Information Security: Federal Deposit Insurance Corporation Needs to Sustain Progress Improving Its Program

GAO-07-351 May 18, 2007

Summary

The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. As part of its audit of the calendar year 2006 financial statements, GAO assessed (1) the progress FDIC has made in correcting or mitigating information security weaknesses previously reported and (2) the effectiveness of FDIC's system integrity controls to protect the confidentiality and availability of its financial information and information systems. To do this, GAO examined pertinent security policies, procedures, and relevant reports. In addition, GAO conducted tests and observations of controls in operation.

FDIC has made substantial progress in correcting previously reported weaknesses in its information security controls. Specifically, it has corrected or mitigated 21 of the 26 weaknesses that GAO had reported as unresolved at the completion of the calendar year 2005 audit. Actions FDIC has taken include developing and implementing procedures to prohibit the transmission of mainframe user and administrator passwords in readable text across the network, implementing procedures to change vendor-supplied accounts and passwords, and improving mainframe security monitoring controls. Although FDIC has made important progress improving its information system controls, old and new weaknesses could limit the corporation's ability to effectively protect the integrity, confidentiality, and availability of its financial and sensitive information and systems. In addition to the five previously reported weaknesses that are in the process of being mitigated, GAO identified new weaknesses in controls related to (1) e-mail security, (2) physical security, and (3) configuration management. Although these weaknesses do not pose a significant risk of misstatement of the corporation's financial statements, they do increase preventable risk to the corporation's financial and sensitive systems and information. In addition, FDIC has not fully integrated its new financial system--the New Financial Environment (NFE)--into its information security program. For example, it did not fully implement key control activities for the NFE. Until FDIC fully integrates the NFE with the information security program, its ability to maintain adequate system controls over its financial and sensitive information will be limited.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow up work.

Director: Gregory C. Wilshusen
Team: Government Accountability Office: Information Technology
Phone: (202) 512-6244

Recommendations for Executive Action

Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should require that e-mail containing or transmitting accounting data be secured to protect the integrity of the accounting data. This should be performed in a timely manner.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should train security personnel to implement the corporation's policy on physical security of the facility. This should be performed in a timely manner.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should instruct FDIC personnel to lock rooms that contain sensitive software. This should be performed in a timely manner.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should develop a configuration item index of all configuration items for NFE using a consistent and documented naming convention. This should be performed in a timely manner.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should require that significant changes to the system, such as parameter changes, go through a formal change management process. This should be performed in a timely manner.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should implement patches in a timely manner.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should require that the NFE project team review status accounting reports and perform complete functional and physical configuration audits. This should be performed in a timely manner.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should adequately control the NFE documents so that they are up-to-date and accurately reflect the current environment. This should be performed in a timely manner.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should update the NFE risk assessment to include the risk associated with vulnerabilities identified during security testing and evaluation. This should be performed in a timely manner.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should update the NFE security plan to clearly identify all common security controls. This should be performed in a timely manner.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should develop procedures to review events occurring in the NFE to determine whether the events are computer security incidents. This should be performed in a timely manner.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In order to sustain progress to its program, the FDIC Chief Financial Officer and Chief Operating Officer should update the contingency plan to reflect the new disaster recovery site and servers that are in use. This should be performed in a timely manner.

Agency Affected: Federal Deposit Insurance Corporation

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.