GAO-05-486, Information Security: Federal Deposit Insurance Corporation Needs to Sustain Progress


This is the accessible text file for GAO report number GAO-05-486 
entitled 'Information Security: Federal Deposit Insurance Corporation 
Needs to Sustain Progress' which was released on May 19, 2005.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Board of Directors, Federal Deposit Insurance 
Corportation: 

May 2005: 

Information Security: 

Federal Deposit Insurance Corporation Needs to Sustain Progress: 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-486]: 

GAO Highlights: 

Highlights of GAO-05-486, a report to the Board of Directors, Federal 
Deposit Insurance Corporation: 

Why GAO Did This Study: 

The Federal Deposit Insurance Corporation (FDIC) relies extensively on 
computerized systems to support its financial and mission-related 
operations. As part of GAO’s audit of the calendar year 2004 financial 
statements for the three funds administered by FDIC, GAO assessed (1) 
the progress FDIC has made in correcting or mitigating information 
system control weaknesses identified in our audits for calendar years 
2002 and 2003 and (2) the effectiveness of the corporation’s 
information system general controls.

What GAO Found: 

FDIC has made significant progress in correcting previously reported 
information system control weaknesses and has taken other steps to 
improve information security. Of the 22 weaknesses reported in GAO’s 
2003 audit, FDIC corrected 19 and is taking action to resolve the 3 
that remain. In addition, it corrected the one weakness still open from 
GAO’s 2002 audits (see figure).

Although FDIC has made substantial improvements in its information 
system controls, GAO identified additional weaknesses that diminish 
FDIC’s ability to effectively protect the integrity, confidentiality, 
and availability of its financial and sensitive information systems. 
These included weaknesses in electronic access controls, network 
security, segregation of computer functions, physical security, and 
application change control. Although these do not pose significant 
risks to FDIC’s financial and sensitive systems, they warrant 
management’s action to decrease the risk of unauthorized modification 
of data and programs, inappropriate disclosure of sensitive 
information, or disruption of critical operations.

A key reason for FDIC’s weaknesses in information system controls is 
that it had not fully implemented a complete test and evaluation 
process, which is a key element of a comprehensive agency information 
security program with effective controls. Although FDIC has made 
substantial progress in implementing its information security program 
and has enhanced its process to test and evaluate its information 
system controls, it did not ensure that all key control areas 
supporting FDIC’s financial environment are routinely reviewed and 
tested. These control areas included electronic access, network 
security, and audit logging. 

FDIC Progress in Implementing GAO Recommendations: 

[See PDF for image]

[End of figure]


What GAO Recommends: 

To improve information system controls, GAO recommends that the FDIC 
Chairman direct the Chief Information Officer to implement an ongoing, 
comprehensive process of tests and evaluations to ensure that all key 
control areas supporting FDIC’s financial environment are routinely 
reviewed and tested. In commenting on a draft of this report, FDIC 
agreed with our recommendations. FDIC plans to address the identified 
weaknesses and indicated that significant progress has already been 
made.

www.gao.gov/cgi-bin/getrpt?GAO-05-486.

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Gregory C. Wilshusen at 
(202) 512-6244 or wilshuseng@gao.gov.

[End of figure]

Contents: 

Letter: 

Results in Brief: 

Background: 

Objectives, Scope, and Methodology: 

FDIC Has Made Significant Progress in Correcting Weaknesses and 
Implementing Controls: 

Weaknesses in Information System Controls: 

FDIC Has Made Substantial Progress Implementing Information Security 
Program but Has Not Completed Key Element: 

Conclusions: 

Recommendation for Executive Action: 

Agency Comments: 

Appendixes: 

Appendix I: Comments from the Federal Deposit Insurance Corporation: 

Appendix II: GAO Contact and Staff Acknowledgments: 

Abbreviations: 

CIO: Chief Information Officer: 

FDIC: Federal Deposit Insurance Corporation: 

FISMA: Federal Information Security Management Act: 

FISCAM: Federal Information System Controls Audit Manual: 

FSLIC: Federal Savings and Loan Insurance Corporation: 

NIST: National Institute of Standards and Technology: 

Letter May 19, 2005: 

To the Board of Directors: 
Federal Deposit Insurance Corporation: 

Effective information system controls are essential to ensuring that 
financial information is adequately protected from inadvertent or 
deliberate misuse, fraudulent use, improper disclosure, or destruction. 
These controls also affect the integrity, confidentiality, and 
availability of nonfinancial information maintained by Federal Deposit 
Insurance Corporation (FDIC), such as personnel and bank examination 
information. 

