Information Security: Information System Controls at the Federal Deposit Insurance Corporation

GAO-04-630 Published: May 28, 2004. Publicly Released: May 28, 2004.
Highlights

Effective controls over information systems are essential to protecting the financial and personnel information, and the security and reliability of the bank examination data, maintained by the Federal Deposit Insurance Corporation (FDIC). As part of our calendar year 2003 financial statement audits of three FDIC Funds, GAO assessed the effectiveness of the corporation's general controls over its information systems. Our assessment included follow-up on the progress that FDIC has made in correcting or mitigating the computer security weaknesses identified in our audits for calendar years 2001 and 2002.

Recommendations

Recommendations for Executive Action

Recommendation 1
Agency Affected: Federal Deposit Insurance Corporation
Recommendation: To fully establish a comprehensive computer security management program, the FDIC chairman should instruct the CIO, as the corporation's key official for computer security, to strengthen the testing and evaluation element of this program by routinely reviewing and testing all key computer resources supporting FDIC's financial environment.
Status: Closed – Implemented
Comments: In 2005, FDIC developed a comprehensive system testing and evaluation process with the New Financial Environment (NFE) System Test and Evaluation (ST&E), which follows and incorporates all National Institute of Standards and Technology (NIST) requirements. The ST&E includes test cases that show whether each control passed or failed. Corrective actions for failed controls are documented in Plans of Action and Milestones (POA&Ms) and reviewed monthly. The corporation also completes the Federal Information Security Management Act (FISMA) submission, or self-assessment, annually.

Recommendation 2
Agency Affected: Federal Deposit Insurance Corporation
Recommendation: To fully establish a comprehensive computer security management program, the FDIC chairman should instruct the CIO, as the corporation's key official for computer security, to strengthen the testing and evaluation element of this program by analyzing detected weaknesses for systemic solutions.
Status: Closed – Implemented
Comments: FDIC developed an ongoing process to collectively analyze related information system control weaknesses for systemic problems that could adversely affect critical financial and bank information.

Recommendation 3
Agency Affected: Federal Deposit Insurance Corporation
Recommendation: To fully establish a comprehensive computer security management program, the FDIC chairman should instruct the CIO, as the corporation's key official for computer security, to strengthen the testing and evaluation element of this program by incorporating newly identified weaknesses and emerging security threats into the test and evaluation process.
Status: Closed – Implemented
Comments: FDIC has established a process to ensure that all information system control weaknesses identified by the Inspector General and GAO, or identified internally in connection with operational issues, are included in its test and evaluation process. Further, FDIC has established procedures to ensure that emerging security threats are considered for inclusion in its ongoing testing program.

Recommendation 4
Agency Affected: Federal Deposit Insurance Corporation
Recommendation: To fully establish a comprehensive computer security management program, the FDIC chairman should instruct the CIO, as the corporation's key official for computer security, to strengthen the testing and evaluation element of this program by independently testing corrective actions.
Status: Closed – Implemented
Comments: FDIC expanded its system for documenting and tracking corrective actions to include a process for independently testing or reviewing the appropriateness of the corrective action taken for each information system control weakness corrected.

Topics

Computer resources, Computer security, Financial statement audits, Information security, Information systems, Information technology, Internal controls, Security threats, Federal deposit insurance, Deposit insurance