Skip to main content

Information Security: FDIC Needs to Improve Controls over Financial Systems and Information

GAO-17-436 Published: May 31, 2017. Publicly Released: May 31, 2017.
Jump To:
Skip to Highlights

Highlights

What GAO Found

The Federal Deposit Insurance Corporation (FDIC) implemented numerous information security controls intended to protect its key financial systems. However, further actions are needed to address weaknesses in access controls—including boundary protection, identification and authentication, and authorization controls—and in configuration management controls. For example, the corporation did not sufficiently isolate financial systems from other parts of its network, ensure that users would be held accountable for the use of a key privileged account, or establish a single, accurate listing of all IT assets in its environment.

The corporation established a comprehensive framework for its information security program and implemented many aspects of its program. For example, FDIC (1) defined security categories for the general support systems we reviewed based on risk; (2) assessed the risk from control deficiencies identified during security control tests; and (3) conducted a disaster recovery test of its general support systems and mission-critical applications. In addition, FDIC addressed 15 of the 21 previously reported weaknesses that were unresolved as of December 31, 2015, as indicated in the following table.

Status of GAO Information Security Recommendations to FDIC as of December 2016

Information security control area

Not implemented at the beginning of 2016

Implemented during 2016

Actions still in progress

Access controls

15

13

2

Other controls

4

1

3

Information security program

2

1

1

Total

21

15

6

Source: GAO analysis of FDIC information. | GAO-17-436

However, an underlying reason for many of the information security weaknesses identified during GAO's review was that FDIC did not fully implement other aspects of its program. For example, the corporation did not (1) include necessary information in procedures for granting access to a key financial application and (2) fully address the FDIC Office of the Inspector General's finding that the corporation did not always identify and report major security incidents in a timely manner.

Until FDIC takes the necessary steps to address both new and previously reported control deficiencies, its sensitive financial information and resources will remain at increased risk of inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction. The combination of the continuing and new information security control deficiencies in access and configuration management controls, considered collectively, represent a significant deficiency in FDIC's internal control over financial reporting as of December 31, 2016.

Why GAO Did This Study

FDIC has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. Because of FDIC's reliance on information systems, effective information security controls are essential to ensure that the corporation's systems and information are adequately protected from inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction.

As part of its audit of the 2016 and 2015 financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation Resolution Fund, which are administered by FDIC, GAO assessed the effectiveness of the corporation's controls in protecting the confidentiality, integrity, and availability of its financial systems and information. To do so, GAO examined security policies, procedures, reports, and other documents; tested controls over key financial applications; and interviewed FDIC personnel.

Recommendations

GAO is recommending that FDIC take one action to more fully implement its information security program. In a separate report with limited distribution, GAO made six recommendations to FDIC to address newly identified weaknesses in access and configuration management controls. In commenting on a draft of this report, FDIC agreed with GAO’s recommendation and stated that corrective actions to implement the recommendation will be completed by July 2017.

Recommendations for Executive Action

Agency Affected Recommendation Status
Federal Deposit Insurance Corporation To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to update the procedure for granting access to the key financial application, to include responsibilities and steps for ensuring that the access privileges granted have been approved by the users' supervisor.
Closed – Implemented
FDIC agreed with our recommendation and has taken steps to implement it. Specifically, in January 2018, we determined that FDIC had appropriately limited access for its key financial systems to authorized personnel.

Full Report

GAO Contacts

Nick Marinos
Managing Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Computer securityFinancial management systemsInformation resources managementInformation securityInformation systemsInternal controlsFinancial systemsFinancial reportingCritical infrastructure vulnerabilitiesRisk assessmentRisk managementPolicies and proceduresAccess control