As part of our audit of the calendar year 2004 financial statements for 
FDIC's Bank Insurance Fund, Savings Association Fund, and FSLIC 
(Federal Savings and Loan Insurance Corporation) Resolution 
Fund,[Footnote 1] we assessed (1) the progress FDIC has made in 
correcting or mitigating information system control weaknesses reported 
in our prior audits for calendar years 2002[Footnote 2] and 
2003[Footnote 3] and (2) the effectiveness of the corporation's 
information system general controls.[Footnote 4] In a separate report 
designated for "Limited Official Use Only," we are making 
recommendations to correct the specific weaknesses identified. 

We performed our review at FDIC headquarters in Washington, D.C., and 
its computer facility in Arlington, Virginia, from September 2004 
through February 2005. Our review was performed in accordance with 
generally accepted government auditing standards. 

Results in Brief: 

FDIC made significant progress in correcting previously reported 
information system control weaknesses and has taken other steps to 
improve information security. Of the 22 weaknesses reported in our 2003 
audit, FDIC corrected 19 and is taking action to resolve the 3 that 
remain. In addition, it corrected the one weakness still open from our 
2002 review. 

Although FDIC has made substantial improvements in its information 
system controls, GAO identified additional weaknesses that diminish 
FDIC's ability to effectively protect the integrity, confidentiality, 
and availability of its financial and sensitive information systems. 
These included weaknesses in electronic access controls, network 
security, segregation of computer functions, physical security, and 
application change control. Although these do not pose significant 
risks to FDIC's financial and sensitive systems, they warrant 
management's action to decrease the risk of unauthorized modification 
of data and programs, inappropriate disclosure of sensitive 
information, or disruption of critical operations. 

A key reason for FDIC's weaknesses in information system controls is 
that it had not fully implemented a complete test and evaluation 
process, which is a key element of a comprehensive agency information 
security program. Although FDIC has made substantial progress in 
implementing its information security program and has enhanced its 
process to test and evaluate its information system controls, it did 
not ensure that all key control areas supporting FDIC's financial 
environment were routinely reviewed and tested. This included areas 
such as electronic access, network security, and audit logging. Without 
routine tests and evaluations of all key information system control 
areas, FDIC's ability to maintain adequate information system controls 
over its financial and sensitive information will be limited. 

We are recommending that FDIC broaden its process of tests and 
evaluations to ensure that all key control areas supporting its 
financial environment are routinely reviewed and tested. 

In providing written comments on a draft of this report, FDIC's Chief 
Financial Officer agreed with our recommendations. He reported that 
FDIC plans to address the identified weaknesses and that significant 
progress has already been made. 

Background: 

Congress created FDIC in 1933[Footnote 5] to restore and maintain 
public confidence in the nation's banking system. The Financial 
Institutions Reform, Recovery, and Enforcement Act of 1989 sought to 
reform, recapitalize, and consolidate the federal deposit insurance 
system.[Footnote 6] The act created the Bank Insurance Fund and the 
Savings Association Insurance Fund, both of which are responsible for 
protecting insured bank and thrift depositors. The act also abolished 
the FSLIC and created the FSLIC Resolution Fund to complete the affairs 
of the former FSLIC and liquidate the assets and liabilities 
transferred from the former Resolution Trust Corporation. It also 
designated FDIC as the administrator of these funds. As part of this 
function, FDIC has an examination and supervision program to monitor 
the safety of deposits held in member institutions. 

FDIC insures deposits in excess of $10 trillion for about 8,900 
institutions. Together, the three funds--the Bank Insurance Fund, the 
Savings Association Insurance Fund, and the FSLIC Resolution Fund--have 
about $52 billion in assets. FDIC had a budget of about $1.1 billion 
for calendar year 2004 to support its activities in managing the three 
funds. For that year, it processed more than 3.8 million financial 
transactions. 

