Information Security:
Further Actions Needed to Address Risks to Bank Secrecy Act Data
GAO-09-195, Jan 30, 2009
The Financial Crimes Enforcement Network (FinCEN), a bureau within the Department of the Treasury, relies extensively on its own computer systems, as well as those at the Internal Revenue Service (IRS) and the Treasury Communications System (TCS), to administer the Bank Secrecy Act (BSA) and fulfill its mission of safeguarding the U.S. financial system from financial crimes. Effective information security controls over these systems are essential to ensuring that BSA data, which contains sensitive financial information used by law enforcement agencies to prosecute financial crime, is protected from inadvertent or deliberate misuse, improper disclosure, or destruction. GAO evaluated whether security controls that effectively protect the confidentiality, integrity, and availability of the information and systems that support FinCEN's mission have been implemented. To do this, GAO examined security policies and controls for systems at the three organizations.
FinCEN, TCS, and IRS have taken important steps in implementing numerous controls to protect the information and systems that support FinCEN's mission; however, significant information security weaknesses remain in protecting the confidentiality, integrity, and availability of these systems and information. The three organizations implemented many such controls; for example, IRS controlled changes to a key application and FinCEN segregated areas of its network. Nonetheless, the organizations had inconsistently applied or not fully implemented controls to prevent, limit, or detect unauthorized access to this information and these systems. For example, the organizations did not always (1) implement user and password management controls for properly identifying and authenticating users, (2) restrict user access to data to only what was required for performing job functions, (3) adequately encrypt data, (4) protect the external and internal boundaries of their systems, and (5) log user activity on databases. In addition, systems were insecurely configured and patches had not been applied to critical systems. As a result, sensitive information used by the federal government, financial institutions, and law enforcement agencies to combat money laundering and terrorist financing is at an increased risk of unauthorized use, modification, or disclosure.

A key reason for many of the weaknesses was that FinCEN and IRS had not fully implemented key information security program activities. For example, FinCEN did not always include detailed implementation guidance in its policies and procedures or adequately test and evaluate information security controls.
Furthermore, GAO has previously reported that IRS did not sufficiently verify whether remedial actions were implemented or effective in mitigating vulnerabilities and recommended that it implement a revised remedial action verification process.
Status Legend:
- Review Pending
- Open
- Closed - implemented
- Closed - not implemented
Recommendations for Executive Action
Recommendation: To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by implementing vulnerability scanning of custom source code or manual source code reviews.
Agency Affected: Department of the Treasury
Status: Open
Comments: Action pending.
Recommendation: To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by conducting vulnerability scans on databases, applications, and network infrastructure on a quarterly schedule.
Agency Affected: Department of the Treasury
Status: Open
Comments: According to FinCEN, it has updated its operating procedure to reflect quarterly scanning requirements, and has proactively implemented monthly vulnerability scans. GAO has not yet validated this corrective action.
Recommendation: To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by ensuring that system security plans document all required controls and describe how all required controls are implemented.
Agency Affected: Department of the Treasury
Status: Open
Comments: According to FinCEN, it has updated the system security plans to include all required controls, including a description of how all controls are implemented. GAO has not yet validated this corrective action.
Recommendation: To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by updating information security policies and procedures to address key missing information such as patch prioritization and inspection of outbound network traffic, as well as to include detailed implementation guidance for issues such as securely configuring the virtual private network.
Agency Affected: Department of the Treasury
Status: Open
Comments: FinCEN is in the process of conducting an annual review of its information system security policies as part of its continuous monitoring efforts. During this review, the policies will be updated to add any key missing information and to reflect any changes to federal and/or Treasury requirements.
Recommendation: To better ensure the security of the overall BSA environment, the Secretary of the Treasury should direct the Director of FinCEN to fully implement its information security program by updating remedial action procedures to require that supporting documentation be provided to verify that corrective actions are fully implemented and effective.
Agency Affected: Department of the Treasury
Status: Open
Comments: According to FinCEN, it has documented its remedial action process in a standard operating procedure, and requests supporting documentation from system owners to verify corrective actions. GAO has not yet validated this corrective action.