Information Security: Federal Deposit Insurance Corporation Needs to Sustain Progress Improving Its Program

GAO-07-351 Published: May 18, 2007. Publicly Released: May 18, 2007.
Highlights

The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. As part of its audit of the calendar year 2006 financial statements, GAO assessed (1) the progress FDIC has made in correcting or mitigating information security weaknesses previously reported and (2) the effectiveness of FDIC's system integrity controls to protect the confidentiality and availability of its financial information and information systems. To do this, GAO examined pertinent security policies, procedures, and relevant reports. In addition, GAO conducted tests and observations of controls in operation.

Recommendations

Recommendations for Executive Action

Agency affected: Federal Deposit Insurance Corporation (all recommendations below).

Each recommendation is addressed to the FDIC Chief Financial Officer and Chief Operating Officer in order to sustain progress in the corporation's information security program, is to be performed in a timely manner, and carries the status Closed – Implemented. The note under each status is GAO's description of what FDIC did to close it.

1. Recommendation: Require that e-mail containing or transmitting accounting data be secured to protect the integrity of the accounting data.
   Status: Closed – Implemented. FDIC has required that e-mail containing or transmitting accounting data be secured to protect the integrity of the accounting data.

2. Recommendation: Train security personnel to implement the corporation's policy on physical security of the facility.
   Status: Closed – Implemented. FDIC has trained security personnel to implement the corporation's policy on physical security of the facility.

3. Recommendation: Instruct FDIC personnel to lock rooms that contain sensitive software.
   Status: Closed – Implemented. FDIC has instructed personnel to lock rooms that contain sensitive software.

4. Recommendation: Develop a configuration item index of all configuration items for NFE using a consistent and documented naming convention.
   Status: Closed – Implemented. FDIC has developed a configuration item index of all configuration items for NFE using a consistent and documented naming convention.

5. Recommendation: Require that significant changes to the system, such as parameter changes, go through a formal change management process.
   Status: Closed – Implemented. FDIC has ensured that significant changes to the system, such as parameter changes, go through a formal change management process.

6. Recommendation: Implement patches in a timely manner.
   Status: Closed – Implemented. FDIC has implemented patches in a timely manner.

7. Recommendation: Require that the NFE project team review status accounting reports and perform complete functional and physical configuration audits.
   Status: Closed – Implemented. FDIC is able to review some status accounting reports and has conducted physical and functional configuration audits for NFE.

8. Recommendation: Adequately control the NFE documents so that they are up-to-date and accurately reflect the current environment.
   Status: Closed – Implemented. FDIC has adequately controlled the NFE documents (risk assessment, security plan, contingency plan) so that they are up-to-date and accurately reflect the current environment.

9. Recommendation: Update the NFE risk assessment to include the risk associated with vulnerabilities identified during security testing and evaluation.
   Status: Closed – Implemented. FDIC has updated the NFE risk assessment to include the risk associated with vulnerabilities identified during security testing and evaluation.

10. Recommendation: Update the NFE security plan to clearly identify all common security controls.
    Status: Closed – Implemented. FDIC has updated the NFE security plan to clearly identify all common security controls.

11. Recommendation: Develop procedures to review events occurring in the NFE to determine whether the events are computer security incidents.
    Status: Closed – Implemented. FDIC has developed procedures to review events to determine whether they are computer security incidents.

12. Recommendation: Update the contingency plan to reflect the new disaster recovery site and servers that are in use.
    Status: Closed – Implemented. FDIC provided an updated NFE contingency plan that reflects the new disaster recovery site and servers.

Topics

Computer security, Data integrity, Data transmission, Federal corporations, Financial statement audits, Financial statements, Information security, Information systems, Insurance, Internal controls, Physical security, Policy evaluation, Risk assessment, Risk management, Systems evaluation