Information Security: FDIC Sustains Progress but Needs to Improve Configuration Management of Key Financial Systems

GAO-08-564 May 30, 2008

Summary

The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. Effective information security controls are essential to ensure that FDIC systems and information are adequately protected from inadvertent misuse, fraudulent use, or improper disclosure. As part of its audit of FDIC's 2007 financial statements, GAO assessed (1) the progress FDIC has made in mitigating previously reported information security weaknesses and (2) the effectiveness of FDIC's controls in protecting the confidentiality, integrity, and availability of its financial systems and information. To do this, GAO examined security policies, procedures, reports, and other documents; observed controls over key financial applications; and interviewed key FDIC personnel.

FDIC has made significant progress in mitigating previously reported information security weaknesses. Specifically, it has corrected or mitigated 16 of the 21 weaknesses that GAO had previously reported as unresolved at the completion of the 2006 audit. For example, FDIC has improved physical security controls over access to its Virginia Square computer processing facility, instructed personnel to use more secure e-mail methods to protect the integrity of certain accounting data transferred over an internal communication network, and updated the security plan and contingency plan of a key financial system. In addition, FDIC stated it has initiated and completed some actions to mitigate the remaining five prior weaknesses. However, we have not verified that these actions have been completed.

Although FDIC has made significant progress improving its information system controls, old and new weaknesses could limit the corporation's ability to effectively protect the confidentiality, integrity, and availability of its financial systems and information. In addition to the five previously reported weaknesses that remain unresolved, newly identified weaknesses in access controls and configuration management controls introduce risk to two key financial systems. For example, FDIC did not always implement adequate access controls. Specifically, multiple FDIC users shared the same login ID and password, had unrestricted access to application source code, and used passwords that were not adequately encrypted. In addition, FDIC did not adequately (1) maintain a full and complete baseline for system requirements; (2) assign unique identifiers to configuration items; (3) authorize, document, and report all configuration changes; and (4) perform configuration audits. Although these weaknesses do not pose significant risk of misstatement of the corporation's financial statements, they do increase preventable risk to the corporation's financial systems and information.

A key reason for these weaknesses is that FDIC did not always fully implement key information security program activities. For example, it did not adequately conduct configuration control testing, did not complete the remedial action plan in a timely manner, and did not include necessary and key information in that plan. Until FDIC fully performs key information security program activities, its ability to maintain adequate control over its financial systems and information will be limited.



Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Gregory C. Wilshusen
Team: Government Accountability Office: Information Technology
Phone: (202) 512-6244


Recommendations for Executive Action


Recommendation: In order to sustain progress in its program, the Chief Operating Officer should direct the CIO to improve access controls by ensuring that New Financial Environment (NFE) users do not share login ID and password accounts.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress in its program, the Chief Operating Officer should direct the CIO to improve access controls by ensuring that Assessment Information Management System II (AIMS II) users do not have full access to application source code unless they have a legitimate business need.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress in its program, the Chief Operating Officer should direct the CIO to improve access controls by ensuring that the database connection is adequately encrypted with passwords that comply with Federal Information Processing Standard 140-2.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress in its program, the Chief Operating Officer should direct the CIO to improve NFE and AIMS II configuration management by ensuring that full and complete requirement baselines are developed and implemented.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress in its program, the Chief Operating Officer should direct the CIO to improve NFE and AIMS II configuration management by ensuring that configuration items have unique identifiers.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress in its program, the Chief Operating Officer should direct the CIO to improve NFE and AIMS II configuration management by ensuring that configuration changes are properly authorized, documented, and reported.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress in its program, the Chief Operating Officer should direct the CIO to improve NFE and AIMS II configuration management by ensuring that physical configuration audits verify and validate that all items are under configuration management control, that all changes made are approved by the configuration control board, and that teams are assigning unique identifiers to configuration items.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress in its program, the Chief Operating Officer should direct the CIO to improve NFE and AIMS II configuration management by ensuring that functional configuration audits verify and validate that requirements have bidirectional traceability and can be traced across the various documents.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress in its program, the Chief Operating Officer should direct the CIO to improve the security management of NFE and AIMS II by ensuring that users adequately test configuration management controls as part of the system test and evaluation process.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress in its program, the Chief Operating Officer should direct the CIO to improve the security management of NFE and AIMS II by ensuring that users develop, in a timely manner, a detailed plan of action and milestones for NFE that includes who will be responsible for the corrective action, when the action will be closed, and the status of the action.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.