This is the accessible text file for GAO report number GAO-11-708 entitled 'Information Security: Federal Deposit Insurance Corporation Has Made Progress, but Further Actions Are Needed to Protect Financial Data' which was released on August 12, 2011. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to the Acting Chairman, Federal Deposit Insurance Corporation: August 2011: Information Security: Federal Deposit Insurance Corporation Has Made Progress, but Further Actions Are Needed to Protect Financial Data: GAO-11-708: GAO Highlights: Highlights of GAO-11-708, a report to the Acting Chairman, Federal Deposit Insurance Corporation. Why GAO Did This Study: The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. Because of the importance of FDIC’s work, effective information security controls are essential to ensure that the corporation’s systems and information are adequately protected from inadvertent misuse, fraudulent use, or improper disclosure. As part of its audits of the 2010 financial statements of the Deposit Insurance Fund and the Federal Savings & Loan Insurance Corporation Resolution Fund administrated by FDIC, GAO assessed the effectiveness of the corporation’s controls in protecting the confidentiality, integrity, and availability of its financial systems and information. To perform the audit, GAO examined security policies, procedures, reports, and other documents; tested controls over key financial applications; and interviewed key FDIC personnel. What GAO Found: Although FDIC had implemented numerous controls in its systems, it had not always implemented access and other controls to protect the confidentiality, integrity, and availability of its financial systems and information. FDIC has implemented controls to detect and change default user accounts and passwords in vendor-supplied software, restricted access to network management servers, developed and tested contingency plans for major systems, and improved mainframe logging controls. However, the corporation had not always (1) required strong passwords on financial systems and databases; (2) reviewed user access to financial information in its document sharing system in accordance with policy; (3) encrypted financial information transmitted over and stored on its network; and (4) protected powerful database accounts and privileges from unauthorized use. In addition, other weaknesses existed in FDIC’s controls that were intended to appropriately segregate incompatible duties, manage system configurations, and implement patches. An underlying reason for the information security weaknesses is that FDIC had not always implemented key information security program activities. To its credit, FDIC had developed and documented a security program and had completed actions to correct or mitigate 26 of the 33 information security weaknesses that were previously identified by GAO. However, the corporation had not assessed risks, documented security controls, or performed periodic testing on the programs and data used to support the estimates of losses and costs associated with the servicing and disposal of the assets of failed institutions. Additionally, FDIC had not always implemented its policies for restricting user access or for monitoring the progress of security patch installation. Because FDIC had made progress in correcting or mitigating previously reported weaknesses and had implemented compensating management and reconciliation controls during 2010, GAO concluded that FDIC had resolved the significant deficiency in internal control over financial reporting related to information security reported in GAO’s 2009 audit, and that the remaining unresolved issues and the new issues identified did not individually or collectively constitute a material weakness or significant deficiency in 2010. However, if left unaddressed, these issues will continue to increase FDIC’s risk that its sensitive and financial information will be subject to unauthorized disclosure, modification, or destruction. What GAO Recommends: GAO recommends that FDIC take two actions to enhance its comprehensive information security program. In commenting on a draft of this report, FDIC discussed actions that it has taken or plans to take to address these recommendations. View [hyperlink, http://www.gao.gov/products/GAO-11-708] or key components. For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or Dr. Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov. Contents: Letter: Background: Opportunities Exist for FDIC to Improve Information Security Controls: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objective, Scope, and Methodology: Appendix II: Comments from the Federal Deposit Insurance Corporation: Appendix III: GAO Contacts and Staff Acknowledgments: Abbreviations: FDIC: Federal Deposit Insurance Corporation: FISMA: Federal Information Security Management Act: ID: identification: IT: information technology: NIST: National Institute of Standards and Technology: OMB: Office of Management and Budget: SAS: Statement on Auditing Standards: SSAE: Statement on Standards for Attestation Engagements: US-CERT: United States Computer Emergency Readiness Team: VPN: virtual private network: [End of section] United States Government Accountability Office: Washington, DC 20548: August 12, 2011: The Honorable Martin J. Gruenberg: Acting Chairman: Federal Deposit Insurance Corporation: Dear Mr. Gruenberg: The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating banking institutions, and protecting depositors. In carrying out its financial and mission-related operations, FDIC relies extensively on computerized systems. Because the corporation plays an important role in maintaining public confidence in the nation's financial system, issues that affect the confidentiality, integrity, and availability of the sensitive information maintained on its systems are of paramount concern. In particular, effective information security controls are essential to ensure that FDIC systems and information are adequately protected from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction.[Footnote 1] As part of our audits of FDIC's calendar year 2010 financial statements of the Deposit Insurance Fund and the Federal Savings & Loan Insurance Corporation Resolution Fund, we assessed the effectiveness of FDIC's information security controls over key financial systems, data, and networks.[Footnote 2] In that report, we concluded that FDIC had resolved the significant deficiency[Footnote 3] over information systems that we had reported in our 2009 audit, and that the unresolved prior year issues and new weaknesses we identified did not individually or collectively constitute a material weakness[Footnote 4] or a significant deficiency in internal controls over the information systems and data used for financial reporting for 2010 because the corporation had made improvements in its information security controls and had implemented compensating management and reconciliation controls to detect potential misstatements in the Deposit Insurance Fund. However, the weaknesses we identified, particularly those weaknesses associated with FDIC's process for deriving and reporting estimates of losses to the Deposit Insurance Fund from resolution transactions involving loss-sharing agreements, still present challenges for FDIC in ensuring that authorized users have only the access needed to perform their assigned duties and in adequately protecting corporate systems from unauthorized access. In this report, we provide additional details on FDIC's information security controls over its computerized financial systems during calendar year 2010. Our objective was to determine the effectiveness of the corporation's controls protecting the confidentiality, integrity, and availability of its financial systems and information. This work was performed to support our opinion on FDIC's internal control over financial reporting as of December 31, 2010. We conducted this audit at FDIC facilities in Arlington, Virginia, and Washington, D.C., from November 2010 to August 2011, in accordance with generally accepted government auditing standards.