Information Security: Federal Deposit Insurance Corporation Needs to Sustain Progress
GAO-05-486
Published: May 19, 2005. Publicly Released: May 19, 2005.
Highlights
The Federal Deposit Insurance Corporation (FDIC) relies extensively on computerized systems to support its financial and mission-related operations. As part of GAO's audit of the calendar year 2004 financial statements for the three funds administered by FDIC, GAO assessed (1) the progress FDIC has made in correcting or mitigating information system control weaknesses identified in our audits for calendar years 2002 and 2003 and (2) the effectiveness of the corporation's information system general controls.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Federal Deposit Insurance Corporation | To strengthen FDIC's information security program, the Chairman should direct the Chief Information Officer to broaden its process of tests and evaluations to ensure that all key control areas supporting FDIC's financial environment are routinely reviewed and tested. This process should include routine tests and evaluations of key control areas such as electronic access, network security, and audit logging. | Closed – Implemented. FDIC has since developed a comprehensive system testing and evaluation process in 2005 with the New Financial Environment (NFE) System Test and Evaluation (ST&E), which follows and incorporates all of the National Institute of Standards and Technology (NIST) requirements, and includes key control areas such as electronic access, network security, and audit logging. The Federal Information Security Management Act (FISMA) requires that the corporation perform annual re-testing of such controls. The FISMA submission or self-assessment qualifies for the re-testing. |
Topics
Computer security, Financial statement audits, Information security, Information systems, Internal controls, Reporting requirements, Risk management, Strategic planning, Bank examination, Information security management