FDIC Information Security:

Improvements Made but Weaknesses Remain

GAO-02-689: Published: Jul 15, 2002. Publicly Released: Jul 15, 2002.

Contact:

Gregory C. Wilshusen
(202) 512-3317
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

GAO reviewed information systems general controls in the calendar year 2001 financial statement audits of the Federal Deposit Insurance Corporation's (FDIC) Bank Insurance Fund, Savings Association Insurance Fund, and Federal Savings and Loan Insurance Corporation Resolution Fund. FDIC made progress in correcting information security weaknesses previously identified and has taken steps to improve security. Nevertheless, GAO identified new weaknesses in its information systems controls that affect the corporation's ability to safeguard electronic access to critical financial and other sensitive information. FDIC did not adequately limit access to data and programs by controlling mainframe access authority, providing sufficient network security, or establishing a comprehensive program to monitor access activities. Further, other information systems control weaknesses were identified that could hinder FDIC's ability to provide physical security for its computer facility, appropriate segregation of computer functions, effective control of system software changes, or continuity of operations.

Status Legend:

  • Review Pending - GAO has not yet assessed implementation status.
  • Open - Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented - Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented - While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: To establish an effective information systems control environment, FDIC should instruct the acting Chief Information Officer (CIO), as FDIC's key official responsible for computer security, to correct the information systems control weaknesses related to access authority, network security, access monitoring, physical access, segregation of duties, system software, service continuity, and security management. These specific weaknesses are described in a separate report designated for "Limited Official Use Only," also issued today.

    Agency Affected: Federal Deposit Insurance Corporation

    Status: Closed - Implemented

    Comments: Based on its calendar year 2003 financial audit at FDIC, GAO concluded that FDIC had completed corrective actions on the 22 information security weaknesses that remained open at the end of GAO's 2001 calendar year audit. Specifically, FDIC corrected information security weaknesses related to access authority, network security, access monitoring, physical access, segregation of duties, system software, service continuity, and security management.

    Recommendation: To establish an effective information systems control environment, FDIC should instruct the acting CIO, as FDIC's key official responsible for computer security, to fully develop and implement a computer security management program. Specifically, this would include (1) establishing clearly defined roles and responsibilities for FDIC's information security managers and guidance for coordinating and collaborating with central security, (2) developing a program for performing periodic risk assessments to determine computer security needs, (3) developing and implementing technical security standards for all computer platforms, and (4) establishing an ongoing program of tests and evaluations to ensure that policies and controls are appropriate and effective.

    Agency Affected: Federal Deposit Insurance Corporation

    Status: Closed - Implemented

    Comments: FDIC established a computer security management program. Specifically, FDIC established a central security management group to provide security guidance and oversight of the corporation's computer security environment. This included establishing defined roles and responsibilities for each of its information security managers and developing guidance for coordinating the work of these managers with the efforts of the central security group. Further, FDIC established a framework for performing risk assessments and has initiated a process of conducting risk assessments on a scheduled basis. In addition, FDIC has developed and implemented technical security standards for each of its network platforms, its mainframe, and its security software. Finally, FDIC established an ongoing program to test and evaluate its information system controls and to ensure compliance with established policies and procedures.

    Recommendation: FDIC should instruct the acting CIO to report periodically on progress in implementing FDIC's corrective action plans.

    Agency Affected: Federal Deposit Insurance Corporation

    Status: Closed - Implemented

    Comments: FDIC established a process for the CIO to provide monthly status briefings on progress made to correct the security weaknesses and implement GAO recommendations. These briefings include representatives from FDIC's senior management, board of directors, and audit committee.