[Footnote 5] Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe our audit provides a reasonable basis for our findings and conclusions. See appendix I for additional details on our objective, scope, and methodology. Background: Information security is a critical consideration for any organization that depends on information systems and computer networks to carry out its mission and is especially important for a government corporation such as FDIC, which has responsibilities to oversee the financial institutions that are entrusted with safeguarding the public's money. While the use of interconnected electronic information systems allows the corporation to accomplish its mission more quickly and effectively, their use also exposes FDIC's information to various internal and external threats. Cyber-based threats to information systems and cyber-related critical infrastructure can come from sources internal and external to the organization. Internal threats include errors as well as fraudulent or malevolent acts by employees or contractors working within an organization. External threats include the ever-growing number of cyber-based attacks that can come from a variety of sources such as hackers, criminals, and foreign nations. Potential attackers have a variety of techniques at their disposal, which can vastly enhance the reach and impact of their actions. For example, cyber attackers do not need to be physically close to their targets, their attacks can easily cross state and national borders, and cyber attackers can preserve their anonymity. Further, the interconnectivity among information systems presents increasing opportunities for such attacks. Indeed, reports of security incidents from federal agencies are on the rise, increasing by more than 650 percent from fiscal year 2006 to fiscal year 2010. Specifically, the number of incidents reported by federal agencies to the United States Computer Emergency Readiness Team[Footnote 6] (US-CERT) has increased dramatically over the past 4 years: from 5,503 incidents reported in fiscal year 2006 to about 41,776 incidents in fiscal year 2010. Compounding the growing number and kinds of threats are the deficiencies in security controls on the information systems at federal agencies, which have resulted in vulnerabilities in both financial and nonfinancial systems and information. These deficiencies continue to place assets at risk of inadvertent or deliberate misuse, financial information at risk of unauthorized modification or destruction, and critical operations at risk of disruption. Accordingly, we have designated information security as a governmentwide high risk area since 1997, a designation that remains in force today.[Footnote 7] The Federal Information Security Management Act (FISMA)[Footnote 8] requires each agency to develop, document, and implement an agencywide information security program to provide information security for the information and systems that support the operations and assets of the entities, using a risk-based approach to information security management. FDIC Is a Key Protector of Bank and Thrift Deposits: FDIC was created by Congress to maintain the stability of and public confidence in the nation's financial system by insuring deposits, examining and supervising financial institutions, and resolving troubled institutions. Congress created FDIC in 1933[Footnote 9] in response to the thousands of bank failures that had occurred throughout the late 1920s and early 1930s.[Footnote 10] FDIC identifies, monitors, and addresses risks to the Deposit Insurance Fund when a bank or thrift institution fails. The Bank Insurance Fund and the Savings Association Insurance Fund were established as FDIC responsibilities under the Financial Institutions Reform, Recovery, and Enforcement Act of 1989, which sought to reform, recapitalize, and consolidate the federal deposit insurance system.[Footnote 11] The act also designated FDIC as the administrator of the Federal Savings & Loan Insurance Corporation Resolution Fund, which was created to complete the affairs of the former Federal Savings & Loan Insurance Corporation and liquidate the assets and liabilities transferred from the former Resolution Trust Corporation.[Footnote 12] The Bank Insurance Fund and the Savings Association Insurance Fund merged into the Deposit Insurance Fund on February 8, 2006, as a result of the passage of the Federal Deposit Insurance Reform Act of 2005.[Footnote 13] FDIC Relies on Computer Systems to Support Its Mission and Financial Reporting: FDIC relies extensively on computerized systems to support its mission, including financial operations, and to store the sensitive information that it collects. The corporation uses local and wide area networks to interconnect its systems and a layered approach to security defense. To support its financial management functions, FDIC relies on many systems, including a corporatewide system that functions as a unified set of financial and payroll systems that are managed and operated in an integrated fashion, a system to calculate and collect FDIC deposit insurance premiums and Financing Corporation[Footnote 14] bond principal and interest amounts from insured financial institutions; a Web-based application that provides full functionality to support franchise marketing, asset marketing, and asset management; a system to request access to and receive permission for the computer applications and resources available to its employees, contractors, and other authorized personnel; and a primary receivership and subsidiary financial processing and reporting system. FDIC also relies on other computerized systems in deriving its estimates of losses from loss-sharing agreements.[Footnote 15] This complex estimation process was developed and implemented in order to manage the significant number of loss-sharing agreements that have been created as a result of the current financial crisis. The process uses databases containing information on loss-sharing agreements and asset valuations, software programs that use information from the databases and other sources to calculate the estimated losses, data and programs stored in FDIC's document sharing system, a Web service used to exchange valuation information with outside contractors, and several manual processing steps. In addition, in order to reduce the risk that a material misstatement will not be detected, FDIC relies heavily on supervisory review and oversight controls in the process. We have previously reported[Footnote 16] that this process is complex, is not fully documented, and involves multiple manual data entries. In a separate report,[Footnote 17] we have made an additional recommendation to FDIC to improve the documentation around this process. Under FISMA, the Chairman of FDIC is responsible for, among other things, (1) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of the entity's information systems and information; (2) ensuring that senior agency officials provide information security for the information and information systems that support the operations and assets under their control; and (3) delegating to the corporation's Chief Information Officer the authority to ensure compliance with the requirements imposed on the agency under FISMA. The Chief Information Officer is responsible for developing and maintaining a corporatewide information security program and for developing and maintaining information security policies, procedures, and control techniques that address all applicable requirements. The Chief Information Officer also serves as the authorizing official with the authority to approve the operation of the information systems at an acceptable level of risk to the corporation. The Chief Information Security Officer reports to the Chief Information Officer and serves as the Chief Information Officer's designated representative. The Chief Information Security Officer is responsible for the overall support of assessment and authorization activities;[Footnote 18] for the development, coordination, and implementation of FDIC's security policy; and for the coordination of information security and privacy efforts across the corporation. Opportunities Exist for FDIC to Improve Information Security Controls: Although FDIC had implemented numerous controls over its systems, it had not always implemented access and other controls to protect the confidentiality, integrity, and availability of its financial systems and information. A key reason for these weaknesses is that the corporation did not always fully implement key information security program activities, such as effectively developing and implementing security policies. Although these weaknesses did not individually or collectively constitute a material weakness or significant deficiency in 2010, they still increase the risk that financial and other sensitive information could be disclosed or modified without authorization. FDIC Had Not Always Restricted Access to Information Resources: A basic management objective for any organization is to protect the resources that support its critical operations and assets from unauthorized access. Organizations accomplish this by designing and implementing controls that are intended to prevent, limit, and detect unauthorized access to computer resources (e.g., data, programs, equipment, and