FDIC Information Security: Progress Made but Existing Weaknesses Place Data at Risk

GAO-03-630 June 18, 2003
Highlights Page (PDF)   Full Report (PDF, 25 pages)   Accessible Text   Recommendations (HTML)

Summary

Effective controls over information systems are essential to ensuring the protection of financial and personnel information and the security and reliability of bank examination data maintained by the Federal Deposit Insurance Corporation (FDIC). As part of GAO's 2002 financial statement audits of the three FDIC funds, we assessed (1) the corporation's progress in addressing computer security weaknesses found in GAO's 2001 audit, and (2) the effectiveness of FDIC's controls.

FDIC has made progress in correcting information system controls since GAO's 2001 review. Of the 41 weaknesses identified that year, FDIC has corrected, or has specific action plans to correct, all of them. GAO's 2002 audit nonetheless identified 29 new computer security weaknesses. These weaknesses reduce the effectiveness of FDIC's controls to safeguard critical financial and other sensitive information. Based on our review, mainframe access was not sufficiently restricted, network security was inadequate, and a program to fully monitor access activities was not implemented. Additionally, weaknesses in areas including physical security, application software, and service continuity further increased the risk to FDIC's computing environment. The primary reason for these continuing weaknesses is that FDIC has not yet completed development and implementation of a comprehensive program to manage computer security across the organization. FDIC has, among other things, established a security management structure, but still has not fully implemented a process for assessing and managing risk on a continuing basis or an ongoing program of testing and evaluating controls. The corporation's acting chief information officer has agreed to complete actions intended to address GAO's outstanding recommendations by December 31, 2003.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow up work.

Director: No director on record
Team: No team on record
Phone: No phone on record

Recommendations for Executive Action
Recommendation: To establish an effective information system control environment, in addition to completing actions to resolve prior year weaknesses that remain open, the Chairman should instruct the acting CIO, as the corporation's key official for computer security, to correct the 29 information system control weaknesses related to mainframe access, network security, access monitoring, physical access, application software, and service continuity identified in our current (calendar year 2002) audit. We are also issuing a report designated for "Limited Official Use Only," which describes in more detail the computer security weaknesses identified and offers specific recommendations for correcting them.

Agency Affected: Federal Deposit Insurance Corporation

Status: Implemented

Comments: Based on its calendar year 2003 financial audit, GAO concluded that FDIC substantially completed actions to correct the 29 information system control weaknesses related to mainframe access, network security, access monitoring, physical access, application software, and service continuity identified in GAO's 2002 audit.

Recommendation: To establish an effective information system control environment, in addition to completing actions to resolve prior year weaknesses that remain open, the Chairman should instruct the acting CIO, as the corporation's key official for computer security, to fully develop and implement a computer security management program. Specifically, this would include (1) developing and implementing a process for performing risk assessments and (2) establishing an effective ongoing program of tests and evaluations to ensure that policies and controls are appropriate and effective.

Agency Affected: Federal Deposit Insurance Corporation

Status: Implemented

Comments: FDIC developed and implemented a computer security management program. Specifically, the corporation developed a framework for assessing and managing risk on a continuing basis. This framework specifies (1) how the assessments should be initiated and conducted, (2) who should participate in the assessments, (3) how disagreements should be resolved, (4) what approvals are needed, and (5) how these assessments should be documented and maintained. FDIC has performed risk assessments on all of its major systems. In addition, FDIC established an ongoing program of tests and evaluations to ensure that policies and controls are appropriate and effective. This program includes annual self-assessments of general and application controls and quarterly tests of information controls, including both network and mainframe systems.