GAO reviewed information systems general controls in the calendar year 2001 financial statement audits of the Federal Deposit Insurance Corporation's (FDIC) Bank Insurance Fund, Savings Association Insurance Fund, and Federal Savings and Loan Insurance Corporation Resolution Fund. FDIC made progress in correcting information security weaknesses previously identified and has taken steps to improve security. Nevertheless, GAO identified new weaknesses in its information systems controls that affect the corporation's ability to safeguard electronic access to critical financial and other sensitive information. FDIC did not adequately limit access to data and programs by controlling mainframe access authority, providing sufficient network security, or establishing a comprehensive program to monitor access activities. Further, other information systems control weaknesses were identified that could hinder FDIC's ability to provide physical security for its computer facility, appropriate segregation of computer functions, effective control of system software changes, or continuity of operations.
Recommendations for Executive Action
| Agency Affected | Recommendation |
| --- | --- |
| Federal Deposit Insurance Corporation | To establish an effective information systems control environment, FDIC should instruct the acting Chief Information Officer (CIO), as FDIC's key official responsible for computer security, to correct the information systems control weaknesses related to access authority, network security, access monitoring, physical access, segregation of duties, system software, service continuity, and security management. These specific weaknesses are described in a separate report designated for "Limited Official Use Only," also issued today. |
| Federal Deposit Insurance Corporation | To establish an effective information systems control environment, FDIC should instruct the acting CIO, as FDIC's key official responsible for computer security, to fully develop and implement a computer security management program. Specifically, this would include (1) establishing clearly defined roles and responsibilities for FDIC's information security managers and guidance for coordinating and collaborating with central security, (2) developing a program for performing periodic risk assessments to determine computer security needs, (3) developing and implementing technical security standards for all computer platforms, and (4) establishing an ongoing program of tests and evaluations to ensure that policies and controls are appropriate and effective. |
| Federal Deposit Insurance Corporation | FDIC should instruct the acting CIO to report periodically on progress in implementing FDIC's corrective action plans. |