04:50 PM

GAO: FDIC Security Weaknesses Put Key Data At Risk

The General Accounting Office says in a report that the agency hasn't adequately limited the access granted to all authorized users or completely secured access to its network.

Security weaknesses identified by congressional investigators in the Federal Deposit Insurance Corp.'s IT systems place critical FDIC financial and sensitive examinations information at risk of unauthorized disclosure, disruption of operations, and loss of assets.

Specifically, the General Accounting Office said in a 25-page report made public Friday that the FDIC has neither adequately limited the access granted to all authorized users nor completely secured access to its network. The risk created by these access weaknesses is heightened because the FDIC hasn't completed a program to fully monitor access activity to identify and investigate unusual or suspicious access patterns that could indicate unauthorized access. As a result, GAO said, critical financial and sensitive personnel and bank examination information is at risk.

A key reason for the FDIC's continuing weaknesses in IS controls, according to GAO, is that it hasn't yet fully established a comprehensive security-management program to ensure that effective controls are instituted and maintained, and that IT receives significant management attention. The FDIC, which insures deposits at U.S. banks, only recently established a program to test and evaluate its computer-control environment. This program has yet to include adequate provisions to ensure that all key computer resources supporting the agency's financial environment are routinely reviewed and tested, weaknesses detected are analyzed for systemic solutions, corrective actions are independently tested, and newly identified weaknesses or emerging security threats are incorporated into the testing and evaluation process.

GAO's conclusion was based on an audit conducted last year. It wasn't the first time the investigative and audit arm of Congress audited the FDIC's computer security. After audits in 2001 and 2002, the FDIC addressed nearly all the computer security weaknesses GAO pointed out. Yet, security weaknesses continued.

To establish an effective information system controls environment, GAO recommends that the FDIC's CIO, the agency's top manager for computer security, correct a number of IS weaknesses, including strengthening the testing and evaluation element of its computer-security-management program.

In a written response, FDIC CFO Steven App agreed with GAO's recommendations, saying the agency plans to correct the IS control weaknesses and strengthen the testing and evaluation elements of its computer-management program by Dec. 31. Already, App said, significant progress has been made in addressing the identified flaws.
