This is the accessible text file for GAO report number GAO-07-351 
entitled 'Information Security: Federal Deposit Insurance Corporation 
Needs to Sustain Progress Improving Its Program' which was released on 
May 18, 2007. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Chief Financial Officer and Chief Operating Officer, 
Federal Deposit Insurance Corporation: 

United States Government Accountability Office: 

GAO: 

May 2007: 

Information Security: 

Federal Deposit Insurance Corporation Needs to Sustain Progress 
Improving Its Program: 

GAO-07-351: 

GAO Highlights: 

Highlights of GAO-07-351, a report to the Chief Financial Officer and 
Chief Operating Officer, Federal Deposit Insurance Corporation 

Why GAO Did This Study: 

The Federal Deposit Insurance Corporation (FDIC) has a demanding 
responsibility enforcing banking laws, regulating financial 
institutions, and protecting depositors. As part of its audit of the 
calendar year 2006 financial statements, GAO assessed (1) the progress 
FDIC has made in correcting or mitigating information security 
weaknesses previously reported and (2) the effectiveness of FDICís 
system integrity controls to protect the confidentiality and 
availability of its financial information and information systems. 

To do this, GAO examined pertinent security policies, procedures, and 
relevant reports. In addition, GAO conducted tests and observations of 
controls in operation. 

What GAO Found: 

FDIC has made substantial progress in correcting previously reported 
weaknesses in its information security controls. Specifically, it has 
corrected or mitigated 21 of the 26 weaknesses that GAO had reported as 
unresolved at the completion of the calendar year 2005 audit. Actions 
FDIC has taken include developing and implementing procedures to 
prohibit the transmission of mainframe user and administrator passwords 
in readable text across the network, implementing procedures to change 
vender-supplied account/passwords, and improving mainframe security 
monitoring controls. 

Although FDIC has made important progress improving its information 
system controls, old and new weaknesses could limit the corporationís 
ability to effectively protect the integrity, confidentiality, and 
availability of its financial and sensitive information and systems. In 
addition to the five previously reported weaknesses that are in the 
process of being mitigated, GAO identified new weaknesses in controls 
related to (1) e-mail security, (2) physical security, and (3) 
configuration management. Although these weaknesses do not pose 
significant risk of misstatement of the corporationís financial 
statements, they do increase preventable risk to the corporationís 
financial and sensitive systems and information. 

In addition, FDIC has not fully integrated its new financial systemóthe 
New Financial Environment (NFE)óinto its information security program. 
For example, it did not fully implement key control activities for the 
NFE. Until FDIC fully integrates the NFE with the information security 
program, its ability to maintain adequate system controls over its 
financial and sensitive information will be limited. 

What GAO Recommends: 

GAO recommends that FDIC take actions to address control weaknesses and 
fully integrate the NFE into the corporationís information security 
program. In written comments on a draft of this report, FDICís Deputy 
to the Chairman and Chief Financial Officer stated that FDIC concurred 
with seven of GAOís recommendations and partially concurred with five 
and has implemented or will implement corrective actions. If the 
corporation adequately implements these actions, it will have satisfied 
the intent of GAOís recommendations. 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-351]. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Gregory C. Wilshusen, 
(202) 512-6244, wilshuseng@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Objectives, Scope, and Methodology: 

FDIC Has Made Substantial Progress Correcting Previously Reported 
Weaknesses: 

FDIC Has Made Progress in Information System Controls, However Some 
Weaknesses Remain: 

NFE Not Fully Integrated into the Corporation's Information Security 
Program: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Status of Previously Reported Weaknesses: 

Appendix II: Comments from the Federal Deposit Insurance Corporation: 

Appendix III: GAO Contact and Staff Acknowledgments: 

Abbreviations: 

CSIRT: Computer Security Incident Response Team: 

BIF: Bank Insurance Fund: 

DIF: Deposit Insurance Fund: 

FDIC: Federal Deposit Insurance Corporation: 

FISMA: Federal Information Security Management Act: 

FSLIC: Federal Savings and Loan Insurance Corporation: 

NFE: New Financial Environment: 

NIST: National Institute of Standards and Technology: 

SAIF: Savings Association Insurance Fund: 

SAS: Statement on Auditing Standards: 

United States Government Accountability Office: 
Washington, DC 20548: 

May 18, 2007: 

To the Chief Financial Officer and Chief Operating Officer, 
Federal Deposit Insurance Corporation: 

The Federal Deposit Insurance Corporation (FDIC) has a demanding 
responsibility enforcing banking laws, regulating banking institutions, 
and protecting depositors. In carrying out its financial and mission-
related operations, FDIC relies extensively on computerized systems. 
Because FDIC plays an important role in maintaining public confidence 
in the nation's financial system, issues that affect the integrity, 
confidentiality, and availability of sensitive information maintained 
on its systems--such as personnel and regulatory information--are of 
paramount concern. In particular, effective information security 
controls[Footnote 1] are essential to ensure that FDIC systems and 
information are adequately protected from inadvertent or deliberate 
misuse, fraudulent use, improper disclosure, or destruction.  

As part of our audit of the calendar year 2006 financial statements of 
the Deposit Insurance Fund[Footnote 2] (DIF) and the Federal Savings & 
Loan Insurance Corporation (FSLIC) Resolution Fund[Footnote 3], we 
assessed (1) the progress FDIC has made in correcting or mitigating 
information system control weaknesses reported as unresolved at the 
completion of our 2005 review[Footnote 4] and (2) the effectiveness of 
the corporation's information system controls for protecting the 
confidentiality, integrity, and availability of its information and 
information systems. 

In our audit report[Footnote 5] on the calendar year 2006 financial 
statements of the FDIC's funds, we concluded that issues related to 
information security controls do not constitute a significant 
deficiency.[Footnote 6] We also stated in that report that continued 
management commitment to an effective information security program will 
be essential to ensure that the corporation's financial and sensitive 
information will be adequately protected. 

We performed our review at the FDIC computer facility in Arlington, 
Virginia, from September 2006 through February 2007. Our review was 
performed in accordance with generally accepted government auditing 
standards. 

Results in Brief: 

FDIC has made substantial progress in correcting previously reported 
weaknesses. Specifically, it has corrected or mitigated 21 of the 26 
weaknesses that we had reported as unresolved at the completion of our 
calendar year 2005 audit. Actions that FDIC has taken include 
developing and implementing procedures to prohibit the transmission of 
mainframe user and administrator passwords in plaintext across the 
network, implementing procedures to change vendor-supplied account/ 
passwords, and improving mainframe security monitoring controls. 

Although it has made important progress improving its information 
system controls, weaknesses exist that could limit FDIC's ability to 
effectively protect the confidentiality, integrity, and availability of 
its financial and sensitive information and systems. In addition to the 
five previously reported weaknesses that are in process of being 
addressed, we identified new information security weaknesses. For 
example, the corporation did not consistently implement controls 
related to (1) e-mail security, (2) physical security, and (3) 
configuration management. Although these weaknesses do not pose a 
significant risk of misstatement of the corporation's financial 
statements, they do increase preventable risk to the corporation's 
financial and sensitive systems and information. 

In addition, FDIC has not fully integrated its new financial system-- 
called the New Financial Environment (NFE)--into its information 
security program. Although FDIC had developed, documented, and 
implemented a corporate information security program, it did not fully 
implement key control activities for the NFE. For example, FDIC had not 
sufficiently assessed risks, updated the security plan, reported 
certain security incidents, or updated the contingency plan. Until FDIC 
fully integrates the NFE with the information security program, its 
ability to maintain adequate system controls over its financial and 
sensitive information will be limited. 

We are recommending that the FDIC Chief Financial Officer and Chief 
Operating Officer take actions to address the control weaknesses and to 
fully integrate the NFE into the corporation's information security 
program. 

In written comments on a draft of this report (which are reprinted in 
app. II), FDIC's Deputy to the Chairman and Chief Financial Officer 
stated that FDIC concurred with seven of our recommendations and has 
implemented or will implement them in the coming year. FDIC partially 
concurred with our remaining five recommendations and, based on the 
Deputy's comments, we have made revisions to and clarified one of the 
recommendations. The Deputy stated that the corporation has developed 
or implemented plans to adequately address the underlying risks that 
prompted these five recommendations, in some instances through 
alternative corrective actions. If the corporation effectively 
implements these corrective actions, it will have satisfied the intent 
of our recommendations. 

