FDIC's IT Systems at Elevated Risk
GAO: FDIC Failed to Implement Key IT Security Programs
That's according to Tuesday's Government Accountability Office report, Federal Deposit Insurance Corporation Needs to Mitigate Control Weaknesses, which also cited unauthorized modification or destruction of financial information, inappropriate disclosure of other sensitive information and disruption of critical operations as risks facing the FDIC's systems.
The FDIC also failed to sufficiently implement access and other controls intended to protect the confidentiality, integrity and availability of its financial systems and information. For example, GAO said, the FDIC didn't always:
- Sufficiently restrict user access to systems,
- Ensure strong system boundaries,
- Enforce consistently strong controls for identifying and authenticating users,
- Encrypt sensitive information, or
- Audit and monitor security-relevant events.
The 29-page audit also said the FDIC didn't have policies, procedures and controls to ensure the appropriate segregation of incompatible duties, adequately manage the configuration of its financial information systems and update contingency plans.
"A key reason for these weaknesses is that FDIC did not always fully implement key information security program activities such as effectively developing, documenting, and implementing security policies, and implementing an effective continuous monitoring program," wrote Gregory Wilshusen, GAO director of information security issues. "Until these weaknesses and program deficiencies are corrected, the corporation will not have sufficient assurance that its financial information and assets are adequately safeguarded from inadvertent or deliberate misuse, fraudulent use, improper disclosure or destruction."
Still, Wilshusen credited the FDIC for its past efforts, saying the organization that insures bank deposits mitigated each of the IT security weaknesses previously reported by GAO. "To its credit," Wilshusen said, "the corporation has made improvements to its configuration management controls and aspects of its security management."
GAO recommended that the FDIC improve key information security activities to enhance the corporation's information security program. The FDIC generally agreed with the recommendations and told GAO that it plans to address the identified weaknesses.