Information Security:

FDIC Implemented Controls over Financial Systems, but Further Improvements are Needed

GAO-16-605: Published: Jun 29, 2016. Publicly Released: Jun 29, 2016.

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

 

Nabajyoti Barkakati, Ph.D.
(202) 512-4499
barkakatin@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Federal Deposit Insurance Corporation (FDIC) has implemented numerous information security controls intended to protect its key financial systems; however, weaknesses remain that place the confidentiality, integrity, and availability of financial systems and information at risk. During calendar year 2015, the corporation continued to devote attention to securing its financial information and systems that support its mission. Key among its actions were improving controls for identifying and authenticating the identity of users and improving controls for authorizing users' access. However, FDIC continues to have unremediated weaknesses. For example, the corporation (1) did not have an effective process for recertifying user access rights to several systems supporting the corporation's financial processing and (2) had not yet applied critical patches to mitigate known vulnerabilities in third party software on systems supporting financial processing.

Although the corporation had a comprehensive framework for its information security program, some aspects were not fully implemented. For example, the corporation did not (1) fully document and implement procedures for performing system access requests, assignments, and removal and (2) have a policy for monitoring critical file changes. In addition, FDIC had yet to fully address 9 previously-reported weaknesses that were unresolved as of December 31, 2014, as indicated in the following table.

Status of GAO Information Security Recommendations to FDIC as of December 2015

Information security control area

Prior GAO recommendations open at the start of calendar year 2015 audit

Recommendations closed during calendar year 2015 audit

Outstanding prior recommendations at the end of calendar year 2015 audit

Information security program

2

(2)

0

Access controls

10

(5)

5

Other controls

4

(0)

4

Total

16

(7)

9

Source: GAO analysis of FDIC data. | GAO-16-605

While newly-identified weaknesses, along with those previously identified that remain uncorrected, are not individually or collectively a material weakness or a significant deficiency for financial reporting purposes, the corporation will have limited assurance that its sensitive financial information and resources will be secure until these weaknesses have been mitigated.

Why GAO Did This Study

FDIC has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. Because of FDIC's reliance on information systems, effective information security controls are essential to ensure that the corporation's systems and information are adequately protected from inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction.

As part of its audit of the 2015 financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation Resolution Fund administered by FDIC, GAO assessed the effectiveness of the corporation's controls in protecting the confidentiality, integrity, and availability of its financial systems and information. To do so, GAO examined security policies, procedures, reports, and other documents; tested controls over key financial applications; and interviewed FDIC personnel.

What GAO Recommends

In addition to the 9 prior recommendations that have not been fully addressed, GAO is making 2 recommendations to improve FDIC's implementation of its information security program. In a separate report with limited distribution, GAO is making 10 new recommendations to FDIC to address newly-identified weaknesses in access controls. FDIC concurred with GAO's recommendations.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or Dr. Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In 2016, we verified that FDIC, in response to our recommendation, had updated and implemented access control procedures to require that authorizations for the removal or modification of access rights are documented and that approved changes are acted on in a timely manner.

    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to update and implement access control procedures to require that authorizations for the removal or modification of access rights are documented and that approved changes are acted on in a timely manner.

    Agency Affected: Federal Deposit Insurance Corporation

  2. Status: Open

    Comments: According to officials in FDIC's Division of Information Technology, the corporation plans to implement a new solution in 2017 to enable security personnel to identify users making file system changes. Subsequent to FDIC implementing a new solution, we plan to validate FDIC's actions.

    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer develop and implement a policy that requires monitoring changes to critical files for the platforms identified during the audit.

    Agency Affected: Federal Deposit Insurance Corporation

 

Explore the full database of GAO's Open Recommendations »

Sep 28, 2017

Aug 3, 2017

Jul 27, 2017

Jul 26, 2017

May 31, 2017

May 23, 2017

Apr 4, 2017

Mar 30, 2017

Mar 28, 2017

Feb 14, 2017

Looking for more? Browse all our products here