FDIC relies extensively on computerized systems to support its 
financial operations and store the sensitive information it collects. 
Its local and wide area networks interconnect these systems. To support 
its financial management functions, it relies on several financial 
systems to process and track financial transactions that include 
premiums paid by its member institutions and disbursements made to 
support operations. In addition, FDIC uses other systems that maintain 
personnel information for its employees, examination data for financial 
institutions, and legal information on closed institutions. At the time 
of our review, about 6,200 individuals were authorized to use FDIC's 
systems. The corporation's key official for computer security is the 
Chief Information Officer, who is responsible for establishing, 
implementing, and overseeing a corporatewide information security 
program. 

Information system controls are a critical consideration for any 
organization that depends on computerized systems and networks to carry 
out its mission or business. Without proper safeguards, there is risk 
that individuals and groups with malicious intent may intrude into 
inadequately protected systems and use this access to obtain sensitive 
information, commit fraud, disrupt operations, or launch attacks 
against other computer systems and networks. 

We have reported information security as a governmentwide high-risk 
area since February 1997.[Footnote 7] Our previous reports, and those 
of agency inspectors general, describe persistent information security 
weaknesses that place a variety of federal operations, including those 
at FDIC, at risk of disruption, fraud, and inappropriate disclosure. 

Congress and the executive branch have taken action to address the 
risks associated with persistent information security weaknesses. In 
December 2002, the Federal Information Security Management Act (FISMA) 
of 2002, which is intended to strengthen information security, was 
enacted as Title III of the E-Government Act of 2002.[Footnote 8] In 
addition, the administration undertook important actions to improve 
security, such as integrating information security into the President's 
Management Agenda Scorecard. Moreover, the Office of Management and 
Budget and the National Institute of Standards and Technology (NIST) 
have issued information security guidance to agencies. 

Objectives, Scope, and Methodology: 

The objectives of our review were to assess (1) the progress FDIC had 
made in correcting or mitigating weaknesses reported in connection with 
our financial statement audits for calendar years 2002[Footnote 9] and 
2003[Footnote 10] and (2) the effectiveness of the corporation's 
information system controls. Our evaluation was based on (1) our 
Federal Information System Controls Audit Manual (FISCAM),[Footnote 11] 
which contains guidance for reviewing information system controls that 
affect the integrity, confidentiality, and availability of computerized 
data and (2) our May 1998 report on security management best 
practices[Footnote 12] at leading organizations, which identifies key 
elements of an effective information security program. 

Specifically, we evaluated information system controls intended to: 

* prevent, limit, and detect electronic access to computer resources 
(data, programs, and systems), thereby protecting these resources 
against unauthorized disclosure, modification, and use;

* provide physical protection of computer facilities and resources from 
espionage, sabotage, damage, and theft;

* ensure that work responsibilities for computer functions are 
segregated so that no one individual controls all key aspects of a 
computer-related operation and thereby has the ability to conduct 
unauthorized actions or gain unauthorized access to assets or records 
without detection by another individual performing assigned 
responsibilities;

* prevent the implementation of unauthorized changes to application or 
system software;

* ensure recovery of computer process operations and data in case of 
disaster or other unexpected interruption; and: 

* ensure an adequate information security program. 

To evaluate these controls, we identified and reviewed pertinent FDIC 
security policies and procedures, guidance, plans, and reports. We also 
discussed whether information system controls were in place, adequately 
designed, and operating effectively with key security representatives, 
system administrators, and management officials. In addition, we 
conducted tests and observations of controls in operation and reviewed 
corrective actions taken by the corporation to address vulnerabilities 
identified in our audits for calendar years 2002[Footnote 13] and 
2003.[Footnote 14]

FDIC Has Made Significant Progress in Correcting Weaknesses and 
Implementing Controls: 

FDIC has made significant progress in correcting previously reported 
information system control weaknesses. Of the 22 weaknesses reported in 
our 2003 audit,[Footnote 15] FDIC corrected 19 and is taking action to 
resolve the 3 that remain. In addition, the corporation corrected the 
one[Footnote 16] weakness still open from our 2002 audit.[Footnote 17] 
FDIC's actions included resolving weaknesses related to its key access 
controls, network security, and monitoring capabilities. For example, 
the corporation: 

* restricted user access to critical financial and sensitive data and 
programs;

* strengthened security configurations of network devices, including 
firewalls, routers, switches, and servers; and: 

* enhanced its monitoring of security-relevant events by fully 
implementing its intrusion detection system to monitor its computer 
network traffic for unusual or suspicious access activities. 

