Skip to main content

Information Security: Further Actions Needed to Address Risks to Bank Secrecy Act Data

GAO-09-195 Published: Jan 30, 2009. Publicly Released: Jan 30, 2009.
Jump To:
Skip to Highlights

Highlights

The Financial Crimes Enforcement Network (FinCEN), a bureau within the Department of the Treasury, relies extensively on its own computer systems, as well as those at the Internal Revenue Service (IRS) and the Treasury Communications System (TCS), to administer the Bank Secrecy Act (BSA) and fulfill its mission of safeguarding the U.S. financial system from financial crimes. Effective information security controls over these systems are essential to ensuring that BSA data, which contains sensitive financial information used by law enforcement agencies to prosecute financial crime, is protected from inappropriate or deliberate misuse, improper disclosure, or destruction. GAO evaluated whether security controls that effectively protect the confidentiality, integrity, and availability of the information and systems that support FinCEN's mission have been implemented. To do this, GAO examined security policies and controls for systems at three organizations.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of the Treasury To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by updating information security policies and procedures to address key missing information such as patch prioritization and inspection of outbound network traffic, as well as to include detailed implementation guidance for issues such as securely configuring the virtual private network.
Closed – Implemented
In fiscal year 2013, we verified that FinCEN updated information security policies and procedures to address key missing information such as patch prioritization and inspection of outbound network traffic, as well as to include detailed implementation guidance for issues such as securely configuring the virtual private network.
Department of the Treasury To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by ensuring that system security plans document all required controls and describe how all required controls are implemented.
Closed – Implemented
In fiscal year 2013, we verified that FinCEN ensured system security plans documented all required controls and described how all required controls are implemented.
Department of the Treasury To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by conducting vulnerability scans on databases, applications, and network infrastructure on a quarterly schedule.
Closed – Implemented
In fiscal year 2013, we verified that FinCEN conducted monthly vulnerability scans on databases, applications, and the network infrastructure.
Department of the Treasury To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by implementing vulnerability scanning of custom source code or manual source code reviews.
Closed – Implemented
In fiscal year 2013, we verified that FinCEN implemented manual source code reviews.
Department of the Treasury To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by updating remedial action procedures to require that supporting documentation be provided to verify that corrective actions are fully implemented and effective.
Closed – Implemented
In fiscal year 2013, we verified that FinCEN updated remedial action procedures to require that supporting documentation be provided to verify that corrective actions are fully implemented and effective.

Full Report

GAO Contacts

Office of Public Affairs

Topics

Access controlAgency missionsClassified informationComputer networksComputer securityConfidential communicationsConfidential informationControlled accessData encryptionData integrityFinancial institutionsFinancial recordsFinancial statementsInformation accessInformation classificationInformation disclosureInformation securityInformation security managementInformation security regulationsInformation systemsInternal controlsLaw enforcementMission critical informationUnauthorized access