facilities), thereby protecting them from unauthorized disclosure, modification, and loss. Specific access controls include system boundary protections, identification and authentication of users, authorization restrictions, cryptography, protection of sensitive system resources, and audit and monitoring procedures. Without adequate access controls, unauthorized individuals, including intruders and former employees, can surreptitiously read and copy sensitive data and make undetected changes or deletions for malicious purposes or for personal gain. In addition, authorized users could intentionally or unintentionally modify or delete data or execute changes that are outside of their authority. FDIC Had Not Always Protected System Boundaries: Boundary protection controls logical connectivity into and out of networks and controls connectivity to and from network-connected devices. Any connections to the Internet or to other external and internal networks or information systems should occur through controlled interfaces (for example, proxies, gateways, routers and switches, firewalls,[Footnote 19] and concentrators). Many networked systems allow remote access to the information systems from virtually any remote location; thus, it is imperative that remote access paths be appropriately controlled and protected using a method such as a virtual private network (VPN).[Footnote 20] In addition, networks should also be appropriately configured to adequately protect access paths between systems; this can be accomplished through the use of access control lists and firewalls. National Institute of Standards and Technology (NIST) guidance states that agencies should establish trusted communication paths between users and the agency's information systems, that firewalls should be configured to provide adequate protection for the organization's networks, and that the information transmitted between interconnected systems should be controlled and regulated. FDIC had not always controlled the logical and physical boundaries protecting its information and systems. Examples are as follows: * Certain network devices, servers, and workstations on FDIC's internal network were not always configured to sufficiently restrict access or to fully secure connections. * Firewalls controlling traffic between segments of FDIC's internal network did not sufficiently control certain types of network traffic. * Boundary protection controls were configured in a manner that limited the effectiveness of monitoring controls. As a result of these deficiencies, FDIC faces an increased risk that individuals could gain unauthorized access to its financial systems and information. * Controls for Identifying and Authenticating Users Were Not Consistently Enforced: A computer system must be able to identify and authenticate the identity of a user so that activities on the system can be linked to that specific individual and to protect the system from inadvertent or malicious access. When an organization assigns a unique user account to a specific user, the system is able to distinguish that user from others--a process called identification. The system must also establish the validity of the user's claimed identity by requesting some kind of information, such as a password, which is known only by the user--a process called authentication. NIST guidance states that an organization should manage information system authenticators by changing the default content of authenticators (e.g., passwords) when installing an information system. Also, FDIC policy states that passwords should be changed periodically. FDIC had effectively implemented controls for identifying and authenticating users on certain systems. For example, it had implemented controls to effectively detect and change default vendor- supplied user accounts and passwords in installed software and had ensured that passwords for privileged accounts on certain servers were changed in accordance with its policy. However, FDIC had not consistently enforced other identification and authentication user controls. Examples are as follows: * Passwords for certain privileged accounts on a system supporting financial processing were not configured in accordance with FDIC policy. Additionally, two of the accounts were using the same password. * Password settings for certain accounts on a system supporting the loss-share loss estimation process were not configured in accordance with FDIC policy. * Systems supporting financial processing were not always configured with sufficiently strong identification and authentication controls. As a result of these deficiencies, FDIC is at an increased risk that an individual with malicious intentions could gain inappropriate access to its financial systems and information. FDIC Had Implemented Restrictions on User Access, but Weaknesses Still Exist: Authorization is the process of granting or denying access rights and privileges to a protected resource, such as a network, system, application, function, or file. A key component of granting or denying access rights is the concept of "least privilege," which refers to granting a user only the access rights and permissions needed to perform official duties. To restrict a legitimate user's access to only those programs and files needed, organizations establish user access rights: allowable actions that can be assigned to a user or to groups of users. File and directory permissions are rules that are associated with a particular file or directory, regulating which users can access it--and the extent of their access rights. To avoid unintentionally giving a user unnecessary access to sensitive files and directories, an organization should give careful consideration to its assignment of rights and permissions. NIST guidance states that access to information systems should be allowed only for authorized users and only for the tasks necessary to accomplish the work, in accordance with the organization's missions and business functions. In addition, NIST guidance states that agency information systems should separate user functionality from functions necessary to administer databases, network components, workstations, or servers. FDIC policy requires that the access to information technology (IT) resources be periodically reviewed to ensure that access controls remain consistent with existing authorizations and current business needs. Also, the Division of Resolutions and Receiverships requires user access to the document sharing system supporting the loss-share estimation process to be reviewed every 3 months. FDIC had implemented controls to restrict user access to certain resources. For example, it had configured access control lists on servers dedicated to network management to restrict access to only those users who required it, controlled access to sensitive files of critical network devices, and limited user access rights to a business application supporting resolution and receivership activities to only those roles necessary for personnel to perform their duties. However, other deficiencies in authorization controls placed FDIC's financial information and systems at risk. Examples are as follows: * The Division of Resolutions and Receiverships had not documented a procedure describing how access to the Web service used in the loss- share loss estimation process was to be reviewed, including requirements for conducting reviews at regular intervals or retaining documentation of reviews. * The Division of Resolutions and Receiverships had not reviewed access to the document sharing system every 3 months in accordance with its policy; instead, it had conducted a review only once during 2010. * FDIC had given users access to sensitive resources on certain systems supporting financial processing that they did not need to accomplish their work. As a result, FDIC faces an increased risk that a user could gain inappropriate access to computer resources, circumvent security controls, and deliberately or inadvertently read, modify, or delete financial information and other sensitive information. Sensitive Information Was Not Always Encrypted: Cryptography underlies many of the mechanisms used to enforce the confidentiality and integrity of sensitive information. A basic element of cryptography is encryption.[Footnote 21] Encryption can be used to provide basic data confidentiality and integrity by transforming plain text into cipher text using a special value known as a key and a mathematical process known as an algorithm.