:

Abbreviations:

DHS: Department of Homeland Security
FDIC: Federal Deposit Insurance Corporation
FISMA: Federal Information Security Management Act
ID: identification
IP: Internet Protocol
NIST: National Institute of Standards and Technology
NSA: National Security Agency
OMB: Office of Management and Budget
SNMP: Simple Network Management Protocol
US-CERT: United States Computer Emergency Readiness Team

[End of section]

United States Government Accountability Office:
Washington, DC 20548:

November 30, 2010:

The Honorable Sheila C. Bair:
Chairman:
Federal Deposit Insurance Corporation:

Dear Madame Chairman:

The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating banking institutions, and protecting depositors. In carrying out its financial and mission-related operations, FDIC relies extensively on computerized systems. Because FDIC plays an important role in maintaining public confidence in the nation's financial system, issues that affect the confidentiality, integrity, and availability of the sensitive information maintained on its systems are of paramount concern.
In particular, effective information security controls are essential to ensure that FDIC systems and information are adequately protected from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction.[Footnote 1]

As part of our audit of FDIC's calendar year 2009 financial statements of the Deposit Insurance Fund and the Federal Savings & Loan Insurance Corporation Resolution Fund, we assessed the effectiveness of FDIC's information security controls over key financial systems, data, and networks.[Footnote 2] In that report, we concluded that weaknesses in information security controls collectively constituted a significant deficiency in internal controls over the information systems and data used for financial reporting.[Footnote 3] In this report, we provide additional details on FDIC's information security controls during calendar year 2009. Our specific objectives were to assess (1) the effectiveness of its controls for ensuring the confidentiality, integrity, and availability of its financial information systems and information and (2) the status of FDIC's actions to correct or mitigate previously reported information security weaknesses.

We conducted this performance audit at FDIC facilities in Arlington, Virginia; Washington, D.C.; and Dallas, Texas, from December 2009 to November 2010 in accordance with generally accepted government auditing standards.[Footnote 4] Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe our audit provides a reasonable basis for our findings and conclusions. See appendix I for additional details on our objectives, scope, and methodology.
Background:

Information security is a critical consideration for any organization that depends on information systems and computer networks to carry out its mission and is especially important for a government corporation such as FDIC, which oversees the financial institutions that are entrusted with safeguarding the public's money. While the use of interconnected electronic information systems allows FDIC to accomplish its mission more quickly and effectively, their use also exposes FDIC's information to the various internal and external threats that come with the use of such systems.

Cyber-based threats to information systems and cyber-related critical infrastructure are evolving and growing and can affect FDIC information systems and computer networks. Threats that could adversely affect the systems and information relevant to FDIC's operations associated with financial management and reporting can come from sources internal and external to the organization. Internal threats include mistakes by individuals, and fraudulent or malevolent acts by insiders. External threats include the ever-growing number of cyber-based attacks that can come from a variety of sources such as hackers, criminals, and foreign nations. These potential attackers have a variety of techniques at their disposal, which can vastly enhance the reach and impact of their actions. For example, cyber attackers do not need to be physically close to their targets, their attacks can easily cross state and national borders, and cyber attackers can readily preserve their anonymity. Further, the interconnectivity among information systems presents increasing opportunities for such attacks. Indeed, reports of security incidents from federal agencies are on the rise, increasing by more than 400 percent from fiscal year 2006 to fiscal year 2009.
Specifically, the number of incidents reported by federal agencies to the United States Computer Emergency Readiness Team (US-CERT) has increased dramatically over the past 4 years: from 5,503 incidents reported in fiscal year 2006 to about 30,000 incidents in fiscal year 2009.[Footnote 5]

Compounding the growing number and kinds of threats are the significant deficiencies in security controls on the information systems at federal agencies, which have resulted in vulnerabilities in both financial and nonfinancial systems and information. These deficiencies continue to place assets at risk of inadvertent or deliberate misuse, financial information at risk of unauthorized modification or destruction, and critical operations at risk of disruption. Accordingly, we have designated information security as a governmentwide high-risk area since 1997, a designation that remains in force today.[Footnote 6]

Recognizing the importance of securing federal agencies' information systems, Congress enacted the Federal Information Security Management Act (FISMA) in December 2002 to strengthen the security of information and systems within federal agencies.[Footnote 7] FISMA requires each agency to develop, document, and implement an agencywide information security program to provide information security for the information and systems that support the operations and assets of the entities, using a risk-based approach to information security management.

FDIC Is a Key Protector of Bank and Thrift Deposits:

FDIC was created by Congress to maintain the stability of and public confidence in the nation's financial system by insuring deposits, examining and supervising financial institutions, and resolving troubled institutions. Congress created FDIC in 1933[Footnote 8] in response to the thousands of bank failures that occurred in the 1920s and early 1930s.[Footnote 9] FDIC identifies, monitors, and addresses risks to the deposit insurance fund when a bank or thrift institution fails.
The Bank Insurance Fund and the Savings Association Insurance Fund were established as FDIC responsibilities under the Financial Institutions Reform, Recovery, and Enforcement Act of 1989, which sought to reform, recapitalize, and consolidate the federal deposit insurance system.[Footnote 10] The act also designated FDIC as the administrator of the Federal Savings & Loan Insurance Corporation Resolution Fund, which was created to complete the affairs of the former Federal Savings & Loan Insurance Corporation and liquidate the assets and liabilities transferred from the former Resolution Trust Corporation. The Bank Insurance Fund and the Savings Association Insurance Fund merged into the Deposit Insurance Fund on February 8, 2006, as a result of the passage of the Federal Deposit Insurance Reform Act of 2005.[Footnote 11]

FDIC Relies on Computer Systems to Support Its Mission and Financial Reporting:

FDIC relies extensively on computerized systems to support its mission, including financial operations, and to store the sensitive information that it collects. Its local and wide area networks interconnect these systems. To support its financial management functions, the corporation relies on many systems, including:

* a corporatewide system that functions as a unified set of financial and payroll systems that are managed together and operated in an integrated fashion;
* a system to calculate and collect FDIC deposit insurance premiums and Financing Corporation bond principal and interest amounts from insured financial institutions;[Footnote 12]
* a Web-based application that provides full functionality to support franchise marketing, asset marketing, and asset management;
* a system to request access to and receive permission for the computer applications and resources available to its employees, contractors, and other authorized personnel; and
* a primary receivership and subsidiary financial processing and reporting system.
FDIC financial systems process and track financial transactions such as disbursements made to support operations. FDIC protects its computerized systems using a layered approach to security defense.

Under FISMA, the Chairman of FDIC is responsible for, among other things, (1) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of the entity's information systems and information; (2) ensuring that senior agency officials provide information security for the information and information systems that support the operations and assets under their control; and (3) delegating to the corporation's Chief Information Officer the authority to ensure compliance with the requirements imposed on the agency under FISMA.

The Chief Information Officer is responsible for developing and maintaining a corporatewide information security program and for developing and maintaining information security policies, procedures, and control techniques that address all applicable requirements. The Chief Information Officer also serves as the authorizing official with the authority to approve the operation of the information systems at an acceptable level of risk to the corporation.

The Chief Information Security Officer reports to the Chief Information Officer and serves as the Chief Information Officer's designated representative. The Chief Information Security Officer is responsible for the overall support of certification and accreditation activities.[Footnote 13] According to FDIC policy, the Chief Information Security Officer is responsible for the development, coordination, and implementation of FDIC's security policy and the coordination of information security and privacy efforts across the corporation.
The Chief Information Security Officer coordinates the process of building a corporatewide security strategy and vision to include the creation and maintenance of FDIC's information security policy, security risk assessment efforts, information technology risk assessments, disaster recovery, security monitoring, security awareness and training program, and security protection architecture.

Information Security Weaknesses Place Financial and Other Sensitive Information at Risk:

FDIC did not sufficiently implement access and other controls intended to protect the confidentiality, integrity, and availability of its financial systems and information and other sensitive information. A key reason for these weaknesses is that FDIC did not always fully implement key information security program activities such as effectively developing and implementing security policies, and implementing an effective continuous monitoring program. These control deficiencies, which collectively constituted a significant deficiency for calendar year 2009, reduced FDIC's ability to ensure that authorized users had only the access needed to perform their assigned duties, and that its systems were sufficiently protected from unauthorized access. As a result, increased risk exists that financial information and other sensitive information could be disclosed or modified without authorization.

Access Controls to Information Resources Were Not Sufficient:

A basic management objective for any organization is to protect the resources that support its critical operations and assets from unauthorized access. Organizations accomplish this by designing and implementing controls that are intended to prevent, limit, and detect unauthorized access to computer resources (e.g., data, programs, equipment, and facilities), thereby protecting them from unauthorized disclosure, modification, and loss.
Specific access controls include authorization restrictions, system boundary protections, identification and authentication of users, cryptography, and audit and monitoring procedures. Without adequate access controls, unauthorized individuals, including intruders and former employees, can surreptitiously read and copy sensitive data and make undetected changes or deletions for malicious purposes or personal gain. In addition, authorized users can intentionally or unintentionally modify or delete data or execute changes that are outside of their authority.

User Access Was Not Sufficiently Restricted:

Authorization is the process of granting or denying access rights and privileges to a protected resource, such as a network, system, application, function, or file. A key component of granting or denying access rights is the concept of "least privilege," which refers to granting users only the access rights and permissions that they need to perform their official duties. To restrict legitimate users' access to only those programs and files that they need in order to do their work, organizations establish user access rights: allowable actions that can be assigned to users or to groups of users. File and directory permissions are rules that are associated with a particular file or directory, regulating which users can access it--and the extent of their access rights. To avoid unintentionally giving a user unnecessary access to sensitive files and directories, an organization should give careful consideration to its assignment of rights and permissions.
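The least-privilege discussion above lends itself to a concrete review. The following Python script is an added example written for this text, not code from GAO or FDIC. It runs two checks over a constructed inventory: file and directory permissions on sensitive paths (flagging entries readable or writable by users outside the owning group, and group-writable entries whose group is not administrative), and each user's effective permissions compared against the roles assigned to that user in an approved role matrix. The paths, account names, groups, role names and permission names are all assumptions made for the example.

```python
"""
Least-privilege review over a constructed inventory (added example; not from
the GAO report or FDIC).  Every path, account, group, role and permission
name below is constructed for illustration.
"""
import stat

# Constructed sample: (path, owner, group, mode bits) as os.stat() would report.
SENSITIVE_FILES = [
    ("/etc/router/startup-config", "root",   "netadmin", 0o640),
    ("/etc/router/snmp.conf",      "root",   "netadmin", 0o664),  # world-readable
    ("/opt/acct/receivership.db",  "oracle", "dba",      0o644),  # world-readable
    ("/opt/acct/backup.key",       "oracle", "dba",      0o600),
]
# Groups whose members are expected to administer these files (assumption).
ADMIN_GROUPS = {"netadmin", "dba"}


def file_permission_findings(files=SENSITIVE_FILES, admin_groups=ADMIN_GROUPS):
    """Return [(path, reason)] for sensitive files whose mode bits grant access
    beyond the owner and an administrative group."""
    findings = []
    for path, owner, group, mode in files:
        if mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append((path, "world-accessible"))
        if mode & stat.S_IWGRP and group not in admin_groups:
            findings.append((path, "group-writable by non-admin group"))
    return findings


# Approved role matrix: which permissions each role is allowed to carry.
ROLE_PERMISSIONS = {
    "ap_clerk":    {"invoice.create", "invoice.view"},
    "ap_approver": {"invoice.view", "invoice.approve"},
    "dba":         {"db.admin"},
}
# Roles assigned to each account (constructed).
USER_ROLES = {"alice": {"ap_clerk"}, "bob": {"ap_approver"}, "carol": {"dba"}}
# Permissions actually granted in the system (constructed); two exceed the roles.
USER_GRANTS = {
    "alice": {"invoice.create", "invoice.view", "db.admin"},
    "bob":   {"invoice.view", "invoice.approve"},
    "carol": {"db.admin", "invoice.approve"},
}


def excess_permissions(user_roles=USER_ROLES, grants=USER_GRANTS,
                       roles=ROLE_PERMISSIONS):
    """Return {user: sorted permissions that no assigned role justifies}.
    Accounts with no excess are omitted, so an empty dict means clean."""
    result = {}
    for user, granted in grants.items():
        allowed = set().union(*(roles.get(r, set())
                                for r in user_roles.get(user, set())))
        excess = sorted(granted - allowed)
        if excess:
            result[user] = excess
    return result


if __name__ == "__main__":
    for path, reason in file_permission_findings():
        print(f"PERMISSION  {path}: {reason}")
    for user, perms in excess_permissions().items():
        print(f"ENTITLEMENT {user}: granted beyond assigned roles: {perms}")
```

The second check generalizes the report's point: rather than asking whether one named user has too much access, it derives the allowed set from assigned roles and reports everything granted beyond it, which is the comparison an access recertification needs.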
In addition, National Institute of Standards and Technology (NIST) guidance states that an organization should enforce approved authorizations for logical access to its information systems with access mechanisms such as access control lists within the network system.[Footnote 14] Furthermore, NIST guidance states that access should be allowed only for authorized users and only for the tasks necessary to accomplish their work in accordance with the organization's missions and business functions.

FDIC did not always sufficiently restrict system access and privileges to only those users who needed access to perform their assigned duties. For example, FDIC did not always:

* configure access control lists on all its network devices to limit or restrict network traffic,
* configure access control lists on servers dedicated to network management to restrict access to only those users who require it,
* ensure access to sensitive files of critical network devices was adequately controlled,
* control access to a database supporting an accounting application used to process receivership asset financial activity, and
* limit user access rights to only those roles necessary to perform their duties.

As a result, increased risk exists that a user could gain inappropriate access to computer resources, circumvent security controls, and deliberately or inadvertently read, modify, or delete financial information and other sensitive information.

System Boundary Protections Were Not Adequately Enforced:

Boundary protection controls logical connectivity into and out of networks and controls connectivity to and from network-connected devices. Unnecessary connectivity to an organization's network increases not only the number of access paths that must be managed and the complexity of the task, but also the risks of unauthorized access.
National Security Agency (NSA) guidelines state that, to reduce the probability of a successful network penetration, the data and telephony networks must be logically separated.

FDIC did not control access to its data network by separating or partitioning the data network from the voice network. Physical convergence of voice and data networks is an advantage of Internet Protocol (IP) telephony systems; however, placing both systems on the same network means both are now susceptible to the same attacks and the same attackers. As a result, increased risk exists that unauthorized or malicious users could gain access to the data network and inadvertently read, modify, or delete financial information and other sensitive information.

Identification and Authentication User Controls Were Not Consistently Enforced:

A computer system must be able to identify and authenticate the identity of a user so that activities on the system can be linked to that specific individual and to protect its systems from inadvertent or malicious access. When an organization assigns unique user accounts to specific users, the system is able to distinguish one user from another--a process called identification. This allows the system to distinguish and track one user from another. The system must also establish the validity of the user's claimed identity by requesting some kind of information, such as a password, that is known only by the user--a process known as authentication.

The NSA security guidelines state that standard or default community strings should not be used.[Footnote 15] In addition, NIST guidance states that an organization should manage information system authenticators by changing the default content of authenticators (e.g., passwords) when installing an information system. Furthermore, FDIC policy states that passwords should be changed after 90 days.

FDIC did not consistently enforce identification and authentication controls for its users and systems.
Specifically,

* FDIC had not securely configured the Simple Network Management Protocol (SNMP) community strings.[Footnote 16] Also, FDIC had not recently changed the SNMP read-write community string for administering routers and switches.
* An FDIC network software package was operating with a default vendor-supplied identification (ID) and password.
* Several service and administrator user accounts on UNIX servers were not required to change their passwords in accordance with FDIC policy or were set to never expire.

As a result of these weaknesses, increased risk exists that a user would not be uniquely identified before accessing the FDIC network, leaving FDIC without a reliable trail to follow to hold the user accountable in the event of a security incident.

Sensitive Information Was Not Always Encrypted:

Cryptography underlies many of the mechanisms used to enforce the confidentiality and integrity of sensitive information. A basic element of cryptography is encryption.[Footnote 17] Encryption can be used to provide basic data confidentiality and integrity by transforming plain text into cipher text using a special value known as a key and a mathematical process known as an algorithm.[Footnote 18] If encryption is not used, user ID and password combinations will be susceptible to electronic eavesdropping by devices on the network when they are transmitted.

NSA and NIST recommend encrypting network services, and NIST guidance states that organizations should configure an information system to provide only the essential capabilities needed or restrict the use of protocols that can allow the unauthorized transfer of information.[Footnote 19] NIST guidance also states that the use of encryption by organizations can reduce the probability of unauthorized disclosure of information.

FDIC did not always ensure that sensitive information transmitted over its network was adequately encrypted.
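The identification and authentication findings above (default SNMP community strings, a vendor-supplied default ID and password, passwords that never expire) and the encryption weakness introduced in the preceding sentence are conditions a routine configuration check can surface before an audit does. The Python below is an added example, not FDIC's or GAO's code. It parses constructed /etc/shadow-style records against the 90-day password policy the report cites, scans a constructed snmpd.conf excerpt written in Net-SNMP syntax for default or source-unrestricted community strings, and lists enabled network services that use cleartext protocols. The sample records, host and account names, and the set of protocols treated as cleartext are assumptions for the example.

```python
"""
Authenticator and cleartext-protocol configuration checks (added example;
not FDIC or GAO code).  All sample input below is constructed.
"""
MAX_PASSWORD_AGE_DAYS = 90                      # policy value cited in the report
DEFAULT_COMMUNITIES = {"public", "private"}     # well-known vendor defaults
CLEARTEXT_PROTOCOLS = {"telnet", "ftp", "tftp", "rlogin", "http"}  # assumption

# Constructed /etc/shadow-style records:
# name:hash:lastchg:min:max:warn:inactive:expire:
SHADOW_SAMPLE = """\
root:$6$x:18200:0:90:7:::
svc_backup:$6$y:17000:0:99999:7:::
oracle:$6$z:17500:0::7:::
appadmin:$6$w:18100:0:60:7:::
batch:$6$v:18000:0:180:7:::
nagios:!:18000:0:90:7:::
"""


def password_aging_findings(shadow_text=SHADOW_SAMPLE,
                            max_days=MAX_PASSWORD_AGE_DAYS):
    """Return [(account, reason)] for accounts whose password never expires
    (empty or 99999 max field) or whose maximum age exceeds policy.  Locked
    accounts (hash beginning with '!' or '*') cannot log in by password and
    are skipped."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, pw_hash, max_age = fields[0], fields[1], fields[4]
        if pw_hash.startswith(("!", "*")):
            continue
        if max_age == "" or int(max_age) >= 99999:
            findings.append((name, "password never expires"))
        elif int(max_age) > max_days:
            findings.append((name, f"max age {max_age} exceeds {max_days} days"))
    return findings


# Constructed snmpd.conf excerpt (Net-SNMP directive syntax:
# rocommunity|rwcommunity COMMUNITY [SOURCE ...]).
SNMP_CONF_SAMPLE = """\
# monitoring access (constructed)
rocommunity public 10.0.0.0/8
rwcommunity private
rocommunity m0n1t0r-r0-2010 10.1.2.0/24
"""


def snmp_community_findings(conf_text=SNMP_CONF_SAMPLE,
                            defaults=DEFAULT_COMMUNITIES):
    """Flag v1/v2c community strings that are vendor defaults, and read-write
    communities declared without a source restriction."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive not in ("rocommunity", "rwcommunity"):
            continue
        community = parts[1] if len(parts) > 1 else ""
        if community.lower() in defaults:
            findings.append((directive, community, "default community string"))
        if directive == "rwcommunity" and len(parts) < 3:
            findings.append((directive, community,
                             "read-write community without source restriction"))
    return findings


# Constructed service inventory: (host, service, enabled).
SERVICES_SAMPLE = [
    ("mainframe-lpar1", "telnet", True),
    ("mainframe-lpar1", "ssh",    True),
    ("unix-app01",      "ftp",    True),
    ("unix-app01",      "sftp",   True),
    ("win-file01",      "http",   False),
]


def cleartext_service_findings(services=SERVICES_SAMPLE,
                               cleartext=CLEARTEXT_PROTOCOLS):
    """Return [(host, service)] for enabled services that carry credentials
    or data unencrypted."""
    return [(host, svc) for host, svc, enabled in services
            if enabled and svc in cleartext]


if __name__ == "__main__":
    for item in (password_aging_findings() + snmp_community_findings()
                 + cleartext_service_findings()):
        print(item)
```

Each function reports a condition and changes nothing; remediation (rotating the community string, setting a maximum age, disabling the service) stays a deliberate administrative step.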
Specifically, FDIC did not disable an unencrypted protocol in use in the production and nonproduction logical partitions on the mainframe. In addition, FDIC did not restrict the use of unencrypted protocols on network servers. As a result, increased risk exists that an individual could capture information such as user IDs and passwords and use them to gain unauthorized access to data and system resources.

Audit and Monitoring of Security-Relevant Events Were Inadequate:

To establish individual accountability, monitor compliance with security policies, and investigate security violations, it is crucial to determine what, when, and by whom specific actions have been taken on a system. Organizations accomplish this by implementing system or security software that provides an audit trail for determining the source of a transaction or attempted transaction and monitoring user activity. To be effective, organizations should (1) configure the software to collect and maintain a sufficient audit trail for security-relevant events; (2) generate reports that selectively identify unauthorized, unusual, and sensitive access activity; and (3) regularly monitor and take action on these reports.

NIST guidance states that organizations should track and monitor access by individuals who use elevated access privileges, and that an organization should review and analyze information system audit records for indications of inappropriate or unusual activity and report the findings to designated organization officials.

FDIC did not always sufficiently audit and monitor security-relevant events. For example,

* FDIC's monitoring processes did not detect the existence of default installation user accounts on three UNIX servers.
* FDIC did not effectively monitor certain dataset access activity on the mainframe.
* FDIC mainframe logging controls were inappropriately configured, allowing the creation of large quantities of logged data for routine activities.

As a result of these deficiencies, increased risk exists that unauthorized activity or a policy violation would not be detected on FDIC systems and networks.

Weaknesses in Other Information System Controls Increased Risk:

In addition to access controls, other important controls should be in place to ensure the confidentiality, integrity, and availability of an organization's information. These controls include policies, procedures, and techniques for securely segregating incompatible duties, configuring information systems, and updating continuity documents. However, FDIC weaknesses in these areas have increased the risk of unauthorized use, disclosure, modification, or loss of information and information systems.

Incompatible Duties and Functions Were Not Adequately Segregated:

In addition to having access controls, an organization should have policies, procedures, and controls in place to appropriately segregate computer-related duties. Segregation of duties refers to the policies, procedures, and organizational structure that help ensure that one individual cannot independently control all key aspects of a process or computer-related operation and thereby gain unauthorized access to assets or records. Often segregation of incompatible duties is achieved by dividing responsibilities among two or more organizational groups, which diminishes the likelihood that errors and wrongful acts will go undetected because the activities of one individual or group will serve as a check on the activities of the other. Inadequate segregation of duties increases the risk that erroneous or fraudulent transactions could be processed, improper program changes implemented, and computer resources damaged or destroyed.
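Segregation of duties is verified in two complementary ways, and the audit-and-monitoring discussion and the paragraph just above each point to one of them: a static review of who holds conflicting roles, and a review of audit records for activity that crosses the line in practice. The Python below is an added example, not FDIC's or GAO's code. It checks a constructed entitlement table against a constructed list of conflicting role pairs, then scans constructed sshd log lines for logins by accounts holding a developer role to production hosts. The account names, role names, the "prd-" naming convention for production hosts, and the log lines are all assumptions for the example.

```python
"""
Segregation-of-duties review: static conflicting-role check plus a log-based
detection (added example; not FDIC or GAO code).  Entitlements, role pairs,
host names and log lines are constructed.
"""
import re

# Roles held by each account (constructed entitlement export).
ENTITLEMENTS = {
    "dev_jsmith": {"developer"},
    "ops_klee":   {"prod_operator"},
    "dev_mchan":  {"developer", "prod_operator"},          # conflicting pair
    "fin_rpatel": {"payment_entry", "payment_approval"},   # conflicting pair
    "fin_tgold":  {"payment_entry"},
}

# Role pairs one person must not hold together (constructed policy).
CONFLICTING_ROLE_PAIRS = [
    ("developer", "prod_operator"),
    ("payment_entry", "payment_approval"),
]


def static_sod_violations(entitlements=ENTITLEMENTS,
                          conflicts=CONFLICTING_ROLE_PAIRS):
    """Return [(account, role_a, role_b)] for every account holding both
    roles of a conflicting pair, in account order."""
    violations = []
    for account, roles in sorted(entitlements.items()):
        for a, b in conflicts:
            if a in roles and b in roles:
                violations.append((account, a, b))
    return violations


# Constructed sshd records in syslog style.  Hosts named "prd-*" are
# production, "dev-*" development (naming convention assumed here).
LOG_SAMPLE = """\
Mar 03 02:14:07 prd-unix-app01 sshd[1234]: Accepted publickey for dev_jsmith from 10.1.5.20 port 51234 ssh2
Mar 03 09:02:44 dev-unix-app01 sshd[2201]: Accepted password for dev_jsmith from 10.1.5.20 port 51300 ssh2
Mar 03 09:10:01 prd-unix-app01 sshd[2311]: Accepted publickey for ops_klee from 10.1.7.9 port 40100 ssh2
Mar 03 23:55:19 prd-unix-db01 sshd[2450]: Accepted password for dev_mchan from 10.1.5.21 port 50101 ssh2
Mar 03 10:00:00 prd-unix-app01 sshd[2500]: Failed password for invalid user admin from 10.1.9.9 port 3333 ssh2
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)


def is_production_host(host):
    """Production hosts carry the 'prd-' prefix (constructed convention)."""
    return host.startswith("prd-")


def developer_logins_to_production(log_text=LOG_SAMPLE,
                                   entitlements=ENTITLEMENTS):
    """Return [(timestamp, host, account)] for successful logins to a
    production host by an account that holds the developer role.  Failed
    logins and non-sshd records do not match and are ignored here."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        user, host = m["user"], m["host"]
        if is_production_host(host) and "developer" in entitlements.get(user, set()):
            hits.append((m["ts"], host, user))
    return hits


if __name__ == "__main__":
    for account, a, b in static_sod_violations():
        print(f"ROLE CONFLICT  {account}: holds both {a} and {b}")
    for ts, host, user in developer_logins_to_production():
        print(f"PROD LOGIN     {ts} {user} on {host}")
```

In the sample, dev_jsmith holds only the developer role yet appears on a production host, so the log review catches what the entitlement review alone would miss; the two checks cover different failure modes and both are needed.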
FDIC policy on UNIX security states that development and production data shall be separated and access controlled such that application developers have access to only development areas (nonproduction) and application users have access to only production areas (nondevelopment).

FDIC did not always adequately segregate incompatible computer-related duties and functions. For example, FDIC developers are allowed access to both development and production UNIX servers. Allowing developers such access reduced FDIC's ability to achieve segregation of duties and increased the risk of unauthorized and unnecessary access to sensitive production data by individuals who do not require it to perform their job duties. As a result, increased risk exists that users could perform unauthorized system activities without detection.

Although Elements of Configuration Management Controls Existed, They Were Not Always Fully Implemented:

Configuration management is another important control that involves the identification and management of security features for all hardware and software components of an information system at a given point and systematically controls changes to that configuration during the system's life cycle. An effective configuration management process includes procedures for identifying, documenting, and assigning unique identifiers (for example, serial number and name) to a system's hardware and software parts and subparts, generally referred to as configuration items, and evaluating and deciding whether to approve changes to a system's baseline configuration.

In addition, vendor specifications state that engineers will not develop, repair, maintain, or test the product software after a system reaches its end-of-life date. NIST guidance also states that an organization should promptly install security-relevant software updates, such as patches.

FDIC has implemented some elements of a configuration management process.
Specifically, it has documented policy and procedures for assigning unique identifiers and naming configuration items so that they can be distinguished from one another and for requesting changes to configuration items. FDIC has also developed a change request process and a baseline for its systems.

However, FDIC did not always implement key configuration management controls over its information system components. For example, FDIC had critical end-of-life systems that were not supported by their manufacturers, which indicates that patches or updates for emerging threats were no longer available. In addition, patch levels for third-party software running on two UNIX servers at FDIC were not current and an obsolete version of third-party software was running on a Windows server. As a result, increased risk exists that these FDIC systems will be exposed to unauthorized access or manipulation through the exploitation of known vulnerabilities that have not been patched or emergent vulnerabilities for which no known remedy exists.

Contingency Planning Documentation Was Incomplete or Had Incorrect Information:

Contingency planning, which includes developing contingency, business continuity, and disaster recovery plans, should be performed to ensure that when unexpected events occur, essential operations can continue without interruption or can be promptly resumed, and that sensitive data are protected. NIST guidance states that organizations should develop and implement a contingency plan that describes activities associated with backing up and restoring the system after a disruption or failure. The plan should be updated and include information such as contact, resources, and description of files in order to restore the application in the event of a disaster. In addition, the plans should be tested to determine the plans' effectiveness and the organization's readiness to execute the plans. Officials should review the plan results and initiate corrective actions.
FDIC has developed contingency plans, business continuity plans, and disaster recovery plans and has also conducted testing on these plans. However, one contingency plan at the Virginia Square office contained incomplete information. Specifically, the contingency plan did not include information such as resources (servers, applications, network components, supplies, telecommunications, and databases) and technical information about databases, libraries, and guidance for restoring devices to operational order. In addition, the business continuity plans at the Dallas office did not have correct information. Specifically, one of the plans was dated September 2005, and was created for a previous location. In addition, another plan had missing information. It listed a contact person for the headquarters security department who no longer worked there. Also, there was no contact information for the emergency management team. At the time of our review, FDIC officials stated that they will update the contingency and continuity plans with the required information. Until FDIC maintains current contingency and continuity plans, increased risk exists that it will not be able to effectively recover and continue operations when an emergency occurs and its operations will be disrupted.

FDIC Had Not Fully Implemented Its Information Security Program:

A key reason for the information security weaknesses is that although FDIC has made important progress in implementing its security program, it did not always fully complete key information security program activities. FDIC has provided employees with security awareness and security-specific training, and has implemented a system to track remedial action plans to ensure that deficiencies are mitigated in an effective and timely manner.
However, FDIC did not always fully implement key information security program activities such as effectively developing and implementing security policies, and implementing an effective continuous monitoring program. Until all key elements of its information security program have been fully and consistently implemented, FDIC will not have sufficient assurance that its financial information and assets are adequately safeguarded from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction.

Security Policies and Procedures Were Not Always Developed, Documented, or Implemented:

A key task in developing an effective information security program is to establish and implement risk-based policies, procedures, and technical standards that govern security over an agency's computing environment. If properly implemented, policies and procedures help reduce the risk that could come from unauthorized access or disruption of services. Because security policies and procedures are the primary mechanisms through which management communicates its views and requirements, it is important that these policies and procedures be established and documented. FISMA requires agencies to develop and implement policies and procedures to support an effective information security program. NIST has also issued security standards and related guidance to help entities implement security controls, including appropriate information security policies and procedures. While FDIC has generated agencywide information security policy relating to access control and risk management, certain policies and procedures had not always been developed, documented, and implemented. For example,

* FDIC did not develop or document policies and procedures to prevent users from having inappropriate or incompatible access to multiple applications.
For example, FDIC did not have policies and procedures to identify and govern the assignment of access privileges to combinations of systems that create logical access to data that is otherwise prevented by applications. As a result, a combination of access privileges assigned to individuals allowed for the circumvention of an accounting application's access controls. Additionally, FDIC did not develop or document technical controls in place to identify or prevent the assignment of such combinations of access privileges that expose the data associated with certain applications from access outside of the access controls implemented within the functions of those applications. As a result, individuals could inappropriately obtain access to data in certain applications.

* FDIC did not implement the policy requiring service and administrator user accounts on UNIX servers to change their passwords.

* FDIC did not implement the policy to have many of the mainframe IDs set with an "expire date."

Until these policies and procedures are fully developed, documented, and implemented, FDIC has reduced assurance that computing resources are consistently and effectively protected from inadvertent or deliberate misuse, including fraud or destruction.

Continuous Monitoring Efforts Were Not Always Sufficient:

NIST states that a continuous monitoring program allows an organization to maintain the security authorization of an information system over time in a highly dynamic environment of operation with changing threats, vulnerabilities, technologies, and business processes. Continuous monitoring of security controls using automated support tools facilitates near real-time risk management and promotes organizational situational awareness with regard to the state of the security of the information system.
The implementation of a continuous monitoring program can result in ongoing updates to the security plan, the security assessment report, and the plan of action and milestones, the three principal documents in the security authorization package. A rigorous and well-executed continuous monitoring program significantly reduces the level of effort required for the reauthorization of the information system. FDIC policy states that in addition to performing system test and evaluation in support of ongoing certification and accreditation efforts, FDIC is to routinely test major applications and their components as part of the continuous monitoring program. The program is designed to identify the most commonly exploited application-level vulnerabilities that exist within the enterprise infrastructure. FDIC's continuous monitoring efforts were not always sufficient. FDIC did not sufficiently (1) monitor users' inappropriate and excessive access privileges to a business application that supports resolution and receivership activities, (2) have the ability to reliably detect changes to powerful mainframe programs, and (3) test and verify that all system interfaces were properly configured for the new systems before putting them into production. FDIC has a continuous monitoring process; however, several of the vulnerabilities we identified with respect to FDIC's security over its information systems were not identified through FDIC's routine monitoring of access privileges, audit logs, and adherence to established policies and procedures. We identified numerous access control vulnerabilities that were not identified by the continuous monitoring program. These vulnerabilities resulted in significant reductions in FDIC's capability to maintain effective controls and to protect the confidentiality, integrity, and availability of its information systems and information. 
As a result, FDIC had limited assurance that computing resources were being consistently and effectively protected from inadvertent or deliberate misuse, including fraud or destruction.

FDIC Has Mitigated Previously Reported Weaknesses:

Despite the newly identified weaknesses, FDIC has made progress in mitigating previously reported information security weaknesses. The corporation has mitigated all 10 of the information security weaknesses reported in our calendar year 2007 audit.[Footnote 20] To its credit, the corporation has made improvements to the configuration management controls and aspects of its security management. For example, it maintained a full and complete requirements baseline for two systems and included key information in a remedial action plan. In addition, FDIC has corrected the FDIC Inspector General findings from the 2009 report.[Footnote 21]

Conclusions:

FDIC had many new control weaknesses putting its systems at a higher level of vulnerability to internal threats. These weaknesses impair the corporation's ability to ensure the confidentiality, integrity, and availability of financial and sensitive information. The weaknesses also represent a significant deficiency in internal controls over the information systems and data used for financial reporting. Despite the newly identified weaknesses, FDIC has made progress in mitigating previously reported information security weaknesses. Until FDIC (1) mitigates known information security weaknesses in access controls and other information system controls and (2) fully implements a comprehensive agencywide information security program that includes developing, documenting, and implementing security policies and implementing an effective continuous monitoring program, its financial and other sensitive information will remain at increased risk of unauthorized disclosure, modification, or destruction, and its management decisions may be based on unreliable or inaccurate information.
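Two of the account-level conditions reported above (developers with interactive logins on both development and production UNIX servers, and service and administrator accounts on UNIX servers whose passwords are never forced to change) are the kind of thing an automated check in a continuous monitoring program can flag from the servers' own account files. The following is an added example, not FDIC's or GAO's code: the host names, user names, group names and passwd/group/shadow records are constructed, and the 90-day maximum password age is an assumed policy value, since the report gives no figure.

```python
"""Automated account check of the kind a continuous monitoring program would
run against UNIX servers (added example, not FDIC's or GAO's code). It flags
developers with interactive logins on both development and production servers
and service/administrator accounts whose passwords are never forced to change.
All hosts, users and records are constructed; MAX_AGE_DAYS is an assumption."""
from collections import defaultdict

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
MAX_AGE_DAYS = 90      # assumed policy value; the report gives no figure
NEVER_EXPIRES = 99999  # conventional shadow(5) value meaning "no maximum age"


def parse_colon_file(text, nfields):
    """Yield field lists from a passwd/group/shadow-style file; skip comments and malformed records."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) == nfields:
                yield fields


def interactive_users(passwd_text):
    """User names whose login shell permits an interactive login."""
    return {f[0] for f in parse_colon_file(passwd_text, 7)
            if f[6] not in NOLOGIN_SHELLS}


def group_members(group_text, passwd_text, group_name):
    """Supplementary members of group_name plus users whose primary GID is that group."""
    members, gid = set(), None
    for f in parse_colon_file(group_text, 4):
        if f[0] == group_name:
            gid = f[2]
            members |= {m for m in f[3].split(",") if m}
    if gid is not None:
        members |= {f[0] for f in parse_colon_file(passwd_text, 7) if f[3] == gid}
    return members


def dual_environment_developers(hosts, dev_group="developers"):
    """Developers (dev_group members on a development host) who can log in interactively
    on at least one development and one production host. hosts: dicts with name, env, passwd, group."""
    logins = defaultdict(lambda: {"dev": set(), "prod": set()})
    developers = set()
    for h in hosts:
        users = interactive_users(h["passwd"])
        if h["env"] == "dev":
            developers |= group_members(h["group"], h["passwd"], dev_group) & users
        for u in users:
            logins[u][h["env"]].add(h["name"])
    return {u: {env: sorted(names) for env, names in logins[u].items()}
            for u in sorted(developers)
            if logins[u]["dev"] and logins[u]["prod"]}


def password_aging_findings(shadow_text, in_scope, today_days, max_age=MAX_AGE_DAYS):
    """Accounts in in_scope whose shadow record does not force a password change (today_days = days since epoch)."""
    findings = []
    for f in parse_colon_file(shadow_text, 9):
        name, pwhash, lastchg, maxdays = f[0], f[1], f[2], f[4]
        if name not in in_scope or pwhash.startswith(("!", "*")):
            continue  # out of scope, or password login is disabled
        if not maxdays or int(maxdays) >= NEVER_EXPIRES:
            findings.append((name, "no maximum password age"))
        elif int(maxdays) > max_age:
            findings.append((name, f"maximum age {maxdays} exceeds policy {max_age}"))
        elif not lastchg:
            findings.append((name, "no last-change date, so aging is not enforced"))
        elif int(lastchg) > 0 and today_days - int(lastchg) > int(maxdays):
            findings.append((name, "password older than its maximum age"))
    return findings


# Constructed sample data: one development and one production server.
DEV_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:500:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
appsvc:x:600:600:App Service:/var/app:/sbin/nologin
"""
DEV_GROUP = "root:x:0:\ndevelopers:x:500:bob\nappsvc:x:600:\n"
PROD_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
carol:x:2001:2001:Carol Ops:/home/carol:/bin/bash
"""
PROD_GROUP = "root:x:0:\noperators:x:2000:carol\n"
PROD_SHADOW = """root:$6$constructed$h1:18000::99999:7:::
dbadmin:$6$constructed$h3:18200:0:90:7:::
backupsvc:$6$constructed$h4:18000:0:180:7:::
monitor:$6$constructed$h5:18100:0:90:7:::
appsvc:!:18000:0:90:7:::
alice:$6$constructed$h6:18200:0:90:7:::
"""
SAMPLE_HOSTS = [
    {"name": "dev-unix-01", "env": "dev", "passwd": DEV_PASSWD, "group": DEV_GROUP},
    {"name": "prod-unix-01", "env": "prod", "passwd": PROD_PASSWD, "group": PROD_GROUP},
]
PRIVILEGED = {"root", "dbadmin", "backupsvc", "monitor", "appsvc"}
TODAY = 18250  # fixed "today" in days since the epoch, for reproducibility

if __name__ == "__main__":
    print(dual_environment_developers(SAMPLE_HOSTS))
    print(password_aging_findings(PROD_SHADOW, PRIVILEGED, TODAY))
```

Against the sample data, alice is flagged because she is a developer on dev-unix-01 and also has a shell on prod-unix-01, while root, backupsvc and monitor are flagged for aging settings that never, or too rarely, force a change.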
Recommendations for Executive Action:

We recommend that the Chairman direct the Chief Information Officer to take the following two actions to enhance the corporation's information security program:

* develop and document policies and procedures for assigning access to systems and databases where application controls could be compromised, and:

* complete the implementation of an effective continuous monitoring program to detect vulnerabilities.

We are also making 31 new recommendations to address 28 new findings in a separate report with limited distribution. These recommendations consist of actions to implement and correct specific information security weaknesses related to access controls, segregation of duties, configuration management, and contingency planning identified during this audit.

Agency Comments:

In providing written comments (reprinted in app. II) on a draft of this report, the Deputy to the Chairman and Chief Financial Officer of FDIC generally agreed with our recommendations. In addition, the Deputy discussed the actions that FDIC has taken or plans to take to implement the recommendations, such as restricting access to systems and databases and enhancing its continuous monitoring program as part of an ongoing multiyear effort.

We are sending copies of this report to the Chairman and Ranking Member of the Senate Committee on Banking, Housing, and Urban Affairs; Chairman and Ranking Member of the House Financial Services; members of the FDIC Audit Committee; the FDIC Inspector General; and other interested parties. In addition, this report will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov].

If you have any questions regarding this report, please contact Gregory C. Wilshusen at (202) 512-6244 or Dr. Nabajyoti Barkakati at (202) 512-4499. We can also be reached by e-mail at wilshuseng@gao.gov and barkakatin@gao.gov.
Contact points for our Office of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix III.

Signed by:

Gregory C. Wilshusen:
Director, Information Security Issues:

Signed by:

Dr. Nabajyoti Barkakati:
Director, Chief Technologist:

[End of section]

Appendix I: Objectives, Scope, and Methodology:

The objectives of our review were to assess (1) the effectiveness of the Federal Deposit Insurance Corporation's (FDIC) controls in protecting the confidentiality, integrity, and availability of its financial systems and information, and (2) the progress FDIC has made in mitigating previously reported information security weaknesses. These objectives were integral to supporting our opinion on FDIC's internal controls provided in conjunction with our integrated audit of the financial statements of the two funds administrated by FDIC, by assessing the controls over systems that support financial management and the generation of financial statements for two FDIC funds. To determine whether controls over key financial systems were effective, we tested the effectiveness of information security and information technology-based internal controls.
We concentrated our evaluation primarily on the controls for financial applications and enterprise database applications associated with a corporatewide system that functions as a unified set of financial and payroll systems that are managed together and operated in an integrated fashion; a system to calculate and collect FDIC deposit insurance premiums and Financing Corporation bond principal and interest amounts from insured financial institutions;[Footnote 22] a Web-based application that provides full functionality to support franchise marketing, asset marketing, and asset management; a system to request access to and receive permission for the computer applications and resources available to its employees, contractors, and other authorized personnel; a primary receivership and subsidiary financial processing and reporting system; and the general support systems. Our selection of the systems was based on discussions with our stakeholders. Our evaluation was based on our Federal Information System Controls Audit Manual, which contains guidance for reviewing information system controls that affect the confidentiality, integrity, and availability of computerized information. 
Using National Institute of Standards and Technology (NIST) standards and guidance and FDIC's policies, procedures, practices, and standards, we evaluated controls by:

* observing methods for providing secure data transmissions across the network to determine whether sensitive data were being encrypted;

* testing and observing physical access controls to determine if computer facilities and resources were being protected from espionage, sabotage, damage, and theft;

* evaluating the control configurations of selected servers and database management systems;

* inspecting key servers and workstations to determine whether critical patches had been installed or were up-to-date; and:

* examining access responsibilities to determine whether incompatible functions were segregated among different individuals.

Using the requirements of the Federal Information Security Management Act (FISMA), which establishes key elements for an effective agencywide information security program, we evaluated FDIC's implementation of its security program by:

* reviewing FDIC's risk assessment process and risk assessments for key FDIC systems that support the preparation of financial statements to determine whether risks and threats were documented consistent with federal guidance;

* analyzing FDIC's policies, procedures, practices, and standards to determine their effectiveness in providing guidance to personnel responsible for securing information and information systems;

* analyzing security plans to determine if management, operational, and technical controls were in place or planned and that security plans were updated;

* examining training records for personnel with significant security responsibilities to determine if they had received training commensurate with those responsibilities;

* analyzing configuration management plans and procedures to determine if configurations were being managed appropriately;

* analyzing security testing and evaluation results for four key FDIC systems to
determine whether management, operational, and technical controls were tested at least annually and based on risk;

* examining remedial action plans to determine whether they addressed vulnerabilities identified in FDIC's security testing and evaluations; and:

* examining contingency plans for four key FDIC systems to determine whether those plans had been tested or updated.

We also discussed with key security representatives and management officials whether information security controls were in place, adequately designed, and operating effectively.

To determine the status of FDIC's actions to correct or mitigate previously reported information security weaknesses, we identified and reviewed its information security policies, procedures, and guidance. We reviewed prior GAO reports to identify previously reported weaknesses and examined FDIC's corrective action plans to determine which weaknesses FDIC had reported were corrected. For those instances where FDIC reported it had completed corrective actions, we assessed the effectiveness of those actions.

We conducted this performance audit from December 2009 to November 2010 in accordance with generally accepted government auditing standards. We performed our data collection, analysis, and assessment procedures in support of the financial audit during the December 2009 to June 2010 time frame. We performed supplemental audit procedures to prepare this report from June 2010 to November 2010. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
[End of section]

Appendix II: Comments from the Federal Deposit Insurance Corporation:

FDIC:
Federal Deposit Insurance Corporation:
Deputy to the Chairman and CFO:
550 17th Street NW:
Washington DC 20429-9990:

November 19, 2010:

Mr. Gregory C. Wilshusen:
Director, Information Security Issues:

Dr. Nabajyoti Barkakati:
Director, Chief Technologist:

U.S. Government Accountability Office:
Washington, D.C. 20548:

Dear Mr. Wilshusen and Dr. Barkakati:

Thank you for the opportunity to comment on the U.S. Government Accountability Office's (GAO) draft audit report titled, Information Security: Federal Deposit Insurance Corporation Needs to Mitigate Control Weaknesses, GAO-11-29. We are pleased to accept GAO's acknowledgement of improvements FDIC has made in configuration management and aspects of security management as well as FDIC's correction of all information security weaknesses reported in prior years' financial statement audits. The GAO's report contains two new recommendations to assist FDIC in further strengthening its information security controls. FDIC has reviewed these recommendations along with the accompanying statements of condition on which the recommendations are based. FDIC has taken action or will take action to restrict access to systems and databases and will continue to enhance its continuous monitoring program as part of an ongoing multi-year effort.

Specifically, GAO recommended that FDIC strengthen policies and procedures for assigning access to systems and databases where application controls could be compromised. FDIC agrees to implement the necessary improvements to ensure appropriate policies and procedures are documented and followed in assigning these types of access. FDIC will complete the necessary actions by March 31, 2011.

GAO further recommended that the FDIC strengthen its continuous monitoring program to detect vulnerabilities. FDIC recognizes that a continuous monitoring program, by its very nature,
is an evolving program and will continue to build upon the processes now in place by targeting the highest risk areas. During 2010, the FDIC acquired additional automated monitoring tools which are currently being phased into our monitoring processes. In addition, by June 30, 2011, the FDIC will document our risk-based continuous monitoring program describing the current state and planned near-term improvements. Implementation will be performed in accordance with the plan and possible future guidance from the National Institute of Standards and Technology (NIST).

Once again, we thank you for your past contributions and your work on this year's audit. We look forward to continuing our positive working relationship during the 2010 audit and beyond. If you have any questions relating to the FDIC management response, please contact James H. Angel, Jr., Director, Office of Enterprise Risk Management, at 703-562-6456.

Sincerely,

Signed by:

Steven O. App:
Deputy to the Chairman and Chief Financial Officer:

cc:
Russell Pittman:
Mitchell Glassman:
Arleas Upton Kea:
Bret Edwards:
James H. Angel, Jr.
Audit Committee:

[End of section]

Appendix III: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Gregory C. Wilshusen, (202) 512-6244, wilshuseng@gao.gov:
Dr. Nabajyoti Barkakati, (202) 512-4499, barkakatin@gao.gov:

Staff Acknowledgments:

In addition to the individuals named above, David B. Hayes and Charles M. Vrabel (assistant directors), Nancy E. Glover, Mickie E. Gray, Rosanna Guerrero, Tammi N. Kalugdan, Duc M. Ngo, Zsaroq R. Powe, Eugene E. Stevens IV, and Henry I. Sutanto made key contributions to this report.

[End of section]

Footnotes:

[1] Information system general controls affect the overall effectiveness and security of computer operations and are not unique to specific computer applications.
These controls include security management, configuration management, operating procedures, software security features, and physical protections designed to ensure that access to data is appropriately restricted, that only authorized changes to computer programs are made, that incompatible computer-related duties are segregated, and that backup and recovery plans are adequate to ensure the continuity of operations.

[2] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 2009 and 2008 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-10-705] (Washington, D.C.: June 25, 2010).

[3] A significant deficiency is a control deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis.

[4] We performed data collection, analysis, and assessment procedures in support of the financial audit during the December 2009 to June 2010 time frame. We performed supplemental audit procedures to prepare this report from June 2010 to November 2010.

[5] The Department of Homeland Security's (DHS) federal information security incident center is hosted by US-CERT. When incidents occur, agencies are to notify the center.

[6] GAO, High-Risk Series: Information Management and Technology, [hyperlink, http://www.gao.gov/products/GAO/HR-97-9] (Washington, D.C.: February 1997), and High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January 2009).

[7] FISMA was enacted as title III, E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002).

[8] Federal Deposit Insurance Corporation Act, June 16, 1933, Ch. 89, § 8.
[9] FDIC is an independent agency of the federal government and receives no direct congressional appropriations; it is funded by premiums that banks and thrift institutions pay for deposit insurance coverage and from earnings on investments in U.S. Treasury securities.

[10] Pub. L. No. 101-73, § 211, 103 Stat. 183, 218-22 (Aug. 9, 1989).

[11] Pub. L. No. 109-171, Title II, Subtitle B, § 2102 (Feb. 8, 2006).

[12] The Financing Corporation, established by the Competitive Equality Banking Act of 1987, is a mixed-ownership government corporation with its primary purpose being to function as a financing vehicle for the Federal Savings & Loan Insurance Corporation. Effective December 12, 1991, as provided by the Resolution Trust Corporation Refinancing, Restructuring and Improvement Act of 1991, the Financing Corporation's ability to issue new debt was terminated. Outstanding Financing Corporation bonds, which are 30-year non-callable bonds with a principal amount of approximately $8.1 billion, mature in 2017 through 2019.

[13] The Office of Management and Budget (OMB) requires that a management official formally authorize (or accredit) an information system to process information and accept the risk associated with its operation based on a formal evaluation (or certification) of the system's security controls. For annual reporting, OMB requires agencies to report the number of systems, including impact levels, authorized for processing after completing certification and accreditation.

[14] Logical access requires users to authenticate themselves (through the use of secret passwords or other identifiers) and limit the files and other resources that authenticated users can access and the actions that they can execute.

[15] The community string (also known as the community name) provides a weak authentication mechanism to the Simple Network Management Protocol (SNMP).
Agents can be configured to allow read-only, read-write, or no access to their parameters based on the community string in a request. Community strings are passed in clear text in SNMP messages, so they can be easily sniffed and are therefore insufficient for authenticating legitimate manager requests.

[16] SNMP enables network and system administrators to remotely monitor and configure devices on the network (devices such as switches and routers).

[17] Encryption is a subset of cryptography, which is used to secure transactions by providing ways to ensure data confidentiality (assurance that the information will be protected from unauthorized access), data integrity (assurance that data have not been accidentally or deliberately altered), authentication of the message's originator, electronic certification of data, and nonrepudiation (proof of the integrity and origin of data that can be verified by a third party).

[18] A cryptographic algorithm and key are used to apply cryptographic protection to data (e.g., encrypt the data or generate a digital signature) and to remove or check the protection (e.g., decrypt the encrypted data or verify the digital signature).

[19] A protocol is a set of rules or procedures for transmitting data between electronic devices, such as computers. In order for computers to exchange information, there must be a preexisting agreement as to how the information will be structured and how each side will send and receive it.

[20] GAO, Information Security: FDIC Sustains Program but Needs to Improve Configuration Management of Key Financial Systems, [hyperlink, http://www.gao.gov/products/GAO-08-564] (Washington, D.C.: May 30, 2008).

[21] FDIC Office of Inspector General, Information Technology Controls in Support of the FDIC Fund's 2008 and 2007 Financial Statement Audit, AUD-09-020 (Washington, D.C.: Aug. 17, 2009).
[22] The Financing Corporation, established by the Competitive Equality Banking Act of 1987, is a mixed-ownership government corporation with its primary purpose being to function as a financing vehicle for the Federal Savings & Loan Insurance Corporation. Effective December 12, 1991, as provided by the Resolution Trust Corporation Refinancing, Restructuring and Improvement Act of 1991, the Financing Corporation's ability to issue new debt was terminated. Outstanding Financing Corporation bonds, which are 30-year non-callable bonds with a principal amount of approximately $8.1 billion, mature in 2017 through 2019.

[End of section]

GAO's Mission:

The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates."

Order by Phone:

The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white.
Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:

Congressional Relations:

Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:

Public Affairs:

Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: