Information Security: Federal Deposit Insurance Corporation Needs to Mitigate Control Weaknesses

GAO-11-29: Published: Nov 30, 2010. Publicly Released: Nov 30, 2010.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. Because of the importance of its work, the corporation must employ strong information security controls to ensure that its information systems are adequately protected from inadvertent misuse, fraud, and improper disclosure. As part of its audit of the 2009 financial statements of the Deposit Insurance Fund and the Federal Savings & Loan Insurance Corporation Resolution Fund administered by FDIC, GAO assessed (1) the effectiveness of FDIC's controls in protecting the confidentiality, integrity, and availability of its financial systems and information and (2) the progress FDIC has made in mitigating previously reported information security weaknesses. To perform the audit, GAO examined security policies, procedures, reports, and other documents; tested controls over key financial applications; and interviewed key FDIC personnel.

FDIC did not sufficiently implement access and other controls intended to protect the confidentiality, integrity, and availability of its financial systems and information. For example, it did not always (1) sufficiently restrict user access to systems, (2) ensure strong system boundaries, (3) consistently enforce strong controls for identifying and authenticating users, (4) encrypt sensitive information, or (5) audit and monitor security-relevant events. In addition, FDIC did not have policies, procedures, and controls in place to ensure the appropriate segregation of incompatible duties, adequately manage the configuration of its financial information systems, and update contingency plans. A key reason for these weaknesses is that FDIC did not always fully implement key information security program activities, such as effectively developing, documenting, and implementing security policies, and implementing an effective continuous monitoring program. Until these weaknesses and program deficiencies are corrected, the corporation will not have sufficient assurance that its financial information and assets are adequately safeguarded from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction. Despite the newly identified weaknesses, FDIC has mitigated each of the information security weaknesses previously reported by GAO. To its credit, the corporation has made improvements to its configuration management controls and aspects of its security management. For example, it maintained a full and complete requirements baseline for two systems and included key information in a remedial action plan. Nevertheless, GAO concluded that weaknesses in information security controls constituted a significant deficiency in internal controls over the information systems and data used for financial reporting.
Until FDIC corrects the security weaknesses identified during this year's audit, it will face an elevated risk of the misuse of federal assets, unauthorized modification or destruction of financial information, inappropriate disclosure of other sensitive information, and disruption of critical operations. GAO is recommending that FDIC improve key information activities to enhance the corporation's information security program. FDIC generally agreed with GAO's recommendations and stated that it plans to address the identified weaknesses.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

Recommendations for Executive Action

Recommendation: To enhance the corporation's information security program, the Chairman of the FDIC should direct the Chief Information Officer (CIO) to develop and document policies and procedures for assigning access to systems and databases where application controls could be compromised.

Agency Affected: Federal Deposit Insurance Corporation

Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To enhance the corporation's information security program, the Chairman of the FDIC should direct the Chief Information Officer (CIO) to complete the implementation of an effective continuous monitoring program to detect vulnerabilities.

Agency Affected: Federal Deposit Insurance Corporation

Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