[Footnote 22] If encryption is not used, user identification (ID) and password combinations will be susceptible to electronic eavesdropping by devices on the network when they are transmitted. The National Security Agency and NIST recommend encrypting network services, and NIST guidance states that passwords should be encrypted while being stored and transmitted. NIST guidance also states that the use of encryption by organizations can reduce the probability of unauthorized disclosure of information and that government systems should use sufficiently strong encryption in order to establish and maintain secure communication links between information systems and applications. FDIC had implemented controls to encrypt certain sensitive information on its systems. For example, it had restricted the use of unencrypted protocols on the mainframe and had required that sensitive information stored on user workstations or mobile devices be encrypted. However, FDIC had not always ensured that sensitive financial information transmitted over and stored on its network was adequately encrypted. Specifically, FDIC had not always used sufficiently strong encryption on two systems supporting the loss-share loss estimation process and had not always strongly encrypted stored passwords on certain financial systems. As a result of these deficiencies, FDIC is at an increased risk that an individual could capture information such as user IDs and passwords and use them to gain unauthorized access to data and system resources. Audit and Monitoring of Security-Relevant Events Was Not Always Adequate: To establish individual accountability, monitor compliance with security policies, and investigate security violations, the capability to determine what, when, and by whom specific actions have been taken on a system is needed. Organizations accomplish this by implementing system or security software that provides an audit trail for determining the source of a transaction or attempted transaction and by monitoring user activity. To be effective, organizations should (1) configure the software to collect and maintain a sufficient audit trail for security-relevant events; (2) generate reports that selectively identify unauthorized, unusual, and sensitive access activity; and (3) regularly monitor and take action on these reports. NIST guidance states that organizations should track and monitor access by individuals who use elevated access privileges, review and analyze information system audit records for indications of inappropriate or unusual activity, and report the findings to designated organization officials. FDIC had ensured that default installation user accounts were no longer used on certain servers and had configured its mainframe logging controls efficiently. However, FDIC's audit and monitoring of security-relevant events on key financial systems was not always sufficient. For example, FDIC had not always sufficiently configured logging controls on a system that supported the loss-share loss estimation process or on several network devices. As a result of these deficiencies, FDIC faces an increased risk that unauthorized activity or a policy violation on its systems and networks would not be detected. Other Information System Controls Can Be Improved: In addition to access controls, organizations should use policies, procedures, and techniques for securely segregating incompatible duties, configuring information systems, and ensuring continuity of computer processing operations in the event of a disaster or unexpected interruption to ensure the confidentiality, integrity, and availability of its information. However, FDIC's systems were not always in full compliance with these policies, procedures, and techniques, leaving them vulnerable to intrusions. Incompatible Duties and Functions Were Not Adequately Segregated: Segregation of duties refers to the policies, procedures, and organizational structure that help ensure that one individual cannot independently control all key aspects of a process or computer-related operation and thereby gain unauthorized access to assets or records. Often, segregation of incompatible duties is achieved by dividing responsibilities among two or more organizational groups, which diminishes the likelihood that errors and wrongful acts will go undetected because the activities of one individual or group will serve as a check on the activities of the other. Inadequate segregation of duties increases the risk that erroneous or fraudulent transactions could be processed, improper program changes implemented, and computer resources damaged or destroyed. According to NIST, in order to maintain separation of duties, personnel who administer access control functions should not also be responsible for administering audit functions. FDIC's Division of Resolutions and Receiverships had not always separated audit responsibilities from administration of access to loss-share and asset valuation data and programs. Specifically, the FDIC access administrators for both the external Web service and the document sharing system used in the loss-share loss estimation process were also responsible for approving and reviewing user access to the systems. As a result, the access administrators had the ability to grant inappropriate levels of access to loss-share and asset valuation data and programs without being detected, placing the data and programs at risk of unauthorized access, misuse, modification, or destruction. Elements of Configuration Management Controls Existed but Were Not Fully Implemented: Configuration management is another important control that involves the identification and management of security features for all hardware and software components of an information system at a given point and systematically controls changes to that configuration during the system's life cycle. An effective configuration management process includes procedures for (1) identifying, documenting, and assigning unique identifiers (for example, serial number and name) to a system's hardware and software parts and subparts, generally referred to as configuration items; (2) evaluating and deciding whether to approve changes to a system's baseline configuration; (3) documenting and reporting on the status of configuration items as a system evolves; (4) determining alignment between the actual system and the documentation describing it; and (5) developing and implementing a configuration management plan for each system. In addition, establishing controls over the modification of information system components and related documentation helps to prevent unauthorized changes and ensure that only authorized systems and related program modifications are implemented. This is accomplished by instituting policies, procedures, and techniques that help make sure all hardware, software, and firmware programs and program modifications are properly authorized, tested, and approved. According to NIST, organizations should document approved configuration-controlled changes to information systems, retain and review records of the changes, audit activities associated with the changes, and coordinate and provide oversight for configuration change control activities through a mechanism such as a change control board. NIST also recommends that agencies configure their systems to reflect the most restrictive mode possible consistent with operational requirements and employ malicious code protection mechanisms to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, or other common means. FDIC had not applied appropriate configuration management controls to many of the special purpose programs and data in the loss-share estimating process. Although FDIC had documented activities for development, testing, and production for three of the programs used to calculate the estimates of losses due to loss-sharing agreements and had assigned responsibility for the different activities, it had neither documented approved changes to the programs prior to implementation nor retained records of the changes made. While the corporation had documented plans for tracking changes to these three programs, the plans had not been implemented. Additionally, the corporation had not documented plans for controlling changes to a program that generated a key dataset or to two other programs used to validate the data contained in a key database used in the loss-share loss estimation process. Furthermore, FDIC had not applied version control or change control to the database for the loss-share cost estimates. Moreover, a workstation used to execute one of the key calculation programs had configuration weaknesses that could allow it to be compromised. Until FDIC fully implements configuration management and configuration change controls to these data and programs, increased risk exists that changes to the programs could be unnecessary, may not work as intended, or may result in the unintentional loss of data or program integrity, or that individuals, both internal and external to the corporation, could exploit configuration weaknesses and gain unauthorized access to financial or other sensitive data and systems. Critical Systems Were Not Always Fully Patched: Patch management is a critical process that can help alleviate many of the challenges in securing computing systems.