Information Security:

Further Actions Needed to Address Risks to Bank Secrecy Act Data

GAO-09-195: Published: Jan 30, 2009. Publicly Released: Jan 30, 2009.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Financial Crimes Enforcement Network (FinCEN), a bureau within the Department of the Treasury, relies extensively on its own computer systems, as well as those at the Internal Revenue Service (IRS) and the Treasury Communications System (TCS), to administer the Bank Secrecy Act (BSA) and fulfill its mission of safeguarding the U.S. financial system from financial crimes. Effective information security controls over these systems are essential to ensuring that BSA data, which contains sensitive financial information used by law enforcement agencies to prosecute financial crime, is protected from inappropriate or deliberate misuse, improper disclosure, or destruction. GAO evaluated whether security controls that effectively protect the confidentiality, integrity, and availability of the information and systems that support FinCEN's mission have been implemented. To do this, GAO examined security policies and controls for systems at three organizations.

FinCEN, TCS, and IRS have taken important steps in implementing numerous controls to protect the information and systems that support FinCEN's mission; however, significant information security weaknesses remain in protecting the confidentiality, integrity, and availability of these systems and information. The three organizations implemented many information security controls to protect the information and systems that support FinCEN's mission. For example, IRS controlled changes to a key application and FinCEN segregated areas of its network. Nonetheless, the organizations had inconsistently applied or not fully implemented controls to prevent, limit, or detect unauthorized access to this information and these systems. For example, the organizations did not always (1) implement user and password management controls for properly identifying and authenticating users, (2) restrict user access to data to only what was required for performing job functions, (3) adequately encrypt data, (4) protect the external and internal boundaries of their systems, and (5) log user activity on databases. In addition, some systems were insecurely configured, and patches had not been applied to critical systems. As a result, sensitive information used by the federal government, financial institutions, and law enforcement agencies to combat money laundering and terrorist financing is at an increased risk of unauthorized use, modification, or disclosure. A key reason for many of the weaknesses was that FinCEN and IRS had not fully implemented key information security program activities. For example, FinCEN did not always include detailed implementation guidance in its policies and procedures or adequately test and evaluate its information security controls. Furthermore, GAO has previously reported that IRS did not sufficiently verify whether remedial actions were implemented or effective in mitigating vulnerabilities and recommended that it implement a revised remedial action verification process.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In fiscal year 2013, we verified that FinCEN implemented manual source code reviews.

    Recommendation: To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by implementing vulnerability scanning of custom source code or manual source code reviews.

    Agency Affected: Department of the Treasury

  2. Status: Closed - Implemented

    Comments: In fiscal year 2013, we verified that FinCEN conducted monthly vulnerability scans on databases, applications, and the network infrastructure.

    Recommendation: To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by conducting vulnerability scans on databases, applications, and network infrastructure on a quarterly schedule.

    Agency Affected: Department of the Treasury

  3. Status: Closed - Implemented

    Comments: In fiscal year 2013, we verified that FinCEN ensured system security plans documented all required controls and described how all required controls are implemented.

    Recommendation: To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by ensuring that system security plans document all required controls and describe how all required controls are implemented.

    Agency Affected: Department of the Treasury

  4. Status: Closed - Implemented

    Comments: In fiscal year 2013, we verified that FinCEN updated information security policies and procedures to address key missing information such as patch prioritization and inspection of outbound network traffic, as well as to include detailed implementation guidance for issues such as securely configuring the virtual private network.

    Recommendation: To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by updating information security policies and procedures to address key missing information such as patch prioritization and inspection of outbound network traffic, as well as to include detailed implementation guidance for issues such as securely configuring the virtual private network.

    Agency Affected: Department of the Treasury

  5. Status: Closed - Implemented

    Comments: In fiscal year 2013, we verified that FinCEN updated remedial action procedures to require that supporting documentation be provided to verify that corrective actions are fully implemented and effective.

    Recommendation: To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by updating remedial action procedures to require that supporting documentation be provided to verify that corrective actions are fully implemented and effective.

    Agency Affected: Department of the Treasury
