Information Security:

FDIC Implemented Many Controls over Financial Systems, but Opportunities for Improvement Remain

GAO-15-426: Published: Apr 9, 2015. Publicly Released: Apr 9, 2015.

Contact:

Gregory C. Wilshusen, (202) 512-6244, wilshuseng@gao.gov
Nabajyoti Barkakati, Ph.D., (202) 512-4499, barkakatin@gao.gov
Office of Public Affairs, (202) 512-4800, youngc1@gao.gov

What GAO Found

The Federal Deposit Insurance Corporation (FDIC) has implemented numerous information security controls intended to protect its key financial systems; nevertheless, weaknesses remain that place the confidentiality, integrity, and availability of financial systems and information at risk. During 2014, the corporation implemented 27 of the 36 GAO recommendations pertaining to previously reported security weaknesses that were unaddressed as of December 31, 2013; actions to implement the remaining 9 recommendations were in progress. The table below details the status of these recommendations.

Status of Previously Reported Information Security Recommendations

Year reported | Not implemented at the beginning of 2014 | Implemented during 2014 | Actions in progress
2010          | 1 (a)                                    | 1                       | 0
2012          | 1 (b)                                    | 1                       | 0
2013          | 9 (c)                                    | 6                       | 3
2014          | 25                                       | 19                      | 6
Total         | 36                                       | 27                      | 9

Source: GAO analysis of FDIC data. | GAO-15-426

(a) FDIC had previously implemented 32 of the 33 recommendations GAO originally reported in 2010.

(b) FDIC had previously implemented 41 of the 42 recommendations GAO originally reported in 2012.

(c) FDIC had previously implemented 21 of the 30 recommendations GAO originally reported in 2013.

Although FDIC developed and implemented elements of its information security program, shortcomings remain in key program activities. For example:

FDIC had taken steps to improve its security policies and procedures, but important activities were not always required by its policies. For example, although FDIC had a policy on controlling physical access to its primary data center, the policy did not apply to all FDIC data centers.

FDIC did not consistently remediate agency-identified weaknesses in a timely manner. However, to its credit, the corporation created a strategy outlining planned actions to address weaknesses in its remedial action processes.

Additionally, FDIC has designed and documented numerous information security controls intended to protect its key financial systems; nevertheless, controls were not always consistently implemented. For example, the corporation had not always (1) ensured that passwords for a financial application complied with FDIC policy for password length or (2) centrally collected audit logs on certain servers.
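The two control gaps named above (a password minimum that drifts below policy, and servers whose audit logs never reach the central collector) are the kind of thing a practitioner checks continuously rather than once a year. The following is an added illustration, not code from the GAO report or from FDIC: a small configuration audit run over constructed sample configs for Linux-style hosts. It assumes a policy minimum password length (POLICY_MIN_PASSWORD_LEN), that hosts express their local minimum with a login.defs-style PASS_MIN_LEN line, and that central collection is done with an rsyslog-style forwarding rule; none of those specifics come from the report, and the three hostnames are hypothetical.

```python
"""Added illustration, not code from the GAO report or from FDIC: a small
configuration audit that flags the two kinds of control drift named in the
finding above, run over constructed sample configs for Linux-style hosts.

Assumptions (not stated in the report): the policy minimum password length
is POLICY_MIN_PASSWORD_LEN; hosts express the local minimum with a
login.defs-style PASS_MIN_LEN line; central log collection is done with an
rsyslog-style forwarding rule such as '*.* @@loghost.example.org:514'.
"""
import re
from dataclasses import dataclass

# Assumed policy value for this example; FDIC's actual required length is
# not given in the report.
POLICY_MIN_PASSWORD_LEN = 12


@dataclass(frozen=True)
class Finding:
    host: str
    control: str   # which control drifted
    detail: str    # what was observed


# login.defs: 'PASS_MIN_LEN <n>' on its own line
PASS_MIN_LEN_RE = re.compile(r"^\s*PASS_MIN_LEN\s+(\d+)", re.MULTILINE)
# rsyslog: '*.* @host' (UDP) or '*.* @@host' (TCP), optionally with ':port'
FORWARD_RE = re.compile(r"^\s*\*\.\*\s+@@?[\w.\-]+(?::\d+)?", re.MULTILINE)


def check_password_length(host, login_defs):
    """Return a Finding if the host's minimum password length is absent or
    below policy, else None."""
    m = PASS_MIN_LEN_RE.search(login_defs)
    if m is None:
        return Finding(host, "password-length",
                       "PASS_MIN_LEN not set; effective minimum is the OS default")
    n = int(m.group(1))
    if n < POLICY_MIN_PASSWORD_LEN:
        return Finding(host, "password-length",
                       f"PASS_MIN_LEN={n} is below policy minimum {POLICY_MIN_PASSWORD_LEN}")
    return None


def check_log_forwarding(host, rsyslog_conf):
    """Return a Finding if no active (uncommented) rule forwards all logs to
    a central collector, else None."""
    # Drop comment lines first so a commented-out rule does not count as active.
    active = "\n".join(line for line in rsyslog_conf.splitlines()
                       if not line.lstrip().startswith("#"))
    if FORWARD_RE.search(active):
        return None
    return Finding(host, "central-logging",
                   "no active forwarding rule to a central log collector")


def audit(hosts):
    """hosts: {hostname: {"login.defs": str, "rsyslog.conf": str}} -> [Finding]"""
    findings = []
    for host, cfg in sorted(hosts.items()):
        for f in (check_password_length(host, cfg.get("login.defs", "")),
                  check_log_forwarding(host, cfg.get("rsyslog.conf", ""))):
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample inventory: three hypothetical hosts, two of which drift.
SAMPLE_HOSTS = {
    "app-db-01": {     # password minimum below policy; logging OK
        "login.defs": "PASS_MAX_DAYS 90\nPASS_MIN_LEN 8\n",
        "rsyslog.conf": "*.* @@loghost.example.org:514\n",
    },
    "app-web-02": {    # password OK; forwarding rule is commented out
        "login.defs": "PASS_MIN_LEN 14\n",
        "rsyslog.conf": "# *.* @@loghost.example.org:514\n*.info /var/log/messages\n",
    },
    "app-batch-03": {  # compliant on both controls
        "login.defs": "PASS_MIN_LEN 12\n",
        "rsyslog.conf": "*.* @loghost.example.org\n",
    },
}

if __name__ == "__main__":
    for f in audit(SAMPLE_HOSTS):
        print(f"{f.host}: {f.control}: {f.detail}")
```

Two design points worth noting: the logging check deliberately ignores commented-out forwarding rules, since a rule that was disabled during troubleshooting and never re-enabled is exactly the failure mode that leaves "certain servers" out of central collection; and a missing PASS_MIN_LEN is reported as a finding rather than assumed compliant, because the effective minimum then depends on an OS default the policy never reviewed.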

These weaknesses individually or collectively do not constitute either a material weakness or a significant deficiency for financial reporting purposes. Nonetheless, by mitigating known information security weaknesses and consistently applying information security controls, FDIC could continue to reduce risks and better protect its sensitive financial information and resources from inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction.

Why GAO Did This Study

FDIC has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. Because of the importance of FDIC's work, effective information security controls are essential to ensure that the corporation's systems and information are adequately protected from inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction.

As part of its audits of the 2014 financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation Resolution Fund administered by FDIC, GAO assessed the effectiveness of the corporation's controls in protecting the confidentiality, integrity, and availability of its financial systems and information. To do so, GAO examined security policies, procedures, reports, and other documents; tested controls over key financial applications; and interviewed FDIC personnel.

What GAO Recommends

GAO is making two recommendations to FDIC to improve its implementation of its information security program. FDIC concurred with GAO's recommendations. In a separate report with limited distribution, GAO is recommending that FDIC take five specific actions to address weaknesses in security controls.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or Dr. Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: We confirmed that FDIC has included requirements for periodic review of access to all data centers in their physical access policies.

    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to ensure that physical access policies require periodic review of access to all FDIC data centers.

    Agency Affected: Federal Deposit Insurance Corporation

  2. Status: Closed - Implemented

    Comments: We confirmed that FDIC has updated its procedures to require a documented review prior to granting access to the system supporting the marketing of failed banks' assets.

    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to update existing procedures to require that access verifications to the system supporting the marketing of failed banks' assets be documented.

    Agency Affected: Federal Deposit Insurance Corporation