[Footnote 23] Malicious acts can range from defacing a Web site to taking control of an entire system, thereby being able to read, modify, or delete sensitive information; disrupt operations; or launch attacks against other organizations' systems. After a vulnerability has been validated, the software vendor may develop and test a patch or workaround to mitigate the vulnerability. Incident response groups and software vendors issue regular information updates on the vulnerability and the availability of patches. NIST guidance states that a comprehensive patch management process should include prioritization of the order in which vulnerabilities are addressed, with a focus on high-priority systems such as those essential for mission-critical operations. FDIC had patched many of its systems and had ensured that much of its software was up-to-date. For example, it had retired critical network devices that were not supported by their manufacturers, updated patch levels for third-party software running on two UNIX servers, and removed an obsolete version of third-party software running on a Windows server. However, FDIC had not consistently updated its financial systems and servers with critical patches or kept its software up-to-date, including systems supporting the loss-share loss estimation process. For example, certain servers supporting financial processing were running a version of software that was unsupported for patch updates, and several workstations used in the loss-share loss estimation process were missing patches and were running software that was no longer supported by the manufacturer. Additionally, certain workstations were missing operating system patches. As a result of these deficiencies, FDIC is at an increased risk that unpatched vulnerabilities could allow its information and information systems to be compromised. Contingency Plans Were Not Documented for Systems and Processes Supporting Loss-Share Loss Estimation: Contingency planning, which includes developing contingency, business continuity, and disaster recovery plans, should be performed to ensure that when unexpected events occur, essential operations can continue without interruption or can be promptly resumed, and that sensitive data are protected. NIST guidance states that organizations should develop and implement contingency plans that describe activities associated with backing up and restoring the system after a disruption or failure. The plans should be updated and include information such as contact, resources, and description of files in order to restore the application in the event of a disaster. In addition, the plans should be tested to determine their effectiveness and the organization's readiness to execute the plans. Officials should review the test results and initiate corrective actions. FDIC's Information Technology Security Risk Management Program requires contingency plans and disaster recovery plans to be developed and tested for all sensitive applications (both major and nonmajor) and general support systems; the plans should address measures to be taken in response to a disruption in availability due to an unplanned outage. Although FDIC had developed contingency plans for its major systems and had also conducted testing on these plans, it had not documented plans for recovering the automated and semiautomated processes supporting the loss-share loss estimation process. Although the security plan for one of FDIC's general support systems included the document sharing system and one of the key databases supporting the process, the corporation had not documented or tested contingency plans that addressed restoring the computer programs, workstations, and datasets supporting the preparations of the estimates of losses and costs due to loss-sharing agreements or of the workspaces within the document sharing system where loss-share and asset valuation information and programs are stored. As a result, FDIC may not be able to effectively recover the data and programs in the loss-share loss estimation process and resume normal operations after a disruption. FDIC Had Not Always Implemented Key Activities of its Information Security Program: An underlying reason for the information security weaknesses noted in the previous section is that, while FDIC has developed and documented a comprehensive corporate information security program, including documenting an information security risk management policy, developing security policies and procedures, documenting system security plans, and periodically testing information security controls, the corporation had not fully implemented its information security program. Specifically, it had not fully implemented its security policies and had not completed actions to remediate certain control weaknesses. In addition, FDIC had not applied security management controls to the programs and data in the loss-share loss estimation process. Security Program Elements Had Been Developed and Documented, but Not All Elements Had Been Fully Implemented: An entitywide information security management program is the foundation of a security control structure and a reflection of senior management's commitment to addressing security risks. The security management program should establish a framework and continuous cycle of activity for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures. Without a well-designed program, security controls may be inadequate; responsibilities may be unclear, misunderstood, or improperly implemented; and controls may be inconsistently applied. FISMA requires each agency to develop, document, and implement an information security program that, among other things, includes: * periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems; * policies and procedures that (1) are based on risk assessments, (2) cost effectively reduce information security risks to an acceptable level, (3) ensure that information security is addressed throughout the life cycle of each system, and (4) ensure compliance with applicable requirements; * plans for providing adequate information security for networks, facilities, and systems; * periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a frequency depending on risk, but no less than annually, and that includes testing of management, operational, and technical controls for every system identified in the agency's required inventory of major information systems; and: * a process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in its information security policies, procedures, or practices. FDIC had developed and documented a comprehensive corporate information security program that was consistent with FISMA requirements and had implemented some elements of its program, but had not fully implemented other elements. Specifically: * FDIC had developed and documented an IT security risk management policy that required all sensitive applications to periodically be assessed for the risk and magnitude of harm that could result from vulnerabilities and potential threats. * FDIC had not fully implemented its policies requiring that users be provided with only the minimum level of access required to allow them to perform their duties and that its computer security information response team monitor the progress of security patching activities by reviewing reports on the status of implementation. In addition, it had not fully implemented its policies for frequency of password changes and for storage of passwords. * FDIC had developed and documented security plans for all of the major systems we reviewed that addressed policies and procedures for providing management, operational, and technical controls, and had documented requirements for physically securing FDIC facilities. * FDIC had conducted annual periodic testing and evaluation of the effectiveness of the management, operational, and technical controls for the major systems we reviewed. * Although FDIC had established a process for planning, implementing, evaluating, and documenting remedial actions to address information security weaknesses, and had completed actions to remediate 26 of the 33 control weaknesses we identified in our calendar year 2009 audit, the corporation had not yet completed actions to correct or mitigate 7 of the previously reported weaknesses. For example, FDIC had not separated or partitioned the data network from the voice network, developed and documented policies and procedures for assigning access to systems and databases where application controls could be compromised, or fully implemented its monitoring program. In addition, FDIC had not received an independent audit report from the provider of its Web service in a timely manner. FISMA information security requirements apply not only to an agency's own systems but also to information systems used or operated on its behalf by a contractor or other agency, such as an external service provider. According to OMB,[Footnote 24] service providers are required to provide client organizations with an audit report that describes whether internal controls were designed to achieve specified objectives, have been placed into operation, and are operating effectively. Previously known as Statement on Auditing Standards (SAS) 70 reports, since June 15, 2011, they have been known as Statement on Standards for Attestation Engagements (SSAE) 16 reports.