
InfoBytes Blog

Financial Services Law Insights and Observations

GAO Report Addresses Weaknesses in FDIC Information Security Controls

FDIC GAO

Privacy, Cyber Risk & Data Security

On June 29, the GAO published a report titled “Information Security: FDIC Implemented Controls over Financial Systems, but Further Improvements are Needed.” According to the report, despite recent efforts to implement effective information security controls to protect sensitive information and systems, the FDIC “continues to have unremediated weaknesses.”

After examining the FDIC’s security systems, the GAO found that the FDIC’s user-authorization controls, although improved, remain vulnerable because the corporation failed to (i) implement an effective process for performing periodic reviews of user access rights; (ii) consistently disable inactive accounts; (iii) regularly document authorized modifications to user access; and (iv) identify authorization and recertification deficiencies. The report emphasizes that these weaknesses in user-authorization controls “increase the risk that individuals may have greater access to financial data” than necessary.

The report further notes that the corporation failed to fully implement, among other things, (i) encryption compliant with Federal Information Processing Standards Publications for all mainframe connections; (ii) effective audit and monitoring controls; (iii) procedures for controlling physical access to its facilities; and (iv) management controls over the security features of all hardware and software components, so that changes made over a system’s life cycle are controlled.

The GAO recommends that the FDIC improve its information security program by updating and implementing “access control procedures” and by implementing additional monitoring of its “critical files.”