Information Security: Opportunities Exist for the Federal Deposit Insurance Corporation to Improve Controls
Highlights
What GAO Found
Although the Federal Deposit Insurance Corporation (FDIC) had implemented numerous controls intended to protect its key financial systems, it had not always fully implemented access and other controls to protect the confidentiality, integrity, and availability of its financial systems and information. FDIC had implemented controls to monitor access to certain sensitive user accounts, restricted access to database administration functions, ensured that passwords for sensitive user accounts were regularly changed, developed and tested contingency plans for major systems, and enabled logging controls on its network devices. However, weaknesses in access and other controls continue to challenge the corporation in its efforts to ensure the confidentiality, integrity, and availability of financial and sensitive information. For example, FDIC had not always (1) implemented controls for identifying and authenticating users, such as requiring strong passwords for administrative users on certain systems; (2) appropriately restricted access to sensitive financial information on its network; (3) ensured that sensitive data were encrypted when transmitted; (4) implemented controls to separate incompatible functions; or (5) ensured that key applications were updated with security patches. In addition, deficiencies in FDIC's procedures for managing and controlling changes to the computer programs used in deriving its estimates of losses from shared loss agreements allowed significant errors in the shared loss estimate to occur and not be detected or corrected. Specifically, the Division of Resolutions and Receiverships had not documented change management procedures for the shared loss programs, had not stored all key programs in FDIC's software configuration management library, and had not adequately tested changes to the programs.
These deficiencies occurred because the division had not applied FDIC's corporate policies and guidance for software configuration management when controlling and testing changes to the programs. These deficiencies, considered collectively, contributed to GAO's determination that FDIC had a significant deficiency in internal control over financial reporting in 2011.
A key reason for these information security weaknesses is that FDIC had not always implemented key information security program activities. Although FDIC had developed and documented many elements of its information security program and had addressed 33 of the 47 weaknesses previously reported by GAO, it had not always fully implemented its information security policies and had not yet completed actions to address 14 weaknesses previously reported by GAO. Until FDIC further mitigates known information security weaknesses in access controls and other information system controls and ensures that its corporate change management policies are implemented in the shared loss estimation process, the corporation will continue to face an increased risk that sensitive financial information and resources will not be sufficiently protected from inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction.
Why GAO Did This Study
FDIC has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. Because of the importance of FDIC's work, effective information security controls are essential to ensure that the corporation's systems and information are adequately protected from inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction.
As part of its audits of the 2011 financial statements of the Deposit Insurance Fund and the Federal Savings & Loan Insurance Corporation Resolution Fund administered by FDIC, GAO assessed the effectiveness of the corporation's controls in protecting the confidentiality, integrity, and availability of its financial systems and information. To do so, GAO examined security policies, procedures, reports, and other documents; tested controls over key financial applications; and interviewed key FDIC personnel.
Recommendations
GAO is recommending 41 specific actions for correcting newly identified information security weaknesses. In commenting on a draft of this report, FDIC stated that corrective actions have already been or will be completed to implement 40 of the 41 recommendations.