[Footnote 25] OMB also states that such reports should be provided within a reasonable time frame so that auditors of client organizations may use them during their financial statement audits. However, the provider of the Web service used to exchange information with valuation contractors did not provide FDIC with a SAS 70 report until March 2011, more than 8 weeks after the end of the financial reporting period and more than 5 months after the end of the period that the SAS 70 audit covered. Until all key elements of its information security program are fully implemented, FDIC may not have assurance that controls over its financial systems and information are appropriately designed and operating effectively. FDIC Had Not Applied Security Program Controls to the Loss-Share Loss Estimation Process: FDIC had not applied key controls in its information security program to the loss-share loss estimation process. OMB Circular A-130, Appendix III,[Footnote 26] requires federal agencies to implement and maintain an automated information security program, including planning for adequate security of each system, assessing risks, and reviewing security controls. OMB Circular A-127[Footnote 27] requires that federal financial management systems, which include core financial systems as well as any automated and manual processes, procedures, data, hardware, and software that support financial management, be subject to the requirements of Circular A-130. However, FDIC had not applied key controls in its information security program to the automated and semiautomated processes used to support the preparation of the estimates of losses and costs due to loss-sharing agreements. Specifically, FDIC had not: * assessed the risks associated with the information and programs involved to identify potential threats and vulnerabilities as well as possible countermeasures and mitigating controls, and had not included the programs in the risk assessment of any of its general support systems; * documented the management, technical, or operational security controls intended to protect the programs in system security plans, and had not included the programs in the system security plans of any general support system; or: * tested any security controls for the programs, and had not included the programs when testing the security controls of other general support systems. FDIC had not applied these controls because the Division of Resolutions and Receiverships developed the process independently, in order to be able to manage the large increase in bank failures and the extensive use of loss-sharing agreements resulting from the current financial crisis. In doing so, the Division of Resolutions and Receiverships had not used FDIC's existing IT management framework-- which requires these controls to be put into place--to develop and manage the process. During 2010, FDIC had mitigated the effect of these weaknesses on financial reporting by implementing compensating management and reconciliation controls in this process. However, because of ongoing financial institution failures and the lack of information security management controls around the process, the financial information processed by the programs involved--representing a nearly $39 billion impact on the corporation's financial statements--continues to be at risk of unauthorized disclosure, modification, or destruction. Conclusions: FDIC has made significant progress in correcting or mitigating previously reported information security weaknesses, but other control weaknesses continue to unnecessarily put FDIC's systems at an increased risk from internal and external threats. A key reason for these weaknesses is that the corporation had not fully implemented key elements of its information security program, such as effectively implementing security policies, conducting risk assessments, documenting security management plans, documenting contingency plans, testing security controls, or implementing an effective continuous monitoring program. FDIC had made improvements in its information security controls and had mitigated the potential effect of its remaining weaknesses on financial reporting by implementing compensating management and reconciliation controls during 2010, enabling us to conclude that FDIC had resolved the significant deficiency over information systems that we had reported in our 2009 audit. However, the weaknesses--both old and new--continue to challenge the corporation in its efforts to ensure the confidentiality, integrity, and availability of financial and sensitive information. Until FDIC further mitigates known information security weaknesses in access controls and other information system controls and fully implements its information security program, the corporation will continue to face an increased risk that sensitive financial information and resources will not be sufficiently protected from inadvertent or deliberate misuse, improper disclosure, or destruction. Recommendations for Executive Action: We recommend that the Acting Chairman take the following two actions to enhance FDIC's information security program: * Direct the Director of the Division of Resolutions and Receiverships and the Chief Information Officer to develop, document, and implement appropriate information security activities in the loss-share loss estimation process, such as assessing and mitigating risks, managing and controlling the configurations of programs and databases, evaluating the effectiveness of security controls, and ensuring that data and programs can be recovered after a disruption. * Direct the Chief Information Officer to work with the external Web service provider to obtain a more timely delivery of the provider's SSAE 16 report (previously known as a SAS 70 report), or to obtain other means of assurance of internal controls. We are also making 38 new recommendations to address 37 new findings in a separate report with limited distribution. These recommendations consist of actions to implement and correct specific information security weaknesses related to access controls, segregation of duties, configuration management, and contingency planning identified during this audit. Agency Comments and Our Evaluation: In providing written comments (reprinted in appendix II) on a draft of this report, the Deputy to the Chairman and Chief Financial Officer of FDIC stated that FDIC was pleased to accept our acknowledgment of the significant progress made toward correcting and mitigating our previously reported weaknesses. In addition, he indicated that the corporation plans to implement improvements to address our recommendations, and discussed the actions that FDIC has taken or plans to take to review and improve controls over the loss-share loss estimation process, to obtain timely delivery of appropriate audit reports from current and future service providers, and to conduct additional due diligence activities to obtain assurance of the service provider's internal controls. In responding to our draft recommendation that FDIC develop, document, and implement appropriate information security controls over the automated and semiautomated processes within the loss-share loss estimation process, the Deputy to the Chairman stated that although FDIC agrees that the loss-share business processes and the data associated with these processes deserve proper controls assessment and protection, the corporation will not necessarily treat the processes and data as a separate FDIC system. The Deputy to the Chairman further stated that FDIC is currently taking steps to improve the information security controls around the process. The intent of our draft recommendation was not to suggest that FDIC treat the data and programs supporting