Information Security:
Federal Deposit Insurance Corporation Needs to Improve Its Program
GAO-06-620: Published: Aug 31, 2006. Publicly Released: Aug 31, 2006.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Text:
Contact:
(202) 512-6244
contact@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. The corporation relies extensively on computerized systems to support and carry out its financial and mission-related operations. As part of the audit of the calendar year 2005 financial statements, GAO assessed (1) the progress FDIC has made in correcting or mitigating information security weaknesses previously reported and (2) the effectiveness of the corporation's information system controls to protect the confidentiality, integrity, and availability of its key financial information and information systems.
FDIC has made progress in correcting previously reported weaknesses. Specifically, the corporation has corrected or mitigated 18 of the 24 weaknesses that GAO previously reported as unresolved at the time of the last review. Among actions FDIC has taken are developing and implementing procedures to comply with its computer file naming convention standards and developing and implementing automated procedures for limiting access to sensitive information. Nevertheless, FDIC has not consistently implemented information security controls to properly protect the confidentiality, integrity, and availability of its financial and sensitive information and information systems. In addition to the remaining six previously reported weaknesses for which FDIC has not completed corrective actions, GAO identified 20 new information security weaknesses. Most identified weaknesses pertain to access controls over (1) user accounts and passwords; (2) access rights and permissions; (3) network services; (4) configuration assurance; (5) audit and monitoring of security-related events; and (6) physical security that are to prevent, limit, or detect access to its critical financial and sensitive systems and information. In addition, weaknesses exist in other information security controls relating to segregation of duties and application change controls. A key reason for these weaknesses is that FDIC has not fully implemented elements of its information security program. For example, it has not consistently implemented its security-related policies, addressed security plans for certain applications, provided specialized training to individuals with significant security responsibilities, implemented remedial action plans for resolving known weaknesses, and updated or tested continuity plans in light of its implementation of the new financial environment. As a result, financial and sensitive information are at increased risk of unauthorized access, modification, and/or disclosure, possibly without detection. Because of this, GAO reported information system control weaknesses to be a reportable condition in 2005.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: FDIC has implemented or accurately reported the status of its remedial actions.
Recommendation: To help fully implement the corporation's information security program, the FDIC Chairman should report weaknesses as closed in remedial action plans only when corrective actions have been completed.
Agency Affected: Federal Deposit Insurance Corporation
Status: Closed - Implemented
Comments: FDIC has provided specialized training to all employees with significant security responsibility. FDIC tracks employee training and those that miss training are required to view the training DVD in its entirety and certify that they have completely reviewed the training material.
Recommendation: To help fully implement the corporation's information security program, the FDIC Chairman should provide specialized training to individuals with significant security responsibilities.
Agency Affected: Federal Deposit Insurance Corporation
Status: Closed - Implemented
Comments: FDIC has incorporated non-major systems in a security plan.
Recommendation: To help fully implement the corporation's information security program, the FDIC Chairman should include security plans or requirements for nonmajor applications into the plans for general support systems.
Agency Affected: Federal Deposit Insurance Corporation
Status: Closed - Implemented
Comments: FDIC has consistently implemented various policies and procedures related to information security.
Recommendation: To help fully implement the corporation's information security program, the FDIC Chairman should consistently implement the corporation's documented policies and procedures related to information security.
Agency Affected: Federal Deposit Insurance Corporation
Status: Closed - Implemented
Comments: FDIC has updated the continuity of operations plan. FDIC has tested selected functions of NFE.
Recommendation: To help fully implement the corporation's information security program, the FDIC Chairman should update continuity of operations plans and test them for the New Financial Environment.
Agency Affected: Federal Deposit Insurance Corporation
Explore the full database of GAO's Open Recommendations
»
Explore the full database of GAO's Open Recommendations
Sep 5, 2018
Community Banks:
Effect of Regulations on Small Business Lending and Institutions Appears Modest, but Lending Data Could Be ImprovedGAO-18-312: Published: Aug 6, 2018. Publicly Released: Sep 5, 2018.
Jul 19, 2018
-
Export-Import Bank:
The Bank Needs to Continue to Improve Fraud Risk ManagementGAO-18-492: Published: Jul 19, 2018. Publicly Released: Jul 19, 2018.
Jul 18, 2018
-
Securities Regulation:
SEC Inspections of Financial Industry Regulatory Authority's Governance Were Consistent with Internal GuidanceGAO-18-522: Published: Jul 18, 2018. Publicly Released: Jul 18, 2018.
Jun 26, 2018
-
Bank Secrecy Act:
Further Actions Needed to Address Domestic and International Derisking ConcernsGAO-18-642T: Published: Jun 26, 2018. Publicly Released: Jun 26, 2018.
Mar 22, 2018
-
Financial Technology:
Additional Steps by Regulators Could Better Protect Consumers and Aid Regulatory OversightGAO-18-254: Published: Mar 22, 2018. Publicly Released: Mar 22, 2018. -
Climate-Related Risks:
SEC Has Taken Steps to Clarify Disclosure RequirementsGAO-18-188: Published: Feb 20, 2018. Publicly Released: Mar 22, 2018.
Mar 16, 2018
-
Community Reinvestment Act:
Options for Treasury to Consider to Encourage Services and Small-Dollar Loans When Reviewing FrameworkGAO-18-244: Published: Feb 14, 2018. Publicly Released: Mar 16, 2018.
Mar 15, 2018
-
Commercial Real Estate Lending:
Banks Potentially Face Increased Risk; Regulators Generally Are Assessing Banks' Risk Management PracticesGAO-18-245: Published: Mar 15, 2018. Publicly Released: Mar 15, 2018.
Feb 27, 2018
-
Analyzing Regulatory Burden:
Policies and Analyses under the Regulatory Flexibility Act and Retrospective Reviews Could Be ImprovedGAO-18-404T: Published: Feb 27, 2018. Publicly Released: Feb 27, 2018. -
Community Banks and Credit Unions:
Regulators Could Take Additional Steps to Address Compliance BurdensGAO-18-213: Published: Feb 13, 2018. Publicly Released: Feb 27, 2018.
Looking for more? Browse all our products here
Explore our Key Issues on Financial Markets and Institutions
Explore our other Key Issues here
