Information Security:

Information System Controls at the Federal Deposit Insurance Corporation

GAO-04-630: Published: May 28, 2004. Publicly Released: May 28, 2004.

Contact:

Gregory C. Wilshusen
(202) 512-3317
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Effective controls over information systems are essential to ensuring the protection of financial and personnel information and the security and reliability of bank examination data maintained by the Federal Deposit Insurance Corporation (FDIC). As part of our calendar year 2003 financial statement audits of three FDIC funds, GAO assessed the effectiveness of the corporation's general controls over its information systems. Our assessment included a follow-up on the progress that FDIC has made in correcting or mitigating the computer security weaknesses identified in our audits for calendar years 2001 and 2002.

FDIC has made significant progress in correcting prior year information security weaknesses. The corporation addressed almost all the computer security weaknesses we previously identified in our audits for calendar years 2001 and 2002. Nonetheless, testing in our calendar year 2003 audit identified additional computer control weaknesses in FDIC's information systems. These weaknesses place critical FDIC financial and sensitive examination information at risk of unauthorized disclosure, disruption of operations, or loss of assets. A key reason for FDIC's continuing weaknesses in information system controls is that it has not yet fully established a comprehensive security management program to ensure that effective controls are established and maintained and that information security receives significant management attention. The corporation only recently established a program to test and evaluate its computer control environment, and this program does not yet include adequate provisions to ensure that (1) all key computer resources supporting FDIC's financial environment are routinely reviewed and tested, (2) weaknesses detected are analyzed for systemic solutions, (3) corrective actions are independently tested, and (4) newly identified weaknesses or emerging security threats are incorporated into the test and evaluation process.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: FDIC has established a process to ensure that all information system control weaknesses identified by the Inspector General and GAO, or identified internally in connection with operational issues, are included in its test and evaluation process. Further, FDIC has established procedures to ensure that emerging security threats are considered for inclusion in its ongoing testing program.

    Recommendation: To fully establish a comprehensive computer security management program, the FDIC chairman should instruct the CIO, as the corporation's key official for computer security, to strengthen the testing and evaluation element of this program by incorporating into the test and evaluation process newly identified weaknesses or emerging security threats.

    Agency Affected: Federal Deposit Insurance Corporation

  2. Status: Closed - Implemented

    Comments: FDIC developed an ongoing process to collectively analyze related information system control weaknesses for systemic problems that could adversely affect critical financial and bank information.

    Recommendation: To fully establish a comprehensive computer security management program, the FDIC chairman should instruct the CIO, as the corporation's key official for computer security, to strengthen the testing and evaluation element of this program by analyzing detected weaknesses for systemic solutions.

    Agency Affected: Federal Deposit Insurance Corporation

  3. Status: Closed - Implemented

    Comments: FDIC has since developed a comprehensive system testing and evaluation process in 2005 with the New Financial Environment (NFE) System Test and Evaluation (ST&E), which follows and incorporates all National Institute of Standards and Technology (NIST) requirements. The ST&E includes test cases that show whether each control passed or failed. Corrective actions for failed controls are documented in Plans of Action and Milestones (POA&Ms) and reviewed monthly. The corporation also completes its Federal Information Security Management Act (FISMA) submission, or self-assessment, annually.

    Recommendation: To fully establish a comprehensive computer security management program, the FDIC chairman should instruct the CIO, as the corporation's key official for computer security, to strengthen the testing and evaluation element of this program by routinely reviewing and testing all key computer resources supporting FDIC's financial environment.

    Agency Affected: Federal Deposit Insurance Corporation

  4. Status: Closed - Implemented

    Comments: FDIC expanded its system for documenting and tracking corrective actions to include a process for independently testing or reviewing the appropriateness of the corrective action taken for each information system control weakness corrected.

    Recommendation: To fully establish a comprehensive computer security management program, the FDIC chairman should instruct the CIO, as the corporation's key official for computer security, to strengthen the testing and evaluation element of this program by independently testing corrective actions.

    Agency Affected: Federal Deposit Insurance Corporation