the loss-share loss estimation process as a separate information system. We agree that it may not be appropriate for FDIC to treat these data and programs as a separate information system, as they are stored, processed, and executed across multiple systems. Rather, our intent was to recommend that appropriate information security control activities be incorporated into the process. Accordingly, we have clarified our recommendation to state that the Acting Chairman direct the Director of the Division of Resolutions and Receiverships and the Chief Information Officer to develop, document, and implement appropriate information security activities in the loss-share loss estimation process, such as assessing and mitigating risks, managing and controlling the configurations of programs and databases, evaluating the effectiveness of security controls, and ensuring that data and programs can be recovered after a disruption. We are sending copies of this report to the Chairman and Ranking Member of the Senate Committee on Banking, Housing, and Urban Affairs; Chairman and Ranking Member of the House Financial Services Committee; and other interested parties. In addition, this report will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you have any questions regarding this report, please contact Gregory C. Wilshusen at (202) 512-6244 or Dr. Nabajyoti Barkakati at (202) 512-4499. We can also be reached by e-mail at wilshuseng@gao.gov and barkakatin@gao.gov. Key contributors to this report are listed in appendix III. Signed by: Gregory C. Wilshusen: Director, Information Security Issues: Signed by: Dr. Nabajyoti Barkakati: Director, Center for Technology and Engineering: [End of section] Appendix I: Objective, Scope, and Methodology: The objective of our audit was to determine the effectiveness of the Federal Deposit Insurance Corporation's (FDIC) controls protecting the confidentiality, integrity, and availability of its financial systems and information. To do this, we examined FDIC information security policies, plans, and procedures; tested controls over key financial applications; and interviewed key agency officials in order to (1) assess the effectiveness of corrective actions taken by FDIC to address weaknesses we previously reported and (2) determine whether any additional weaknesses existed. This work was performed in support of our opinion on internal control over the preparation of the calendar year 2010 and 2009 financial statements of two funds administered by FDIC. To determine whether controls over key financial systems were effective, we considered the results of our evaluation of FDIC's actions to mitigate previously reported weaknesses and performed new audit work at FDIC facilities in Arlington, Virginia, and Washington, D.C. We concentrated our evaluation primarily on the controls for financial applications and enterprise database applications associated with the New Financial Environment; the Assessment Information Management System; the Communication, Capability, Challenge, and Control System (4C) application; the programs, data, and systems supporting the preparation of the estimates of losses and costs due to loss-sharing agreements, and the general support systems. Our selection of the systems to evaluate was based on consideration of systems that directly or indirectly support the processing of material transactions that are reflected in the funds' financial statements. Our evaluation was based on GAO's Federal Information System Controls Audit Manual, which contains guidance for reviewing information system controls that affect the confidentiality, integrity, and availability of computerized information. Using National Institute of Standards and Technology (NIST) standards and guidance and FDIC's policies, procedures, practices, and standards, we evaluated controls by: * observing methods for providing secure data transmissions across the network to determine whether sensitive data were being encrypted; * testing and observing physical access controls to determine if computer facilities and resources were being protected from espionage, sabotage, damage, and theft; * evaluating the control configurations of selected servers and database management systems; * inspecting key servers and workstations to determine whether critical patches had been installed or were up-to-date; and: * examining access responsibilities to determine whether incompatible functions were segregated among different individuals. Using the requirements of the Federal Information Security Management Act (FISMA), which establishes key elements for an effective agencywide information security program, we evaluated FDIC's implementation of its security program by: * reviewing FDIC's risk assessment process and risk assessments for key FDIC systems that support the preparation of financial statements to determine whether risks and threats were documented consistent with federal guidance; * analyzing FDIC's policies, procedures, practices, and standards to determine their effectiveness in providing guidance to personnel responsible for securing information and information systems; * analyzing security plans to determine if management, operational, and technical controls were in place or planned and that security plans were updated; * analyzing security testing and evaluation results for six key FDIC systems to determine whether management, operational, and technical controls were tested at least annually and based on risk; and: * examining remedial action plans to determine whether they addressed vulnerabilities identified in FDIC's security testing and evaluations. We also discussed with key security representatives and management officials whether information security controls were in place, adequately designed, and operating effectively. To determine the status of FDIC's actions to correct or mitigate previously reported information security weaknesses, we identified and reviewed its information security policies, procedures, and guidance. We reviewed prior GAO reports to identify previously reported weaknesses and examined FDIC's corrective action plans to determine which weaknesses FDIC reported as being corrected. For those instances where FDIC reported it had completed corrective actions, we assessed the effectiveness of those actions. We conducted this audit from November 2010 to August 2011, in accordance with generally accepted government auditing standards. We conducted our data collection, analysis, and assessment procedures in support of the financial audit between November 2010 and March 2011. We conducted supplemental audit procedures to prepare this report from March 2011 to August 2011. The generally accepted government auditing standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. [End of section] Appendix II: Comments from the Federal Deposit Insurance Corporation: FDIC: Federal Deposit Insurance Corporation: Deputy to the Chairman and CFO: 550 17th Street NW: Washington, D.C. 20429-9990: July 21, 2011: Mr. Gregory C. Wilshusen: Director, information Security Issues: Dr. Nabajyoti Barkakati: Director, Center for Technology and Engineering: Government Accountability Office: Washington, D.C. 20548: Dear Mr. Wilshusen and Dr. Barkakati: Thank you for the opportunity to comment on the U.S. Government Accountability Office's (GAO) draft audit report titled, Information Security: Federal Deposit Insurance Corporation Has Made Progress. but Further Actions Are Needed to Protect Financial Data, GAO-11-708. We are pleased to accept GAO's acknowledgment of significant progress FDIC has made correcting and mitigating previously reported information security weaknesses. The GAO's report contains two new recommendations to assist FDIC in further strengthening its information security controls. FDIC will implement improvements to address these recommendations. Specifically, GAO recommended that FDIC develop, document, and implement appropriate information security controls, such as configuration management and configuration change controls, contingency plans, risk assessments, security plans, and testing and evaluation plans, in the automated and semi-automated processes within the loss share loss estimation process. The FDIC takes seriously the GAO's concerns regarding loss share related controls as evidenced by improvements in those controls during 2010. The FDIC agrees that the loss share business processes and the data associated with these processes deserve proper control assessment and protection. Nevertheless, FDIC will not necessarily treat these processes and associated data as a separate FDIC system. Consistent with the progress of our review of the appropriate controls over these automated and semi-automated