In addition to addressing previously reported weaknesses, FDIC took 
other steps to improve information security. For example, the 
corporation strengthened its oversight of contractor connections to its 
network by requiring contractors to develop security plans to protect 
these connections and to perform periodic inspections of contractor 
facilities to ensure security effectiveness. Further, FDIC established 
certification and accreditation[Footnote 18] guidelines that outline 
requirements for performing this process as part of each system's life 
cycle and certified and accredited each of its key systems. In 
addition, the corporation updated its disaster recovery procedures and 
has been routinely performing different types of tests of its disaster 
recovery plan. 

Weaknesses in Information System Controls: 

Although FDIC made substantial improvements in its information system 
controls, we identified 20 additional weaknesses that diminish its 
ability to effectively protect the integrity, confidentiality, and 
availability of its financial and sensitive information and information 
systems. Specifically, we identified weaknesses in electronic access 
controls, network security, physical security, segregation of computer 
functions, and application change controls. Although these information 
system control weaknesses do not pose significant risks to FDIC's 
financial and sensitive systems, they warrant management's action to 
decrease the risk of unauthorized modification of data and programs, 
inappropriate disclosure of sensitive information, or disruption of 
critical operations. 

Electronic Access Controls: 

A basic management control objective for any organization is the 
protection of its information systems and critical data from 
unauthorized access. Organizations accomplish this objective by 
granting employees the authority to read, create, or modify only those 
programs and data that they need to perform their duties. Effective 
electronic access controls should be designed to restrict access to 
computer programs and data and detect unauthorized access. These 
controls include assigning user access rights and permissions and 
reviewing audit logs to ensure that access privileges are used 
appropriately. 

Although FDIC restricted access to programs and information, we found 
instances in which access was not sufficiently controlled. For example, 
about 250 users were inadvertently granted access to read, create, or 
modify critical production programs and data for financial, payroll/ 
personnel, and bank regulatory systems. The risk of weakening security 
access was further heightened because the access activities of these 
users were not being logged for review. In addition, emergency access 
accounts with broad system access to all critical system and security 
resources intended to be used solely to manage problems or emergencies 
that interrupt the system's 24-hour-a-day operation were routinely used 
by four system and operations staff. Further, FDIC did not configure 
security software to appropriately restrict, log, and monitor access to 
certain sensitive system software libraries. As a result, increased 
risk exists that individuals could circumvent security controls to 
read, create, or modify critical or sensitive programs and data, 
possibly without detection. 

In response to these weaknesses, FDIC's Chief Information Officer said 
that they have taken steps to restrict access to critical financial 
data and program and related sensitive information. Further, the 
corporation stated that it has restricted access to sensitive system 
software libraries and plans to generate monthly audit reports for 
review and follow-up action as needed. 

Network Security: 

Networks are a series of interconnected devices and software that allow 
individuals to share data and computer programs. Because sensitive 
programs and data are stored on network servers or transmitted along 
networks, effectively securing networks is essential to protecting 
computing resources and data from unauthorized access, manipulation, 
and use. Organizations secure their networks, in part, by installing 
and configuring network devices that permit authorized network service 
requests and deny unauthorized requests and by limiting the services 
that are available on the network. Network devices include (1) 
firewalls designed to prevent unauthorized access to and from the 
network, (2) routers that filter and forward data along the network, 
(3) switches that forward information among parts of a network, and (4) 
servers that host applications and data. Network services consist of 
protocols for transmitting data between network devices. In addition, 
effective network controls, such as passwords, should be established to 
authenticate authorized users who access the network from local and 
remote locations. Since networks often provide the entry point for 
access to electronic information assets, failure to secure them 
increases the risk of unauthorized use of sensitive data and systems. 

Although FDIC's network controls were generally effective, we 
identified instances where FDIC did not adequately secure specific 
network services and devices or protect passwords. For example, 
database server configurations for some of the corporation's financial 
applications were not adequately secured. These servers had insecure 
settings that could have allowed an unauthorized user to gain access 
without providing authentication. In addition, FDIC did not have 
controls in place to consistently ensure that data transmitted between 
network devices were secure. Further, the passwords of local network 
administrators who had broad system access privileges were not 
adequately secured. As a result, increased risk exists that a malicious 
user could gain unauthorized access to some of FDIC's sensitive network 
systems, read and modify sensitive system data, and disrupt or deny 
computer processing services to corporation employees. 