Background: 

Information security is a critical consideration for any organization 
that depends on information systems and computer networks to carry out 
its mission or business. It is especially important for government 
agencies, where maintaining the public's trust is essential. The 
dramatic expansion in computer interconnectivity and the rapid increase 
in the use of the Internet have changed the way our government, the 
nation, and much of the world communicate and conduct business. 
However, without proper safeguards, systems are unprotected from 
individuals and groups with malicious intent to intrude and use the 
access to obtain sensitive information, commit fraud, disrupt 
operations, or launch attacks against other computer systems and 
networks. This concern is well-founded for a number of reasons, 
including the dramatic increase in reports of security incidents, the 
ease of obtaining and using hacking tools, the steady advance in the 
sophistication and effectiveness of attack technology, and the dire 
warnings of new and more destructive attacks to come. 

Computer-supported federal operations are likewise at risk. Our 
previous reports and those of agency inspectors general describe 
persistent information security weaknesses that place a variety of 
federal operations at risk of disruption, fraud, and inappropriate 
disclosure. Thus, we have designated information security as a 
governmentwide high-risk area since 1997,[Footnote 7] a designation 
that remains today[Footnote 8].  

Recognizing the importance of securing federal agencies' information 
and systems, Congress enacted the Federal Information Security 
Management Act of 2002 (FISMA) to strengthen the security of 
information and systems within federal agencies.[Footnote 9] FISMA 
requires each agency to use a risk-based approach to develop, document, 
and implement a departmentwide information security program for the 
information and systems that support the operations and assets of the 
agency.  

FDIC Is a Key Protector of Bank and Thrift Depositors: 

Congress created FDIC in 1933[Footnote 10] to restore and maintain 
public confidence in the nation's banking system. The Financial 
Institutions Reform, Recovery, and Enforcement Act of 1989 sought to 
reform, recapitalize, and consolidate the federal deposit insurance 
system[Footnote 11]. The act designated FDIC as the administrator of 
two funds responsible for protecting insured bank and thrift 
depositors--BIF and the SAIF. The act also designated FDIC as the 
administrator of the FSLIC Resolution Fund, which was created to 
complete the affairs of the former FSLIC and liquidate the assets and 
liabilities transferred from the former Resolution Trust Corporation. 
On February 8, 2006, the President signed into law the Federal Deposit 
Insurance Reform Act of 2005. Among its provisions, the act calls for 
the merger of the BIF and SAIF into the D[Footnote 12]IF. FDIC 
completed this merger on March 31, 2006. In managing these funds, the 
corporation has an examination and supervision program to monitor the 
safety of deposits held in member institutions.  

FDIC insures deposits in excess of $4 trillion for its 8,693 member 
institutions. FDIC had a budget of about $1.06 billion for calendar 
year 2006 to support its activities in managing the funds. For that 
year, it processed almost 21 million financial transactions. 

FDIC Reliance on Computer Systems: 

FDIC relies extensively on computerized systems to support its 
financial operations and store the sensitive information that it 
collects. Its local and wide area networks interconnect these systems. 
To support its financial management functions, the corporation relies 
on the NFE and several financial systems that process and track 
financial transactions, including premiums paid by its member 
institutions and disbursements made to support operations. Other 
systems maintain personnel information for employees, examination data 
for financial institutions, and legal information on closed 
institutions. At the time of our review, there were about 5,629 users 
on FDIC systems. 

Federal law delineates responsibilities for the management of computer 
systems at FDIC. Under FISMA, the Chairman of FDIC is responsible for, 
among other things, (1) providing information security protections 
commensurate with the risk and magnitude of the harm resulting from 
unauthorized access, use, disclosure, disruption, modification, or 
destruction of the agency's information systems and information; (2) 
ensuring that senior agency officials provide information security for 
the information and information systems that support the operations and 
assets under their control; and (3) delegating to the agency's Chief 
Information Officer the authority to ensure compliance with the 
requirements imposed on the agency under FISMA. 

Two deputies to the Chairman--the Chief Financial Officer and Chief 
Operating Officer--also have information security responsibilities. The 
Chief Financial Officer is responsible for the preparation of financial 
statements and ensures that they are fairly presented and demonstrate 
discipline and accountability. The Chief Financial Officer is part of a 
senior management group that oversees the NFE. The group receives 
monthly system progress updates from the NFE project team. 

The Chief Operating Officer is responsible for planning, coordinating, 
evaluating, and improving programs and resource management. He is also 
in charge of the Chief Information Officer, who is responsible for 
developing and maintaining a departmentwide information security 
program and for developing and maintaining information security 
policies, procedures, and control techniques that address all 
applicable requirements. 

Objectives, Scope, and Methodology: 

The objectives of our review were to assess (1) the progress FDIC has 
made in correcting or mitigating remaining information system control 
weaknesses reported as unresolved at the time of our prior review in 
2005[Footnote 13] and (2) the effectiveness of the corporation's 
information system controls for protecting the confidentiality, 
integrity, and availability of financial and sensitive data. An 
integral part of our objectives was to support the opinion on internal 
control in GAO's 2006 financial statement audit by assessing the degree 
of security over systems that support the generation of the FDIC funds' 
financial statements. 

Our scope and methodology was based on our Federal Information System 
Controls Audit Manual,[Footnote 14] which contains guidance for 
reviewing information system controls that affect the confidentiality, 
integrity, and availability of computerized data. Focusing on FDIC's 
financial systems and associated infrastructure, we evaluated the 
effectiveness of information security controls that are intended to: 

* prevent, limit, and detect access to computer resources (data, 
programs, and systems), thereby protecting these resources against 
unauthorized disclosure, modification, and use; 

* provide physical protection of computer facilities and resources from 
unauthorized use, espionage, sabotage, damage, and theft; 

* prevent the exploitation of vulnerabilities; 

* prevent the introduction of unauthorized changes to application or 
system software; 

* ensure that work responsibilities for computer functions are 
segregated so that one individual does not perform or control all key 
aspects of computer-related operations and thereby have the ability to 
conduct unauthorized actions or gain unauthorized access to assets or 
records without detection; and: 

* ensure the implementation of secure and effective configuration 
management. 

In addition, we evaluated aspects of FDIC's information security 
program as they relate to NFE. This program includes assessing risk; 
developing and implementing policies, procedures, and security plans; 
promoting security awareness and providing specialized training for 
those with significant security responsibilities; testing and 
evaluating the effectiveness of controls; planning, implementing, 
evaluating, and documenting remedial actions to address information 
security deficiencies; detecting, reporting, and responding to security 
incidents; and ensuring the continuity of operations. 

To evaluate FDIC's information security controls and program, we 
identified and examined pertinent FDIC security policies, procedures, 
guidance, security plans, and relevant reports provided during 
fieldwork. In addition, we conducted tests and observations of controls 
in operation and reviewed corrective actions taken by the corporation 
to address vulnerabilities identified during our previous 
review.[Footnote 15] We also discussed with key security 
representatives, system administrators, and management officials 
whether information system controls were in place, adequately designed, 
and operating effectively. 

We performed our review at the FDIC computer facility in Arlington, 
Virginia, from September 2006 through February 2007. Our review was 
performed in accordance with generally accepted government auditing 
standards. 

FDIC Has Made Substantial Progress Correcting Previously Reported 
Weaknesses: 

FDIC has taken steps to address security control weaknesses. The 
corporation has corrected or mitigated 21 of the 26 weaknesses that we 
previously reported as unresolved at the completion of our calendar 
year 2005 audit (see app. I). For example, the corporation has: 

* developed and implemented procedures to prohibit the transmission of 
mainframe user and administrator passwords in plaintext across the 
network, 

* established and implemented a process to monitor and report on vendor-
supplied account/password combinations, and: 

* improved mainframe security monitoring controls. 