processes, FDIC is currently taking steps to improve role-based access control, data integrity, and configuration management (i.e. version control) on data repositories and shared network resources that contain end-user commodity tools used to augment the loss share estimation processes. The process to review and improve controls began while the GAO audit team was on site and will continue through December 2011. Further, GAO recommended that FDIC work with the external Web service provider to obtain a more timely delivery of the provider's SSAE 16 report (previously known as a SAS 70 report), or to obtain other means of assurance of internal controls. FDIC will work with current and future outsourced information service providers to obtain timely delivery of the appropriate Service Organization Control (SOC) reports for annual review. FDIC will also continue to conduct additional due diligence activities to obtain assurance of the service provider's internal controls. These activities may include obtaining an assertion letter from the service provider's management regarding whether or not controls have changed since the last review. They may also include obtaining supplemental information regarding any changes in the design and operation of the service provider's internal controls and supporting processes. Once again, we thank you for your past contributions and your work on this year's audit. We look forward to continuing our positive working relationship during the 2011 audit and beyond. If you have any questions relating to the FDIC management response, please contact James H. Angel, Jr., Director, Office of Enterprise Risk Management, at 703-562-6456. Sincerely, Signed by: Steven O. App: Deputy to the Chairman and Chief Financial Officer: cc: James H. Angel, Jr. Bret Edwards: Craig Jarvill: Russell Pittman: Audit Committee: [End of section] Appendix III: GAO Contacts and Staff Acknowledgments: GAO Contacts: Gregory C. Wilshusen, (202) 512-6244, wilshuseng@gao.gov Dr. Nabajyoti Barkakati, (202) 512-4499, barkakatin@gao.gov: Staff Acknowledgments: In addition to the individuals named above, Lon Chin, David Hayes, Charles Vrabel, and Christopher Warweg, Assistant Directors; Gary Austin; Angela Bell; William Cook; Saar Dagani; Nancy Glover; Rosanna Guerrero; Jason Porter; Michael Stevens; and Shaunyce Wallace made key contributions to this report. [End of section] Footnotes: [1] Information system general controls affect the overall effectiveness and security of computer operations and are not unique to specific computer applications. These controls include security management, configuration management, operating procedures, software security features, and physical protections designed to ensure that access to data is appropriately restricted, that only authorized changes to computer programs are made, that incompatible computer- related duties are segregated, and that backup and recovery plans are adequate to ensure the continuity of operations. [2] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 2010 and 2009 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-11-412] (Washington, D.C.: Mar. 18, 2011). [3] A significant deficiency is a control deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or to detect and correct misstatements on a timely basis. [4] A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or will not be detected and corrected on a timely basis. [5] We conducted data collection, analysis, and assessment procedures in support of the financial audit during the November 2010 to March 2011 time frame. We conducted supplemental audit procedures to prepare this report from March 2011 to August 2011. [6] The Department of Homeland Security's federal information security incident center is hosted by US-CERT. When incidents occur, agencies are to notify the center. [7] GAO, High-Risk Series: Information Management and Technology, [hyperlink, http://www.gao.gov/products/GAO/HR-97-9] (Washington, D.C.: February 1997) and High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February 2011). [8] FISMA was enacted as title III, E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). [9] Federal Deposit Insurance Corporation Act, June 16, 1933, Ch. 89, § 8. [10] FDIC is an independent agency of the federal government and receives no direct federal appropriations; it is funded by premiums that banks and thrift institutions pay for deposit insurance coverage and from earnings on investments in U.S. Treasury securities. Additionally, FDIC realizes some income from failed financial institutions for services it performs on their behalf. [11] Pub. L. No. 101-73, § 211, 103 Stat. 183, 218-22 (Aug. 9, 1989). [12] A third fund to be managed by FDIC, the Orderly Liquidation Fund, established by section 210 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, 124 Stat. 1376, 1506 (July 21, 2010), is unfunded and conducted no transactions during the fiscal years covered by this audit. [13] Pub. L. No. 109-171, Title II, Subtitle B, § 2102 (Feb. 8, 2006). [14] The Financing Corporation, established by the Competitive Equality Banking Act of 1987, is a mixed-ownership government corporation with its primary purpose being to function as a financing vehicle for the Federal Savings & Loan Insurance Corporation. Effective December 12, 1991, as provided by the Resolution Trust Corporation Refinancing, Restructuring and Improvement Act of 1991, the Financing Corporation's ability to issue new debt was terminated. Outstanding Financing Corporation bonds, which are 30-year noncallable bonds with a principal amount of approximately $8.1 billion, mature in 2017 through 2019. [15] Under a loss-sharing agreement, FDIC sells a failed institution to an acquirer with an agreement that FDIC, through the Deposit Insurance Fund, will share in losses the acquirer experiences in servicing and disposing of assets purchased and covered under the loss- sharing agreement. [16] [hyperlink, http://www.gao.gov/products/GAO-11-412]. [17] GAO, Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures, [hyperlink, http://www.gao.gov/products/GAO-11-687R] (Washington, D.C.: Aug. 5, 2011). [18] The Office of Management and Budget (OMB) requires that a management official formally authorize an information system to process information and accept the risk associated with its operation based on a formal evaluation (or assessment) of the system's security controls. For annual reporting, OMB requires agencies to report the number of systems, including impact levels, authorized for processing after completing certification and accreditation. [19] A firewall is a hardware or software component that protects computers or networks from attacks by blocking network traffic. [20] A VPN is a private network that is maintained across a shared or public network, such as the Internet, by means of specialized security procedures. VPNs are intended to provide secure connections between remote clients, such as branch offices or traveling personnel and a central office. [21] Encryption is a subset of cryptography, which is used to secure transactions by providing ways to ensure data confidentiality (assurance that the information will be protected from unauthorized access), data integrity (assurance that data have not been accidentally or deliberately altered), authentication of the message's originator, electronic certification of data, and nonrepudiation (proof of the integrity and origin of data that can be verified by a third party). [22] A cryptographic algorithm and key are used to apply cryptographic protection to data (e.g., encrypt the data or generate a digital signature) and to remove or check the protection (e.g., decrypt the encrypted data or verify the digital signature). [23] For example, see GAO, Information Security: Continued Action Needed to Improve Software Patch Management, [hyperlink, http://www.gao.gov/products/GAO-04-706] (Washington, D.C.: June 2, 2004). [24] OMB, Audit Requirements for Federal Financial Statements, OMB-07- 04 (Washington, D.C.: amended Sept. 23, 2009). [25] SSAE 16 reports refer to reports typically prepared by an independent auditor based on a review of the controls relevant to user entities' internal control over financial reporting as discussed in the American Institute of Certified Public Accountants' Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. A service organization provides services to the entity whose financial statements are being audited. [26] OMB, Circular No. A-130, Appendix III, Security of Federal Automated Information Resources (Washington, D.C.: Nov. 28, 2000). [27] OMB, Circular No. A-127, Financial Management Systems (Washington, D.C.: Jan. 9, 2009). [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: