Information Security:
Federal Deposit Insurance Corporation Needs to Improve Its Program
GAO-06-620: Published: Aug 31, 2006. Publicly Released: Aug 31, 2006.
The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. The corporation relies extensively on computerized systems to support and carry out its financial and mission-related operations. As part of the audit of the calendar year 2005 financial statements, GAO assessed (1) the progress FDIC has made in correcting or mitigating information security weaknesses previously reported and (2) the effectiveness of the corporation's information system controls to protect the confidentiality, integrity, and availability of its key financial information and information systems.
FDIC has made progress in correcting previously reported weaknesses. Specifically, the corporation has corrected or mitigated 18 of the 24 weaknesses that GAO previously reported as unresolved at the time of the last review. Among the actions FDIC has taken are developing and implementing procedures to comply with its computer file naming convention standards and developing and implementing automated procedures for limiting access to sensitive information. Nevertheless, FDIC has not consistently implemented information security controls to properly protect the confidentiality, integrity, and availability of its financial and sensitive information and information systems. In addition to the remaining six previously reported weaknesses for which FDIC has not completed corrective actions, GAO identified 20 new information security weaknesses. Most identified weaknesses pertain to access controls over (1) user accounts and passwords; (2) access rights and permissions; (3) network services; (4) configuration assurance; (5) audit and monitoring of security-related events; and (6) physical security, controls that are intended to prevent, limit, or detect access to its critical financial and sensitive systems and information. In addition, weaknesses exist in other information security controls relating to segregation of duties and application change controls. A key reason for these weaknesses is that FDIC has not fully implemented elements of its information security program. For example, it has not consistently implemented its security-related policies, addressed security plans for certain applications, provided specialized training to individuals with significant security responsibilities, implemented remedial action plans for resolving known weaknesses, or updated and tested continuity plans in light of its implementation of the new financial environment.
As a result, financial and sensitive information is at increased risk of unauthorized access, modification, or disclosure, possibly without detection. Because of this, GAO reported information system control weaknesses to be a reportable condition in 2005.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: FDIC has consistently implemented various policies and procedures related to information security.
Recommendation: To help fully implement the corporation's information security program, the FDIC Chairman should consistently implement the corporation's documented policies and procedures related to information security.
Agency Affected: Federal Deposit Insurance Corporation
Status: Closed - Implemented
Comments: FDIC has incorporated non-major systems in a security plan.
Recommendation: To help fully implement the corporation's information security program, the FDIC Chairman should include security plans or requirements for nonmajor applications into the plans for general support systems.
Agency Affected: Federal Deposit Insurance Corporation
Status: Closed - Implemented
Comments: FDIC has provided specialized training to all employees with significant security responsibility. FDIC tracks employee training and those that miss training are required to view the training DVD in its entirety and certify that they have completely reviewed the training material.
Recommendation: To help fully implement the corporation's information security program, the FDIC Chairman should provide specialized training to individuals with significant security responsibilities.
Agency Affected: Federal Deposit Insurance Corporation
Status: Closed - Implemented
Comments: FDIC has implemented or accurately reported the status of its remedial actions.
Recommendation: To help fully implement the corporation's information security program, the FDIC Chairman should report weaknesses as closed in remedial action plans only when corrective actions have been completed.
Agency Affected: Federal Deposit Insurance Corporation
Status: Closed - Implemented
Comments: FDIC has updated the continuity of operations plan. FDIC has tested selected functions of NFE.
Recommendation: To help fully implement the corporation's information security program, the FDIC Chairman should update continuity of operations plans and test them for the New Financial Environment.
Agency Affected: Federal Deposit Insurance Corporation