While the corporation has made important progress in strengthening its 
information security controls, it is still in the process of completing 
actions to correct or mitigate the remaining five previously reported 
weaknesses. These uncorrected actions include ensuring that only 
authorized application software changes are implemented, limiting 
network access to sensitive personally identifiable and business 
proprietary information, effectively generating and reviewing the NFE 
audit reports, adequately controlling physical access to the Virginia 
Square building, and properly segregating incompatible system-related 
functions, duties, and capacities for an individual associated with the 
NFE. Not addressing these actions could leave the corporation's 
sensitive data vulnerable to unauthorized access and manipulation. 

Appendix I describes the previously reported weaknesses in information 
security controls that were unresolved at the time of our prior review 
and the status of the corporation's corrective actions. 

FDIC Has Made Progress in Information System Controls, However Some 
Weaknesses Remain: 

Although FDIC made substantial improvements to its information system 
controls, unresolved and newly identified weaknesses could limit its 
ability to effectively protect the confidentiality, integrity, and 
availability of its financial and sensitive information and information 
systems. Specifically, we identified new weaknesses in controls related 
to (1) e-mail security, (2) physical security, and (3) configuration 
management. Although these control weaknesses do not pose significant 
risks of misstatement to the financial reports, they do increase the 
risk to FDIC's financial and sensitive systems and information and 
increase the risk of unauthorized modification of data and programs, 
inappropriate disclosure of sensitive information, or disruption of 
critical operations. 

E-mail Security: 

E-mail is perhaps the most popular system for exchanging business 
information over the Internet or any other computer network. Because 
the computing and networking technologies that underlie e-mail are 
widespread and well-known, attackers are able to develop attack methods 
to exploit security weaknesses. E-mail messages can be secured in 
various ways including the use of digital signatures. Digital 
signatures can be used to ensure the integrity of an e-mail message and 
confirm the identity of its sender. National Institute of Standards and 
Technology (NIST) guidance recommends that organizations consider the 
implementation of secure e-mail technologies such as digital signatures 
to ensure the integrity of e-mail data. FDIC policy requires individual 
division managers to establish specific procedures regarding the use of 
secure e-mail technologies for e-mail. 

FDIC did not use secure e-mail methods to protect the integrity of 
certain accounting data transferred over an internal communication 
network. The corporation relied upon unsecured e-mail transmission of 
accounting data instead of using more secure methods, such as securing 
e-mail with digital signatures or using the internal data transmission 
functions in NFE. Specifically, it did not use secure e-mail 
correspondence during monthly NFE closing processes because the 
Division of Finance--the division responsible for the financial 
environment--had not developed requirements for securing e-mail. In 
addition, the e-mail system could be compromised by sending e-mails 
using forged sender names and addresses. As a result, increased risk 
exists that an attacker could manipulate accounting data. 

Physical Security: 

Physical security controls are important for protecting computer 
facilities and resources from espionage, sabotage, damage, and theft. 
These controls involve restricting physical access to computer 
resources, usually by limiting access to the buildings and rooms in 
which the resources are housed, and periodically reviewing access 
granted to ensure that it continues to be appropriate. FDIC policy also 
requires that visitors be allowed to enter an office only after 
providing proof of identity, identifying the person they are visiting, 
signing a visitor log, obtaining a visitor badge, and being escorted at 
all times by the employee whom they are visiting. 

FDIC did not apply physical security controls for some instances. For 
example, an unauthorized visitor was able to enter a key FDIC facility 
without providing proof of identity, signing a visitor log, obtaining a 
visitor's badge, or being escorted. In addition, a workstation that had 
access to a payroll system was located in an unsecured office. As a 
result, increased risk exists that unauthorized individuals could gain 
physical access to a key facility and to systems that have sensitive 
information. 

Configuration Management: 

Configuration management involves the identification and management of 
security features for all hardware, software, and firmware components 
of an information system at a given point and systematically controls 
changes to that configuration during the system's life cycle. The 
agency should have configuration management controls to ensure that 
only authorized changes are made to such critical components. In 
addition, all applications and changes to those applications should go 
through a formal, documented systems development process that 
identifies all changes to the baseline configuration. Also, procedures 
should ensure that no unauthorized software is installed. Patch 
management, a component of configuration management, is an important 
element in mitigating the risk associated with software 
vulnerabilities. Up-to-date patch installations help mitigate 
vulnerabilities associated with flaws in software code that could be 
exploited to cause significant damage. FDIC policy requires that 
patches be implemented within the specified time frames. In addition, 
FDIC policy states that configuration status accounting and 
configuration auditing, which includes both functional and physical 
audits, should be performed. Configuration audits help to maintain the 
integrity of the configuration baseline as well as to ensure that when 
a significant product change is introduced, only authorized changes are 
being made. FDIC policy also states that project documentation should 
be managed and updated as it evolves over time. 

FDIC did not consistently implement configuration management controls 
for NFE. Specifically, the corporation did not: 

* develop and maintain a complete listing of all configuration items 
and a baseline configuration for NFE, including application software, 
data files, software development tools, hardware, and documentation; 

* ensure that all significant system changes, such as parameter 
changes, go through a change control process; 

* apply comprehensive patches to system software in a timely manner. 
For example, a FDIC report stated that in the third quarter of fiscal 
year 2006, software patches for 15 out of 21 high-risk vulnerabilities 
and 5 out of 34 medium-risk vulnerabilities were not implemented within 
required time frames. In another report, between July 9, 2006, and 
October 9, 2006, out of nine high-risk patches that were not 
implemented within the required time period, eight were not implemented 
for 42 days. 

* review status accounting reports, or perform complete functional and 
physical configuration audits; and: 

* update or control documents to reflect the current state of the 
environment and to ensure consistency with related documents. 
Specifically, documents such as the NFE security plan, risk assessment, 
and contingency plan did not reflect the current environment. 

The NFE project team did not institute the above because it did not 
always consistently follow the processes as outlined in the NFE 
configuration management plan. According to FDIC officials, they were 
not following the plan because it has not been updated to reflect the 
new system development life cycle. In addition, according to an FDIC 
official, patches were not implemented in the specified time frames 
because contractors do not always follow FDIC policy. 

As a result, the corporation has a higher risk that NFE may not perform 
as intended. 

NFE Was Not Fully Integrated into the Corporation's Information 
Security Program: 

Although FDIC had taken steps to develop, document, and implement a 
corporate information security program, it did not fully implement key 
control activities for NFE. For example, FDIC had not sufficiently 
assessed risks, updated the security plan, reported computer security 
incidents, or updated the contingency plan to reflect the current 
environment for NFE. 

Risk Assessments: 

Identifying and assessing information security risks are essential 
steps in determining what controls are required. Moreover, by 
increasing awareness of risks, these assessments can generate support 
for the policies and controls that are adopted in order to help ensure 
that they operate as intended. Security testing and evaluation can be 
used to efficiently identify system vulnerabilities for use in a risk 
assessment. NIST guidance states that the risk assessment should be 
updated to reflect the results of the security test and evaluation. 

The risk assessment for NFE was not properly updated. FDIC performed a 
security test and evaluation after the risk assessment was performed. 
However, the risk assessment was not updated to include the risks 
associated with any of the newly identified vulnerabilities. As a 
result, NFE may have inadequate or inappropriate security controls that 
might not address the system's true risk. 

Security Plans: 

A security plan provides an overview of the system's security 
requirements and describes the controls that are in place--or planned-
-to meet those requirements. Common security controls are controls that 
can be applied to one or more organizational information systems. 
System-specific controls are the responsibility of the information 
system owner. NIST guidance states that system security plans should 
clearly identify which security controls have been designated as common 
security controls and the individual responsible for implementing the 
common security control. In addition, NIST guidance states that 
organizations should update information system security plans to 
address system/organizational changes. 

The corporation did not update the system security plan for NFE. FDIC 
has identified 77 management, operational, and technical common 
security controls established in its information system. However, the 
NFE security plan was not updated to clearly identify common security 
controls. In addition, the security plan was not updated to reflect the 
correct servers or recently installed mainframe hardware. As a result, 
increased risk exists that proper controls may not be implemented for 
the NFE. 

Incident Handling: 

Even strong controls may not block all intrusions and misuse, but 
organizations can reduce the risks associated with such incidents if 
they take steps to promptly detect and respond to them before 
significant damage is done. In addition, analyzing security incidents 
allows organizations to gain a better understanding of the threats to 
their information and the costs of their security-related problems. 
Such analyses can pinpoint vulnerabilities that need to be eliminated 
so that they will not be exploited again. FISMA requires that agency 
information security programs include procedures for detecting and 
reporting security incidents. NIST guidance states that organizations 
should implement an incident handling capability for security incidents 
that includes preparation, detection and analysis, containment, 
eradication, and recovery. In addition, NIST guidance states that 
organizations should regularly review and analyze information system 
audit records for indications of inappropriate or unusual activity, 
investigate suspicious activity or suspected violations, report 
findings to appropriate officials, and take necessary actions. FDIC 
policy requires all users of the corporate information systems to 
report suspected computer security incidents[Footnote 16] to the 
Computer Security Incident Response Team (CSIRT).  

FDIC has implemented an incident handling program, including 
establishing a team and associated procedures for detecting, responding 
to, and reporting computer security incidents. However, the corporation 
did not always review events occurring in the NFE to determine whether 
the events were computer security incidents or not. For example, during 
our observation of the purchase order matching process, an FDIC 
official overrode a matching exception. Although an override exception 
matching report was generated, it was not reviewed to determine if it 
was an incident, and was not forwarded to CSIRT. According to an 
official, there were not always procedures to review events in NFE. As 
a result, increased risk exists that computer security incidents that 
relate to the NFE will not be identified. 

Continuity of Operations: 

Continuity of operations, which includes disaster recovery planning, 
should be designed to ensure that when unexpected events occur, 
essential operations continue without interruption or can be promptly 
resumed, and critical and sensitive data are protected. These controls 
include procedures to minimize the risk of unplanned interruptions, 
along with a well-tested plan to recover critical operations should 
interruptions occur. FISMA requires that agencies have plans and 
procedures to ensure the continuity of operations for information 
systems that support the operations and assets of the agency. NIST 
guidance states that disaster recovery plans, including contingency 
plans, should be maintained in a ready state that accurately reflects 
system requirements, procedures, and organizational structure. 

FDIC has developed plans for the continuity of NFE operations. To 
assess the effectiveness of the plans, FDIC successfully tested the NFE 
at its new disaster recovery site.[Footnote 17] However, the NFE 
contingency plan was not updated to reflect the new disaster recovery 
site. In addition, the plan identified servers that were not in use. As 
a result, FDIC has limited assurance it will be able to efficiently 
implement continuity of operations for the NFE in the event of an 
emergency when knowledgeable employees are not available. 

Conclusions: 

FDIC has made substantial progress in correcting previously reported 
weaknesses and has taken other steps to improve information security. 
Although five weaknesses from prior reports remain unresolved and new 
control weaknesses related to (1) e-mail security, (2) physical 
security, and (3) configuration management were identified, the 
remaining unresolved weaknesses previously reported and the newly 
identified weaknesses did not pose significant risk of misstatement in 
the corporation's financial statements for calendar year 2006. However, 
the old and new weaknesses do increase preventable risk to the 
corporation's financial and sensitive systems and information. 

Since FDIC did not fully integrate its NFE into its information 
security program, it did not fully implement key control activities for 
NFE, such as sufficiently assessing risks, updating the security plan, 
reporting computer security incidents, or updating the contingency plan 
to reflect the current environment. Continued management commitment to 
integrating the NFE into the corporate information security program 
will be essential to ensure that the corporation's financial and 
sensitive information will be adequately protected. As the corporation 
continues to enhance the NFE, its reliance on controls implemented in 
this single, integrated financial system will increase. Until FDIC 
fully integrates NFE into the security program, its ability to maintain 
adequate information system controls over its financial and sensitive 
information will be limited. 

Recommendations for Executive Action: 

In order to sustain progress to its program, we recommend that the FDIC 
Chief Financial Officer and Chief Operating Officer direct that the 
following 12 actions be performed in a timely manner: 

* Require that e-mail containing or transmitting accounting data be 
secured to protect the integrity of the accounting data. 

* Train security personnel to implement the corporation's policy on 
physical security of the facility. 

* Instruct FDIC personnel to lock rooms that contain sensitive 
software. 

* Develop a configuration item index of all configuration items for NFE 
using a consistent and documented naming convention. 

* Require that significant changes to the system, such as parameter 
changes, go through a formal change management process. 

* Implement patches in a timely manner. 

* Require that the NFE project team review status accounting reports 
and perform complete functional and physical configuration audits. 

* Adequately control the NFE documents so that they are up-to-date and 
accurately reflect the current environment. 

* Update the NFE risk assessment to include the risk associated with 
vulnerabilities identified during security testing and evaluation. 

* Update the NFE security plan to clearly identify all common security 
controls. 

* Develop procedures to review events occurring in the NFE to determine 
whether the events are computer security incidents. 

* Update the contingency plan to reflect the new disaster recovery site 
and servers that are in use. 

Agency Comments and Our Evaluation: 

We received written comments on a draft of this report from FDIC's 
Deputy to the Chairman and Chief Financial Officer (these are reprinted 
in app. II). The Deputy acknowledged the benefit of the recommendations 
made as part of this year's audit and stated that FDIC concurred with 
seven of our recommendations and has implemented or will implement them 
in the coming year. He also stated that FDIC partially concurred with 
our remaining five recommendations and has developed or implemented 
plans to adequately address the underlying risks that prompted these 
five recommendations, in some instances through alternative corrective 
actions. 

With regard to the five recommendations to which FDIC partially 
concurred, if the corporation adequately implements the corrective 
actions below, it will have satisfied the intent of our 
recommendations. Regarding our recommendation that FDIC require that e- 
mail containing or transmitting accounting data be secured to protect 
the integrity of the accounting data, the Deputy stated that by July 
31, 2007, FDIC will ensure that the integrity of accounting data 
transmitted by e-mail is appropriately protected, and that it will 
evaluate the various exchanges of accounting information and identify 
and document where more secure communications are needed. Concerning 
our recommendation that FDIC instruct personnel to lock rooms that 
contain sensitive software, the Deputy stated that FDIC has conducted 
additional analysis on the software that had access to payroll 
information and has removed that software from the desktop. With regard 
to our recommendation that FDIC require that significant changes to the 
system, such as parameter changes, go through a formal change 
management process, the Deputy stated that by December 31, 2007, FDIC 
will have developed procedures that will include appropriate management 
of, and documentation standards for, parameter changes. Based on the 
Deputy's comments, we have clarified our recommendation that FDIC 
update the NFE risk assessment to include the risk associated with 
vulnerabilities identified during security testing and evaluation. The 
Deputy stated that FDIC has since changed its process to require 
updates to the risk assessments when applications undergo major changes 
that affect the security of the system. Finally, with regard to the 
recommendation that FDIC develop procedures to review events occurring 
in the NFE to determine whether the events are computer security 
incidents, the Deputy stated that FDIC addressed this issue during the 
first quarter of 2007 when it established a formal process for 
monitoring and reviewing such events. In addition, FDIC plans to have 
documented procedures for elevating potential security violations to 
the incident handling team and for monitoring unusual events by August 
31, 2007. 

We are sending copies of this report to the Chairman and Ranking 
Minority Member of the Senate Committee on Banking, Housing, and Urban 
Affairs; the Chairman and Ranking Minority Member of the House 
Committee on Financial Services; members of the FDIC Audit Committee; 
officials in FDIC's divisions of information resources management, 
administration, and finance; and the FDIC inspector general. We will 
also make copies available to others upon request. In addition, this 
report will be available at no charge on the GAO Web site at http:// 
www.gao.gov. 

If you have any questions regarding this report, please contact me at 
(202) 512-6244 or by e-mail at wilshuseng@gao.gov. Contact points for 
our Offices of Congressional Relations and Public Affairs may be found 
on the last page of this report. Key contributors to this report are 
listed in appendix III. 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

[End of section] 

Appendix I: Status of Previously Reported Weaknesses:  

Information Security: Information System Controls at the Federal 
Deposit Insurance Corporation (GAO-04-629; ). 

Access authority. 

Weakness: 1. Federal Deposit Insurance Corporation (FDIC) was using 
live data to support application development and testing; 
Action completed: X; 
Action in progress: [Empty]. 

Network security. 

Weakness: 2. Personal firewall settings for corporate examiner laptop 
computers that were used for remotely connecting to the network were 
not adequately secured; 
Action completed: X; 
Action in progress: [Empty]. 

Information Security: Federal Deposit Insurance Corporation Needs to 
Sustain Progress (GAO-05-487SU; ). 

Access controls. 

Weakness: 3. Procedures were not established to prevent processes 
running in supervisor state in one logical partition from accessing 
datasets stored in another partition; 
Action completed: X; 
Action in progress: [Empty]. 

Weakness: 4. Procedures were not in place to identify and effectively 
control risks caused by sharing critical system components between 
production and nonproduction LPARs (logical partitions); 
Action completed: X; 
Action in progress: [Empty]. 

Network security. 

Weakness: 5. Structured query language database server configurations 
for many of FDIC's financial applications were not adequately secured; 
Action completed: X; 
Action in progress: [Empty]. 

Application change control. 

Weakness: 6. Procedures have not been consistently followed for 
authorizing, documenting, and reviewing all application software 
changes; 
Action completed: [Empty]; 
Action in progress: X. 

Information Security: Federal Deposit Insurance Corporation Needs to 
Improve Its Program (GAO-06-619SU; ). 

Access controls. 

Weakness: 7. FDIC did not always change vendor-supplied account/ 
password combinations; 
Action completed: X; 
Action in progress: [Empty]. 

Weakness: 8. FDIC did not adequately control inactive user accounts. 
FDIC policy requires accounts that have not been used within 60 days be 
deleted; 
Action completed: X; 
Action in progress: [Empty]. 

Weakness: 9. FDIC transmitted mainframe user and administrator 
passwords in plaintext across the network; 
Action completed: X; 
Action in progress: [Empty]. 

Weakness: 10. FDIC did not adequately enforce password management 
restrictions; 
Action completed: X; 
Action in progress: [Empty]. 

Access rights and permissions. 

Weakness: 11. FDIC access authorizations did not consistently support 
the access rights granted to New Financial Environment (NFE) users; 
Action completed: X; 
Action in progress: [Empty]. 

Weakness: 12. FDIC did not adequately control access to datasets 
containing sensitive data critical to the integrity of loss 
calculations used by the Division of Insurance; 
Action completed: X; 
Action in progress: [Empty]. 

Weakness: 13. FDIC did not effectively limit network access to 
sensitive personally identifiable and business proprietary information; 
Action completed: [Empty]; 
Action in progress: X. 

Network services. 

Weakness: 14. FDIC did not securely configure Internet-accessible 
remote access to its information resources; 
Action completed: X; 
Action in progress: [Empty]. 

Weakness: 15. FDIC permitted the use of unencrypted network protocols 
on its UNIX systems; 
Action completed: X; 
Action in progress: [Empty]. 

Configuration assurance. 

Weakness: 16. FDIC did not securely configure an Oracle production 
database; 
Action completed: X; 
Action in progress: [Empty]. 

Weakness: 17. FDIC did not properly secure the Apache Tomcat server 
that hosts a production database used by the employee time and 
attendance system; 
Action completed: X; 
Action in progress: [Empty]. 

Weakness: 18. FDIC did not securely configure its workstations; 
Action completed: X; 
Action in progress: [Empty]. 

Weakness: 19. FDIC laptop computers had unnecessary wireless 
technologies enabled; 
Action completed: X; 
Action in progress: [Empty]. 

Weakness: 20. FDIC's Blackberry Enterprise Server and handheld devices 
were deployed and configured with several security weaknesses; 
Action completed: X; 
Action in progress: [Empty]. 

Audit and monitoring of security-related events. 

Weakness: 21. FDIC did not effectively generate NFE audit reports or 
review them; 
Action completed: [Empty]; 
Action in progress: X. 

Weakness: 22. FDIC's ability to monitor changes to critical mainframe 
datasets was inadequate; 
Action completed: X; 
Action in progress: [Empty]. 

Weakness: 23. FDIC did not sufficiently audit system activities on its 
Oracle databases; 
Action completed: X; 
Action in progress: [Empty]. 

Physical security. 

Weakness: 24. FDIC did not adequately control physical access to the 
Virginia Square computer processing facility; 
Action completed: [Empty]; 
Action in progress: X. 

Segregation of duties. 

Weakness: 25. FDIC did not properly segregate incompatible system- 
related functions, duties, and capacities for an individual associated 
with the NFE; 
Action completed: [Empty]; 
Action in progress: X. 

Weakness: 26. FDIC granted NFE accounts payable users inappropriate 
access to perform incompatible functions; 
Action completed: X; 
Action in progress: [Empty]. 

Source: GAO. 

[End of table] 

[End of section] 

Appendix II: Comments from the Federal Deposit Insurance Corporation: 

Federal Deposit Insurance Corporation: 
550 17th Street NW, 
Washington, D.C. 20429-9990: 
Deputy to the Chairman and CFO: 

April 25, 2007: 

Mr. Gregory C. Wilshusen: 
Director, Information Security Issues: 
Government Accountability Office: 
Washington, D.C. 20548: 

Re: FDIC Management Response to the GAO 2006 Audit of Security Program: 

Dear Mr. Wilshusen: 

Thank you for the opportunity to comment on the U.S. Government 
Accountability Office's (GAO) draft audit report titled, Information 
Security: Federal Deposit Insurance Corporation Needs to Sustain 
Progress Improving Its Program, GAO-07-351. The report presents GAO's 
assessment of the progress the Federal Deposit Insurance Corporation 
(FDIC) has made in correcting or mitigating remaining information 
system control weaknesses reported as unresolved at the time of the 
GAO's prior review in 2005, as well as outlining GAO's findings with 
respect to the effectiveness of the corporation's information system 
controls for protecting the confidentiality, integrity, and 
availability of its information and information systems during 2006. 

We are pleased to accept GAO's acknowledgement of the substantial 
progress FDIC has made in correcting previously reported weaknesses and 
improving its information security controls. We are also pleased to 
have GAO acknowledge that, although the weaknesses identified warrant 
FDIC management's attention, they do not pose a significant risk to the 
integrity of the financial statements of either the Deposit Insurance 
Fund (DIF) or the FSLIC solution Fund (FRF). Further, we appreciate the 
work of the GAO and recognize the benefit ber of the recommendations 
made as part of this year's audit. The FDIC has, in fact, already 
completed actions to address some of those recommendations and is 
actively engaged in completing many others. 

The GAO's report contains twelve new recommendations to assist FDIC in 
sustaining the progress it has made enhancing its information security 
program. At this time, the FDIC concurs with seven recommendations and 
partially concurs with the remaining five. In instances where FDIC did 
not fully concur with specific GAO recommendations, FDIC has developed 
or implemented plans to adequately address the underlying risks that 
prompted the recommendations. In some instances, we chose to pursue 
alternative corrective actions. The detailed responses to these twelve 
new recommendations are provided in Attachment l. Appendix I of the 
GAO's report cites five weaknesses that were identified in the previous 
IT security audit and that GAO concludes remain unresolved. Our 
responses to the five, unresolved, prior year weaknesses are provided 
in Attachment 2. For all but two weaknesses identified 1 n GAO's 
report, corrective action has already been or will be completed by 
December 31, 2007. Corrective action for the remaining two will involve 
multi- year efforts to ensure a comprehensive solution. For those two 
multi- year efforts, the most significant risks will be addressed 
earlier in these projects wherever possible. 

Once again, we thank you for your past contributions and your diligent 
work on this year's audit. We look forward to continuing our productive 
dialogue with the GAO as we continue to enhance our information 
security program. 

If you have any questions relating to the FDIC management response, 
please contact James H. Angel, Jr., Director, Office of Enterprise Risk 
Management, at 703-562-6456. 

Sincerely, 

Signed by: 

Steven O. App: 

Deputy to the Chairman and Chief Financial Officer: 

cc: John Bovenzi: 
Michael Bartell: 
Fred Selby: 
James H. Angel, Jr. 
Audit Committee: 

Attachment 1: 

FDIC Responses to GAO Recommendations April 25, 2007: 

Recommendation 1: Require that e-mail containing or transmitting 
accounting data be secured to protect the integrity of the accounting 
data. 

FDIC Response: Partially Concur: 

We agree that certain information may need additional security measures 
to protect the integrity of data transferred over an internal 
communication network. We disagree, however, with the specific example 
that e-mail containing or transmitting basic accounting information 
shared during the monthly New Financial Environment (NFE) closing 
process be secured beyond controls in the e-mail system. E-mail 
correspondence received/sent during the monthly process relating to 
accounting information used to produce journal entries such as the 
monthly expense accrual journal is between known parties, the normal 
monthly amount is known, and the data received is reviewed prior to 
being approved/recorded. This accounting data is reversed in the next 
period and does not impact in any way the amount that will eventually 
be paid to vendors. Any unusual information sent/received related to 
these journal entries would be followed up on prior to a journal entry 
being recorded in NFE. To ensure that the integrity of accounting data 
transmitted by e-mail is appropriately protected, the Division of 
Finance (DOF) will evaluate the various exchanges of accounting 
information within our business processes and identify and document 
where more secure communication methods are warranted. These actions 
will be completed by July 31, 2007. 

Recommendation 2: That FDIC train security personnel to implement the 
corporation's policy on physical security of the facility. 

FDIC Response: Concur: 

The Division of Administration (DOA) concurs with this recommendation. 
The DOA Security and Emergency Preparedness Section (SEPS) has 
implemented a physical security program that takes a proactive approach 
regarding facility access controls. The SEPS considers the security of 
FDIC personnel and protection of its facilities of utmost importance. 
Based on the GAO finding, the SEPS met with the FDIC's security guard 
contractor to discuss the situation. It was determined that the 
security breach was an isolated incident and, after an investigation 
was conducted, the Security Officer who allowed the unauthorized 
individual access to the FDIC facility was dismissed. 

As part of the FDIC's Security Officer Orientation and Training, 
security officers are provided three days of intense on-the-job- 
training (OJT) to ensure that they are knowledgeable on all FDIC 
Security Policies and Procedures, post orders, general orders, special 
orders, and any other applicable security requirements. The OJT 
provides the awareness and working requirements that involve access 
control policies and procedures. In addition, as part of a SEPS long 
standing operating practice, a process exists whereby reminders are 
issued daily to all Security Officers that communicate the importance 
of enforcing all visitor access policies and procedures. The reminders 
are issued to security officers when the guards change shifts. SEPS 
will continue to ensure that incidents such as the reported security 
breach are addressed through the above cited training programs and 
daily guard briefings. 

Recommendation 3: Instruct FDIC personnel to lock rooms that contain 
sensitive software. 

FDIC Response: Partially Concur: 

The FDIC has taken very seriously the GAO statement of weakness in the 
draft report that, "a workstation that had access to a payroll system 
was located in an unsecured office. As a result, increased risk exists 
that unauthorized individuals could gain physical access to a key 
facility and to systems that have sensitive information." Accordingly, 
the FDIC immediately removed the questioned software from the desktop. 

FDIC subsequently revisited GAO's concern by reviewing the security 
controls and potential vulnerabilities of the questioned software. Both 
the Division of Information Technology (DIT) Information Security and 
Privacy Staff and the Infrastructure Services Branch Server Engineering 
staff participated in this review. 

* Based upon discussions with the GAO audit team, it was determined 
that GAO may have assumed that because this software was made available 
on a "limited use" basis, that the FDIC had concerns about the security 
of this software. In fact, the classification as "limited use" software 
by FDIC is a budgetary classification. The licenses for this software 
can be purchased on a desktop by desktop basis, which is more expensive 
per machine than FDIC's customary purchase of software on an enterprise 
basis but, nevertheless, can be very cost effective in instances where 
only a few individuals require access to the software. For budgetary 
reasons, FDIC decided to provide this software on a "limited use" 
basis, only as specifically required to perform critical business 
functions and where a less expensive alternative is not readily 
available. 

* FDIC also understood from the GAO audit team that GAO may have had 
concerns that the software in question may be using an "unencrypted 
protocol" to facilitate "peer-to-peer" connections. The FDIC has 
evaluated this concern, and we believe that the proper encryption and 
authentication protocols were in place to mitigate these concerns. 

* Finally, during the FDIC's discussion with the GAO audit team, it was 
confirmed that no connection to payroll or any other application was 
attempted or completed. The weakness statement in the GAO report 
indicates that, ".a workstation that had access to a payroll system was 
located in an unsecured office. As a result, increased risk exists that 
unauthorized individuals could gain physical access to a key facility 
and to systems that have sensitive information." This statement may 
lead some readers of this report to incorrectly believe that access was 
open to payroll data. FDIC maintains that the password and encryption 
controls FDIC had in place for this software properly restricts access 
and protects our corporate data. 

In summary, FDIC's technical evaluation regarding the questioned 
software determined: 

* The desktop software in question is not considered "Sensitive 
Software"; 

* The identified software itself does not introduce any additional risk 
to FDIC applications; 

* Use of this software requires authentication to access the desktop 
and again to access the server; 

* All traffic between the desktop software and the server is encrypted; 
and as a result: 

* Additional controls to physically lock offices are not required. 

Recommendation 4: Develop a configuration item index of all 
configuration items for NFE using a consistent and documented naming 
convention. 

FDIC Response: Concur: 

FDIC currently uses the following configuration management software to 
manage configuration changes: 

* StarTeam is used to manage documentation and non-mainframe 
application source code. 

* Endevor is used to manage mainframe source code. 

* PeopleSoft is used by the NFE project team for application 
development, and it includes its own internal configuration management 
capabilities. 

Each of these tools can generate a listing of their managed 
configuration items on an ad-hoc basis that could potentially be used 
to develop the recommended item index using a documented naming 
convention. To ensure that FDIC implements an appropriate strategy for 
the development and maintenance of a complete listing of all 
configuration items and baseline configuration for NFE including 
application software, data files, software development tools, hardware 
and documentation, the FDIC will: 

* review the current use of these configuration tools as well as other 
tools available; and: 

* make a determination regarding the best combination to be utilized to 
ensure the consistent implementation of configuration management 
controls for NFE. Once this has been determined, the configuration item 
index and the document naming convention will be in place by December 
31, 2007. 

Recommendation 5: Require that significant changes to the system, such 
as parameter changes, go through a formal change management process. 

FDIC Response: Partially Concur: 

Software changes already are required to go through a formal change 
control process. Although the parameter changes that resulted in this 
finding did not go through the formal change control process, these 
changes were coordinated with and the results reviewed by the necessary 
business areas. Not all changes need to go through the formal change 
control process; however, they should all be documented to support 
changes made. DOF is in the process of developing written procedures 
related to its systems operations and maintenance area which will 
include appropriate management of and documentation standards for 
parameter changes. Documentation will also be developed that defines 
which changes will go through a formal change control process and which 
ones will be covered by operating procedures. This action will be 
completed by December 31, 2007. 

Recommendation 6: Implement patches in a timely manner. 

FDIC Response: Concur: 

FDIC policy requires all high impact security and application software 
patches to be tested and implemented within a 14 day period, where 
practical. FDIC tests and approves all patches prior to installation in 
Production status. In practice some patches cannot be immediately 
deployed due to system or software incompatibility found during FDIC 
testing. This incompatibility results when patch updates cause any of 
the FDIC Production systems to perform improperly, making it 
impractical to install the particular patch within the 14 day window. A 
formal process to document and approve any required waivers to the 
patch installation policy was implemented April 15, 2004. 

GAO correctly identified several Remote Client Network (RCN) servers 
upon which some security patch updates had not been installed in a 
timely manner. The RCN servers were located within the Demilitarized 
Zone (DMZ) of the FDIC protective firewall software. The DMZ protects 
the internal FDIC network by only allowing encrypted access to specific 
ports needed to access the service. FDIC employs two different software 
tools to perform automated scans on all servers to ensure all patches 
are installed and up to date. However, because access to the DMZ was 
blocked, the scan software did not detect that patches on the RCN 
servers were not up to date. Immediately upon notification by GAO, FDIC 
took corrective action to apply all missing patches to all RCN servers. 
Then, technical infrastructure engineers worked with the FDIC firewall 
support group to open ports so that patch updates can be pushed out to 
RCN servers and to include the RCN servers in periodic scan reports 
that identify missing patches. The scan reports are closely monitored 
and reconciled with related reports on the status of FDIC servers. 

Recommendation 7: Require that the NFE project team review status 
accounting reports and perform complete functional and physical 
configuration audits. 

FDIC Response: Concur: 

The FDIC recognizes the definitions of a Physical Configuration Audit 
and a Functional Configuration Audit provided by the Software 
Engineering Institute in its clarification regarding Specific Practices 
3.2 in the Configuration Management Process Area. They are: 

* "Physical configuration audits include the physical description that 
enables the reconstruction of products, product components, and 
baselines. This type of audit ensures the physical configuration is 
complete." 

As specified in the Configuration Management (CM) Plan, a physical 
configuration audit is conducted at the end of the Construction phase 
to ensure that Change Requests (CRs) targeted for the deployment are 
documented properly and that all artifacts changed against those CRs 
are correctly linked and labeled. 

* "Functional configuration audits include the functional description 
that enables the evaluation of conformance to requirements. This type 
of audit ensures that the functional configuration is correct." 

The practice of Functional Configuration Audits is employed at the FDIC 
through the Rational Unified Process (RUP). The RUP process specifies 
that the application be tested through a formal process to determine if 
the changes made to the application are consistent with the 
requirements specified in the Inception Phase. The testing process in 
the Construction and Transition RUP phases results in a Test Analysis 
Report, which serves as the documentation that the application's "as- 
tested" functional characteristics are in conformance with the "as- 
specified" characteristics. This process is performed by the project 
team each time there is a change to the application and is documented 
through the RUP artifacts and stored in StarTeam. Additional guidance 
regarding audits is provided in the CM Plan. 

Status Accounting reports contain the information needed to manage 
software configuration items effectively (i.e., status of proposed 
changes or the implementation status of approved changes to the 
baselines) and are used to support configuration auditing. StarTeam 
provides a reporting capability for ad-hoc charts and reports. The two 
most common reports are the Change Request Link Report and a listing of 
artifacts based on View Label. The NFE Project Team is currently using 
these reports, though not necessarily storing the output. A process 
change will be implemented to ensure that these artifacts are 
maintained in the NFE StarTeam project. 

The CM Plan will be updated, and FDIC will complete physical and 
functional audits and status accounting reports (as defined in our 
response) by December 31, 2007. 

Recommendation 8: Adequately control the NFE documents so that they are 
up-to-date and accurately reflect the current environment. 

FDIC Response: Concur: 

The FDIC has implemented the Certification and Accreditation program, 
which provides a timely methodology and process for maintaining the key 
primary documentation noted by the GAO audit team. The FDIC had already 
scheduled updates to the Security Test and Evaluation and Certification 
and Accreditation (C&A) reviews for NFE to be performed during 2007. 
The C&A is intended to address changes in the NFE environment that will 
also address GAO residual concerns with FDIC's use of the more detailed 
and robust draft of NIST 800-53 controls in the initial C&A review 
process. The final C&A package will include updated C&A artifacts as 
appropriate. The NFE business owner, supported by DIT Information 
Security and Privacy Staff, will monitor the C&A package to ensure that 
it incorporates all major modifications and changes since the prior C&A 
that was completed during 2005. The above C&A tasks will be completed 
by December 31, 2007. 

To further ensure that future changes are properly captured and 
maintained, the DIT NFE project manager in coordination with the DOF 
Information Security Manager and DIT ISPS will manage the configuration 
of each of these documents in StarTeam. The documents will be updated 
at the points called for by the FDIC RUP SDLC, and reviewed at the 
milestones called for by the FDIC RUP. This process will be established 
by June 30, 2007. 

Recommendation 9: Update the NFE risk assessment to include the 
identified vulnerabilities in security testing and evaluation. 

FDIC Response: Partially Concur: 

FDIC agrees with the overriding principle that we believe is behind 
this recommendation, which is that identified risks and open 
vulnerabilities should be properly identified and brought to the 
attention of the certifying and accrediting officials in the risk 
management process. However, the FDIC does not agree with the 
recommendation as specifically written. The Risk Assessment is a 
judgmental examination of the probability of potential harmful events 
conducted early in the development process by internal FDIC staff and 
is not an appropriate place to capture results from the independent 
Security Testing and Evaluation (ST&E) review or other processes. In 
the FDIC's current process, vulnerabilities or security control 
weaknesses detected during the ST&E or other independent processes are 
assigned a risk rating by an independent team and are tracked in a Plan 
of Actions and Milestones (POA&M). 

The POA&M is the document that should be updated throughout the risk 
management process in order to track and mitigate vulnerabilities. 
Through the ST&E portion of the risk management process, security 
control weaknesses are independently identified and rated with an 
appropriate risk level. Within the RUP, the FDIC already requires 
updates to risk assessments when applications undergo major changes 
that affect the security posture of the system or application. 

Vulnerabilities that are mitigated in the POA&M are independently 
verified or retested, as appropriate, by an independent team within the 
DIT Information Security and Privacy Staff to confirm closure. 
Remaining vulnerabilities for which risk is accepted are documented in 
an acceptance of risk (AOR) form that is made part of the documentation 
that is provided to the Certifying Official as part of the 
Certification and Accreditation process. The Certifying Official looks 
at any remaining open items on the POA&M that have mitigation plans and 
at the risks being accepted in the AOR and uses them to prepare a 
Security Assessment Report (SAR) that is provided along with all the 
other C&A documentation to the Accreditation Official for consideration 
during the accreditation decision. Based upon the Accreditation 
Official's assessment, the system is either given full Authority to 
Operate (ATO) or given an Interim Authority to Operate (IATO). This 
process, as documented above, is in place now, but was not fully in 
place at the time of the GAO's audit; therefore, this change represents 
an improvement that we expect the GAO will be able to observe and 
verify upon subsequent re-test. We believe that the actions we have 
already taken are fully responsive to this recommendation. 

Recommendation 10: Update the NFE security plan to clearly identify all 
common security controls. 

FDIC Response: Concur: 

The FDIC concurs that, at the time of the audit, the NFE security plan 
was out of date. FDIC believes that this is partially a timing issue in 
the documentation due to the effort already underway in FDIC to 
identify and incorporate common security controls into the recently 
implemented revised security plan templates. The FDIC has developed a 
new Security Plan Template, and is updating the NFE Security Plan to 
conform to this template which we believe will bring the plan in line 
with NIST 800-18 requirements and NIST 800-53 controls. By May 31, 
2007, FDIC will update the NFE Security Plan to include information 
about FDIC's common controls as well as a reference to the document 
that contains the correct server and mainframe hardware information. 

Recommendation 11: Develop procedures to review events occurring in the 
NFE to determine whether the events are computer security incidents. 

FDIC Response: Partially Concur: 

As GAO is aware, FDIC is in the process of enhancing report monitoring 
and evaluating additional options for audit logging for NFE. We believe 
the match exception override example cited should be incorporated into 
report monitoring and/or audit logging findings rather than raised as 
if it is a separate and distinct finding. That said, we concur with the 
GAO that at the time of its review we did not have formal procedures to 
review match exception overrides performed by the Disbursements Unit 
staff. This supervisory review issue was addressed during the first 
quarter of 2007 when we established a more formal process for 
monitoring and reviewing these events. A match override report was 
created and is now being reviewed and approved weekly by the supervisor 
of the Disbursement Operations Unit. To address GAO's broader 
recommendation of reviewing system events, the FDIC will document 
procedures for elevating potential security violations to CSIRT and for 
monitoring unusual/unexpected events as identified by our current audit 
logging, audit triggers/alerts, and program monitoring efforts. 
Procedures will be developed by August 31, 2007. 

Recommendation 12: Update the contingency plan to reflect the new 
disaster recovery site and servers that are in use. 

Response: Concur: 

The NFE contingency plan was updated March 29, 2007, to reflect the new 
disaster recovery site and to include an updated list of servers that 
are in use to ensure continuity of operations in the event of a 
disaster. The corrective actions taken in response to this 
recommendation have been completed. 

Attachment 2: 

FDIC Responses to Unresolved Prior Year Weaknesses April 25, 2007: 

As noted in GAO's draft report, the FDIC has corrected or mitigated 21 
of the 26 weaknesses that GAO previously identified as unresolved at 
the completion of its 2005 audit. Also noted in this report is that 
actions are in progress for the remaining five. The status of each of 
these five is discussed below. The numbers correspond to the numbers 
used by GAO in its report. 

Application Change Control: 

Weakness 6: Procedures have not been consistently followed for 
authorizing, documenting, and reviewing all application software 
changes. 

Status: FDIC has included our response to this weakness in Attachment 
1, FDIC Responses to GAO Recommendations, as part of our response to 
GAO recommendations #4, #7, and #8. 

Access Rights and Permissions: 

Weakness 13: FDIC did not effectively limit network access to 
sensitive, personally identifiable and business proprietary 
information. 

Status: The FDIC launched a formal project to address this issue and 
will monitor progress under a 2007 Corporate Goal. An executive sponsor 
for the project has been selected, and a project work plan has been 
developed. The Work Plan establishes the FDIC commitment to identify 
FDIC network shared storage sites that contain sensitive, personally 
identifiable and business proprietary information. This will be a multi-
year project, and the completion date is to be determined in 
conjunction with completion of the initial tasks. 

Auditing and Monitoring of Security-Related Events: 

Weakness 21: FDIC did not effectively generate NFE audit reports or 
review them. 

Status: In our follow-up action response memo to GAO of November 15, 
2006, we agreed that addressing this recommendation may provide an 
opportunity to further strengthen the FDIC's control environment, and 
we identified many logging/trigger/analytics to be pursued. However, we 
do not concur that all controls must be built into the system itself 
and would point out that management's assessment of controls 
appropriately takes into account the entire control environment, both 
automated and manual. We are evaluating and developing event triggers/ 
monitoring reports where current capabilities of financial activity 
traceability in the system exist. In addition, if key components of 
traceability are not available in the system transaction logs, then 
FDIC will evaluate, in conjunction with the NFE upgrade, the costs and 
benefits of expanding system logging capabilities versus utilizing 
other analytical tools and techniques to minimize the risk of 
unauthorized financial transaction processing. The target completion 
date for developing key items identified in the November 2006 response 
that can be addressed within current system capabilities is December 
31, 2007. 

Physical Security: 

Weakness 24: FDIC did not adequately control physical access to the 
Virginia Square computer processing facility. 

Status: FDIC has completed steps to more tightly control physical 
access to the Virginia Square computer facility (Data Center) including 
the following: 

* developed Data Center access reports to provide an automated 
reporting tool to monitor access to the Data Center; 

* updated the Data Access Control procedure to include "executive 
privilege" clause; and: 

* implemented new door groupings. 

FDIC is currently in the process of: 

* reauthorizing Data Center Access Forms; and: 

* entering the updated information into the FDIC physical access 
control system. 
Final actions are planned for completion by June 30, 2007. 

Segregation of Duties: 

Weakness 25: FDIC did not properly segregate incompatible system- 
related functions, duties, and capacities for an individual associated 
with the NFE. 

Status: FDIC completed actions to address incompatible duties 
associated with the individual identified by GAO. In addition, to 
ensure that incompatible roles do not exist under other circumstances, 
the Division of Finance initiated a project to restructure NFE 
security. The goal of this project is to conduct a comprehensive 
analysis of current NFE security and business requirements in order to 
develop a recommendation for a role-based security design that will 
reconfigure the current NFE security to ensure that appropriate access 
is granted to all users of NFE. It will encompass best practices, 
including separation of duties. Additionally, the NFE Security 
Restructuring project will provide the FDIC with a system security 
solution that is easily maintained and more easily understood by 
business owners, managers, and DOF security personnel. The project is 
risk-based with higher priority assigned to reviewing riskier areas at 
the beginning of the project. If any significant weaknesses are 
identified during the project, they will be addressed timely. 
Significant weaknesses will be documented and resolved in one of 
several ways: as part of the project, through a system change request, 
or through security maintenance. Compensating controls, as appropriate 
to mitigate risk, will be put in place until resolution. The project 
will culminate with a change to role-based security and is scheduled to 
be completed by July 31, 2008. 

[End of section] 

Appendix III: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

Gregory C. Wilshusen, (202) 512-6244, wilshuseng@gao.gov: 

Staff Acknowledgments: 

In addition to the individual named above, William F. Wadsworth, 
Assistant Director; Verginie A. Amirkhanian; Daniel D. Castro; Patrick 
R. Dugan; Edward Glagola Jr; Mickie E. Gray; David B. Hayes; Kaelin P. 
Kuhn; Duc M. Ngo; Tammi L. Nguyen; Eugene E. Stevens IV; Henry I. 
Sutanto; and Amos Tevelow made key contributions to this report. 

FOOTNOTES 

[1] Information system internal controls affect the overall 
effectiveness and security of computer operations and are not unique to 
specific computer applications. These controls include security 
management, operating procedures, software security features, and 
physical protections designed to ensure that access to data is 
appropriately restricted, that only authorized changes to computer 
programs are made, that incompatible computer-related duties are 
segregated, and that backup and recovery plans are adequate to ensure 
the continuity of operations. 

[2] Bank Insurance Fund (BIF) and the Savings Association Insurance 
Fund (SAIF) merged to become the DIF. 

[3] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 
2006 and 2005 Financial Statements, GAO-07-371 (Washington, D.C.: Feb. 
13, 2007). 

[4] GAO, Information Security: Federal Deposit Insurance Corporation 
Needs to Improve Its Program, GAO-06-620 (Washington, D.C.: Aug. 31, 
2006) and GAO, Information Security: Federal Deposit Insurance 
Corporation Needs to Improve Its Program (Limited Official Use Only), 
GAO-06-619SU (Washington, D.C.: Aug. 31, 2006). 

[5] GAO-07-371. 

[6] A significant deficiency is a control deficiency, or combination of 
deficiencies, that adversely affects the entity's ability to initiate, 
authorize, record, process, or report financial data reliably in 
accordance with generally accepted accounting principles such that 
there is more than a remote likelihood that a misstatement of the 
entity's financial statements that is more than inconsequential will 
not be prevented or detected. As a result of Statement on Auditing 
Standards (SAS) 112, the term reportable condition is no longer used. 

[7] GAO, High-Risk Series: Information Management and Technology, GAO/ 
HR-97-9 (Washington, D.C.: February 1997). 

[8] GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: 
January 2007). 

[9] FISMA was enacted as title III, E-Government Act of 2002, Pub. L. 
No. 107-347 (Dec.17, 2002). 

[10] Federal Deposit Insurance Corporation Act, June 16, 1933, Ch. 89, 
ß 8. 

[11] Pub. L. No. 101-73, (Aug. 9,1989). 

[12] Pub. L. No. 109-171, ß2102 (Feb. 8, 2006). 

[13] GAO-06-620 and GAO-06-619SU. 

[14] GAO, Federal Information System Controls Audit Manual, Volume I- 
Financial Statements Audits, GAO/AIMD-12.19.6 (Washington, D.C.: 
January 1999). 

[15] GAO-06-620 and GAO-06-619SU. 

[16] FDIC policy defines a computer security incident as an event that 
threatens the security of the corporate information systems, including 
FDIC's computers, mainframe, networks, software and associated 
equipment, and information stored or transmitted using that equipment. 

[17] In April of 2006, FDIC consolidated its disaster recovery 
capability into one disaster recovery site. 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts 
newly released reports, testimony, and correspondence on its Web site. 
To have GAO e-mail you a list of newly posted products every afternoon, 
go to www.gao.gov and select "Subscribe to Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 441 G Street NW, Room LM 
Washington, D.C. 20548: 

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202) 
512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm: 

E-mail: fraudnet@gao.gov: 

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400: 

U.S. Government Accountability Office, 441 G Street NW, Room 7125 
Washington, D.C. 20548: 

Public Affairs: 

Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800: 

U.S. Government Accountability Office, 441 G Street NW, Room 7149 
Washington, D.C. 20548: