FDIC Information Security: Improvements Made but Weaknesses Remain
GAO reviewed information systems general controls in the calendar year 2001 financial statement audits of the Federal Deposit Insurance Corporation's (FDIC) Bank Insurance Fund, Savings Association Insurance Fund, and Federal Savings and Loan Insurance Corporation Resolution Fund. FDIC made progress in correcting information security weaknesses previously identified and has taken steps to improve security. Nevertheless, GAO identified new weaknesses in its information systems controls that affect the corporation's ability to safeguard electronic access to critical financial and other sensitive information. FDIC did not adequately limit access to data and programs by controlling mainframe access authority, providing sufficient network security, or establishing a comprehensive program to monitor access activities. Further, other information systems control weaknesses were identified that could hinder FDIC's ability to provide physical security for its computer facility, appropriate segregation of computer functions, effective control of system software changes, or continuity of operations.
Recommendations for Executive Action
Agency affected: Federal Deposit Insurance Corporation
Recommendation: To establish an effective information systems control environment, FDIC should instruct the acting Chief Information Officer (CIO), as FDIC's key official responsible for computer security, to correct the information systems control weaknesses related to access authority, network security, access monitoring, physical access, segregation of duties, system software, service continuity, and security management. These specific weaknesses are described in a separate report designated for "Limited Official Use Only," also issued today.
Status: Based on its calendar year 2003 financial audit at FDIC, GAO concluded that FDIC had completed corrective actions on the 22 information security weaknesses that remained open at the end of GAO's calendar year 2001 audit. Specifically, FDIC corrected information security weaknesses related to access authority, network security, access monitoring, physical access, segregation of duties, system software, service continuity, and security management.

Agency affected: Federal Deposit Insurance Corporation
Recommendation: To establish an effective information systems control environment, FDIC should instruct the acting CIO, as FDIC's key official responsible for computer security, to fully develop and implement a computer security management program. Specifically, this would include (1) establishing clearly defined roles and responsibilities for FDIC's information security managers and guidance for coordinating and collaborating with central security, (2) developing a program for performing periodic risk assessments to determine computer security needs, (3) developing and implementing technical security standards for all computer platforms, and (4) establishing an ongoing program of tests and evaluations to ensure that policies and controls are appropriate and effective.
Status: FDIC established a computer security management program. Specifically, FDIC established a central security management group to provide security guidance and oversight of the corporation's computer security environment. This included establishing defined roles and responsibilities for each of its information security managers and developing guidance for coordinating the work of these managers with the efforts of the central security group. Further, FDIC established a framework for performing risk assessments and has initiated a process of conducting risk assessments on a scheduled basis. In addition, FDIC has developed and implemented technical security standards for each of its network platforms, its mainframe, and its security software. Finally, FDIC established an ongoing program to test and evaluate its information system controls and to ensure compliance with established policies and procedures.

Agency affected: Federal Deposit Insurance Corporation
Recommendation: FDIC should instruct the acting CIO to report periodically on progress in implementing FDIC's corrective action plans.
Status: FDIC established a process for the CIO to provide monthly status briefings on progress made in correcting the security weaknesses and implementing GAO's recommendations. These briefings include representatives from FDIC's senior management, board of directors, and audit committee.