In response to these weaknesses, FDIC's Chief Information Officer said 
that the corporation had taken steps to improve network security 
including strengthening server settings, data transmission, and 
administrator passwords. 

Physical Security: 

Physical security controls are important for protecting computer 
facilities and resources from espionage, sabotage, damage, and theft. 
These controls involve restricting physical access to computer 
resources, usually by limiting access to the buildings and rooms in 
which the resources are housed and by periodically reviewing access 
rights granted to ensure that access continues to be appropriate based 
on criteria established for granting it. At FDIC, physical access 
control measures (such as guards, badges, and locks, used either alone 
or in combination) are vital to protecting computing resources and the 
sensitive data it processes from external and internal threats. 

Although FDIC had taken numerous actions to strengthen its physical 
security over its computing environment, certain weaknesses reduced its 
effectiveness in protecting and controlling physical access to 
sensitive work areas. For example, 4 employees and contractors had 
access to the computer data center even though they had changed their 
job responsibilities and no longer required this access. As a result, 
there is an increased risk that unauthorized individuals could gain 
access to sensitive computing resources and data and inadvertently or 
deliberately misuse or destroy them. 

In response, FDIC's management plans to update procedures to ensure 
that physical access to the data center is limited to authorized 
individuals. 

Segregation of Computer Functions: 

Segregation of computer functions refers to the policies, procedures, 
and organizational structure that helps ensure that one individual 
cannot independently control all key aspects of a process or computer- 
related operation and, thereby, gain unauthorized access to assets or 
records. Often segregation of computer functions is achieved by 
dividing responsibilities among two or more organizational groups. 
Dividing duties among two or more individuals or groups diminishes the 
likelihood that errors and wrongful acts will go undetected because the 
activities of one individual or group will serve as a check on the 
activities of the others. Inadequate segregation of computer functions 
increases the risk that erroneous or fraudulent transactions could be 
processed, improper program changes implemented, and computer resources 
damaged or destroyed. 

Although computer responsibilities were generally properly segregated 
at FDIC, we identified one instance in which responsibilities were not 
adequately segregated: system administrators were also serving as 
database administrators for systems that maintained FDIC's key 
financial information. The risk associated with this weakness was 
further heightened because these administrators could take full control 
over the financial applications and databases that include audit and 
reconciliation data. Consequently, there is an increased risk that 
these individuals could perform unauthorized system activities without 
being detected. 

In response to this weakness, FDIC's Chief Information Officer said 
that the corporation plans to segregate the duties of system and 
database administrator functions. 

Application Change Controls: 

It is important to ensure that only authorized and fully tested 
application programs are placed in operation. To ensure that changes to 
application programs are needed, work as intended, and do not result in 
the loss of data or program integrity, such changes should be 
authorized, tested, and independently reviewed. 

Although FDIC had application change control procedures for its general 
ledger and accounts payable mainframe applications, it did not have 
procedures for documenting tests performed or independent reviews made 
for changes made to other key mainframe and client/server financial 
applications. In addition, the corporation did not have a process for 
authorizing changes to Web-based financial applications. Without 
adequate application change control procedures, changes may be 
implemented that are not authorized, tested, or independently reviewed. 

In response, FDIC's Chief Information Officer plans to establish 
procedures for documenting tests performed and independent reviews made 
for application software changes made to all mainframe and client/ 
server application software. In addition, the corporation plans to 
establish a process for authorizing changes to Web-based financial 
applications. 

FDIC Has Made Substantial Progress Implementing Information Security 
Program but Has Not Completed Key Element: 

A key reason for FDIC's weaknesses in information system controls is 
that it had not fully implemented a complete test and evaluation 
process, which is a key element of a comprehensive agency information 
security program. Our May 1998 study[Footnote 19] of security 
management best practices determined that a comprehensive information 
security program is essential to ensuring that information system 
controls work effectively on a continuing basis. Also, FISMA,[Footnote 
20] consistent with our study, requires an agency's information 
security program to include certain key elements. These elements 
include: 

* a central information security management structure to provide 
overall security policy and guidance along with oversight to ensure 
compliance with established policies and reviews of the effectiveness 
of the information security environment;

* periodic assessments of the risk and magnitude of the harm that could 
result from unauthorized access, use, disclosure, disruption, 
modification, or destruction of information and information systems;

* policies and procedures that (1) are based on risk assessments, (2) 
cost effectively reduce risks, (3) ensure that information security is 
addressed throughout the life cycle of each system, and (4) ensure 
compliance with applicable requirements;

* security awareness training to inform personnel, including 
contractors and other users of information systems, of information 
security risks and their responsibilities in complying with agency 
policies and procedures; and: 

* a process of tests and evaluations of the effectiveness of 
information security policies, procedures, and practices relating to 
management, operational, and technical controls of every major 
information system identified in the agency's inventories. 

FDIC has made substantial progress in establishing a comprehensive 
information security program. The corporation strengthened its central 
information security management structure by providing additional staff 
resources to oversee the program. Further, the corporation initiated a 
program to routinely perform risk assessments on all major systems. In 
addition, FDIC updated its overall security policies covering network 
security, computer center access, and security management and it 
developed security plans for all key systems. Also, the corporation 
continued to enhance its security awareness program by adding 
specialized training for selected technical staff. 

Although FDIC enhanced its process to test and evaluate its information 
system controls, it did not ensure that all key control areas 
supporting the corporation's financial environment were routinely 
reviewed and tested. These areas included electronic access controls, 
network security, and audit logging. During the past year, FDIC 
strengthened its test and evaluation process to cover additional key 
information system control areas, provide for independent tests of 
corrective actions, and assess and test newly-identified weaknesses and 
emerging security threats. Although FDIC established a process to test 
and evaluate network and mainframe information system controls, its 
program did not include routine evaluations of network desktop and 
database application controls. Further, the process did not include 
comprehensive tests to ensure that electronic access to key financial 
programs and data (1) were restricted to only those users who need it 
to perform their job functions and (2) had appropriate audit logs 
maintained to record security-relevant events for subsequent review. 
Without routine tests and evaluations of all key information system 
control areas, FDIC will have limited assurance that its financial and 
sensitive information is adequately protected. 

Incorporating these key areas into its test and evaluation process 
should allow FDIC to better identify and correct security problems, 
such as those identified in our 2004 audit. Further, the corporation's 
implementation of new financial systems in the coming year will 
significantly change the nature of its information systems environment 
and of the related information systems controls necessary for their 
effective operation. Consequently, a comprehensive test and evaluation 
process that includes these areas will be essential to ensure that the 
corporation's financial and sensitive information will be adequately 
protected in this new environment. 

In response, FDIC's Chief Information Officer said that the corporation 
will continue to take steps to enhance its overall test and evaluation 
process to ensure an effective security environment. 

Conclusions: 

FDIC has made significant progress in correcting the information system 
control weaknesses we previously identified and has taken other steps 
to improve information security. Although we identified weaknesses in 
information system controls involving electronic access, network 
security, segregation of computer functions, physical security, and 
application change control, these weaknesses do not pose significant 
risks to FDIC's financial and sensitive systems. Accordingly, we 
concluded that weaknesses in information system controls at the 
corporation no longer constitute a reportable condition,[Footnote 21] 
as stated in our audit of the calendar year 2004 financial statements 
for FDIC's three funds.[Footnote 22] However, they warrant action by 
the FDIC management to decrease the risk of unauthorized modification 
of data and programs, inappropriate disclosure of sensitive 
information, or disruption of critical operations. 

A key reason for FDIC's weaknesses in information system controls is 
that it had not fully implemented a complete test and evaluation 
process, which is a key element of a comprehensive agency information 
security program. Although the corporation has made substantial 
progress in implementing its information security program and enhanced 
its process to test and evaluate its information system controls, it 
did not ensure that all key control areas supporting its financial 
environment were routinely reviewed and tested. These areas included 
electronic access controls, network security, and audit logging. Until 
FDIC fully implements a comprehensive test and evaluation process, its 
ability to maintain adequate information system controls over its 
financial and sensitive information will be limited. This will be 
especially crucial as the corporation implements new financial systems 
in the coming year. 

Recommendation for Executive Action: 

To strengthen FDIC's information security program, we recommend that 
the Chairman direct the Chief Information Officer to broaden its 
process of tests and evaluations to ensure that all key control areas 
supporting FDIC's financial environment are routinely reviewed and 
tested. This process should include routine tests and evaluations of 
key control areas such as electronic access, network security, and 
audit logging. 

We are also making recommendations in a separate report designated for 
"Limited Official Use Only." These recommendations address actions 
needed to correct specific information security weaknesses related to 
electronic access, network security, physical security, segregation of 
computer functions, and application change controls. 

Agency Comments: 

In providing written comments on a draft of this report, FDIC's Chief 
Financial Officer (CFO) agreed with our recommendations. His comments 
are reprinted in appendix I of this report. Specifically, FDIC plans to 
correct all weaknesses identified and broaden the testing and 
evaluation element of its computer management program by February 28, 
2006. According to the CFO, significant progress has already been made 
in addressing the identified weaknesses. 

We are sending copies of this report to the Chairman and Ranking 
Minority Member of the Senate Committee on Banking, Housing, and Urban 
Affairs; the Chairman and Ranking Minority Member of the House 
Committee on Financial Services; members of the FDIC Audit Committee; 
officials in FDIC's divisions of information resources management, 
administration, and finance; and the FDIC inspector general. We also 
will make copies available to others upon request. In addition, this 
report will be available at no charge on the GAO Web site at 
[Hyperlink, http://www.gao.gov]. 

If you have any questions regarding this report, please contact me at 
(202) 512-6244 or David W. Irvin, Assistant Director, at (214) 777- 
5716. We can also be reached by e-mail at [Hyperlink, 
wilshuseng@gao.gov] and [Hyperlink, irvind@gao.gov], respectively. Key 
contributors to this report are listed in appendix II. 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

[End of section]

Appendixes: 

Appendix I: Comments from the Federal Deposit Insurance Corporation: 

Federal Deposit Insurance Corporation: 
Deputy to the Chairman and Chief Financial Officer: 

550 17th Street, NW, 
Washington, DC 20429: 

May 9, 2005: 

Mr. Gregory C. Wilshusen, Director: 
Information Security Issues:
U.S. Government Accountability Office: 
441 G Street, NW:
Washington, DC 20548: 

Dear Mr. Wilshusen: 

Thank you for the opportunity to respond to the draft reports entitled, 
Information Security: Federal Deposit Insurance Corporation Needs to 
Sustain Progress, dated April 26, 2005. We appreciate the generally 
positive tone of these reports, particularly in the Government 
Accountability Office's (GAO's) acknowledgement of the significant 
improvements made and the lengthy discussion of a number of the 
internal controls we have implemented. We were also pleased to have GAO 
acknowledge that, although the weaknesses identified warrant attention, 
they do not pose significant risks to FDIC's financial and sensitive 
systems. 

While recognizing that FDIC has made significant progress in correcting 
the prior year information security weaknesses and has taken other 
steps to improve security, GAO did identify new internal control 
matters. These weaknesses were characterized as being the result of 
FDIC not having a complete test and evaluation process. We appreciate 
the detailed information technology audit work completed by the GAO 
team. We believe that this work and your report will help us as we 
continue our efforts to improve the FDIC's information security 
program. 

Overall the FDIC agrees with the results represented in the referenced 
draft reports and recognizes the need to broaden its test and 
evaluation program. In response to the recommendations for executive 
action, the FDIC will, by December 31, 2005: 

* Complete corrective action for two of the remaining control 
weaknesses identified in the 2003 review;

* Correct the 20 information systems control weaknesses identified in 
this year's review; and: 

* Broaden the Corporation's computer security test and evaluation 
program to ensure that all key areas supporting FDIC's financial 
environment are routinely reviewed and tested. 

Corrective action for the remaining 2003 information systems control 
weakness, which we consider low risk, will be completed by February 28, 
2006. Specific corrective action plans were provided separately. 

I believe that significant progress has already been made in addressing 
the weaknesses identified in the draft reports. We understand that a 
sustained effort is needed through substantial resources and strong 
executive involvement to address the multitude of new vulnerabilities 
posed by the rapidly changing information technology industry. To that 
end, the FDIC remains committed to improving our corporate-wide 
security program. We look forward to continuing our productive dialogue 
with the GAO as we continue to enhance our security program. 

If you have questions relating to the FDIC management response, please 
contact James Angel, Director, Office of Enterprise Risk Management, at 
202-736-0138. 

Sincerely,

Signed by: 

Steven O. App: 

Deputy to the Chairman and Chief Financial Officer: 

cc: John Bovenzi; 
Michael Bartell; 
James H. Angel, Jr.; 
Audit Committee:  

[End of section]

Appendix II: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

David W. Irvin, (214) 777-5716: 

Staff Acknowledgments: 

In addition to the individual named above, Edward Alexander Jr., Gerald 
Barnes, Jason Carroll, Lon Chin, Debra Conner, Anh Dang, Kristi Dorsey, 
Edward Glagola Jr., Nancy Glover, Rosanna Guerrero, David Hayes, Harold 
Lewis, Leena Mathew, Kevin Metcalfe, Duc Ngo, Eugene Stevens, Charles 
Vrabel, and Christopher Warweg made key contributions to this report. 

(310552): 

FOOTNOTES

[1] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 
2004 and 2003 Financial Statements, GAO-05-281 (Washington, D.C.: Feb. 
11, 2005). 

[2] GAO, Information Security: Improvements Made but Existing 
Weaknesses Place Data at Risk, GAO-03-630 (Washington, D.C.: June 18, 
2003). 

[3] GAO, FDIC Information Security: Information System Controls at the 
Federal Deposit Insurance Corporation, GAO-04-630 (Washington, D.C.: 
May 28, 2004). 

[4] Information system general controls affect the overall 
effectiveness and security of computer operations as opposed to being 
unique to any specific computer application. These controls include 
security management, operating procedures, software security features, 
and physical protection designed to ensure that access to data is 
appropriately restricted, that only authorized changes to computer 
programs are made, that computer security duties are segregated, and 
that backup and recovery plans are adequate to ensure the continuity of 
operations. 

[5] Federal Deposit Insurance Corporation Act, June 16, 1933, Ch. 89, § 
8. 

[6] Pub. L. No. 101-73 (Aug. 9, 1989). 

[7] See, for example, GAO, High-Risk Series: An Update, GAO-05-207 
(Washington, D.C.: January 2005). 

[8] Pub. L. No. 107-347 (Dec. 17, 2002). 

[9] GAO-03-630. 

[10] GAO-04-630. 

[11] GAO, Federal Information System Controls Audit Manual, Volume I-- 
Financial Statements Audits, GAO/AIMD-12.19.6 (Washington, D.C.: 
January 1999). 

[12] GAO, Information Security Management: Learning from Leading 
Organizations, GAO/AIMD-98-68 (Washington, D.C.: May 1998). 

[13] GAO-03-630. 

[14] GAO-04-630. 

[15] GAO-04-630. 

[16] GAO identified 29 weaknesses in the 2002 review; FDIC corrected 28 
of those weaknesses before our 2004 review. In addition, GAO 
indentified 41 weaknesses in the 2001 review that were also corrected 
before our 2004 review. 

[17] GAO-03-630. 

[18] Certification is the comprehensive evaluation of the management, 
operational, technical, and security controls in an information system 
to determine the effectiveness of these controls and identify existing 
vulnerabilities. Accreditation is the official management decision to 
authorize operation of an information system. This authorization 
explicitly accepts the risk remaining after the implementation of an 
agreed-upon set of security controls. 

[19] GAO/AIMD-98-68. 

[20] FISMA requires each agency to develop, document, and implement an 
agencywide information security program to provide information security 
for the information and systems that support the operations and assets 
of the agency, using a risk-based approach to information security 
management. 

[21] Reportable conditions involve matters coming to the auditor's 
attention that, in the auditor's judgment, should be communicated 
because they represent significant deficiencies in the design or 
operation of internal control and could adversely affect FDIC's ability 
to meet the control objectives. 

[22] GAO-05-281. 

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office

441 G Street NW, Room LM

Washington, D.C. 20548: 

To order by Phone: 

Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm

E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director,

NelliganJ@gao.gov

(202) 512-4800

U.S. Government Accountability Office,

441 G Street NW, Room 7149

Washington, D.C. 20548: