Security weaknesses identified by congressional investigators in the Federal Deposit Insurance Corp.'s IT systems place critical FDIC financial information and sensitive bank examination information at risk of unauthorized disclosure, disruption of operations, and loss of assets.
Specifically, the General Accounting Office said in a 25-page report made public Friday that the FDIC has neither adequately limited the access granted to all authorized users nor completely secured access to its network. The risk created by these access weaknesses is heightened because the FDIC hasn't completed a program to fully monitor access activity to identify and investigate unusual or suspicious access patterns that could indicate unauthorized access. As a result, GAO said, critical financial and sensitive personnel and bank examination information is at risk.
A key reason for the FDIC's continuing weaknesses in information system (IS) controls, according to GAO, is that it hasn't yet fully established a comprehensive security-management program to ensure that effective controls are instituted and maintained, and that IT security receives significant management attention. The FDIC, which insures deposits at U.S. banks, only recently established a program to test and evaluate its computer-control environment. That program does not yet include adequate provisions to ensure that all key computer resources supporting the agency's financial environment are routinely reviewed and tested, that detected weaknesses are analyzed for systemic solutions, that corrective actions are independently tested, and that newly identified weaknesses or emerging security threats are incorporated into the testing and evaluation process.
GAO's conclusion was based on an audit conducted last year. It wasn't the first time the investigative and audit arm of Congress audited the FDIC's computer security. After audits in 2001 and 2002, the FDIC addressed nearly all the computer security weaknesses GAO pointed out. Yet, security weaknesses continued.
To establish an effective information system controls environment, GAO recommends that the FDIC's CIO, the agency's top manager for computer security, correct a number of IS weaknesses, including strengthening the testing and evaluation element of its computer-security-management program.
In a written response, FDIC CFO Steven App agreed with GAO's recommendations, saying the agency plans to correct the IS control weaknesses and strengthen the testing and evaluation elements of its computer-management program by Dec. 31. Already, App said, significant progress has been made in addressing the identified flaws.