Economic crisis puts pressure on FDIC computer systems
The Federal Deposit Insurance Corp. received generally good marks in the latest review of its IT security posture, but the Government Accountability Office found that security policies and controls were not consistently applied.
“Until all key elements of its information security program are fully implemented, FDIC may not have assurance that controls over its financial systems and information are appropriately designed and operating effectively,” GAO said it its report.
Part of the problem found in the FDIC’s Division of Resolutions and Receiverships was traced to the press of business created by the current financial crisis. The division developed IT processes independently to manage the large increase in bank failures and the extensive use of loss-sharing agreements resulting from the crisis. “In doing so, the division . . . had not used FDIC’s existing IT management framework . . . to develop and manage the process," the report said.
:State at odds with GAO over its pioneering security systemWireless networks still vulnerable to intruders
The resulting weaknesses in access and other security controls creates a risk that sensitive financial information is not adequately protected from misuse, improper disclosure or destruction, GAO concluded.
FDIC CFO Steven O. App said in a written response that the FDIC takes these concerns seriously, as is indicated by improvements in overall security noted by GAO. But rather than deal with the division’s security weaknesses with separate documentation and processes, it will continue to improve implementation of agency-wide policy within the division.
“FDIC is currently taking steps to improve role-based access control, data integrity, and configuration management on data repositories and shared network resources,” App wrote. “The process to review and improve controls began while the GAO audit team was on site and will continue through December 2011.”
FDIC since 2006 has insured deposits both in banks and savings and loan associations and also helps to oversee the stability of the institutions as well as manage losses and resolve banking failures. Because of these responsibilities, the “confidentiality, integrity, and availability of the sensitive information maintained on its systems are of paramount concern,” GAO said.
Significant deficiencies were found during GAO’s 2009 security audit, which had been resolved by 2010. The most recent assessment concluded that the remaining issues and the new issues identified did not constitute a material weakness or significant deficiency.
The FDIC had developed and documented a security program and had corrected or mitigated 26 of the 33 previously identified information security weaknesses. But risks had not been assessed, security controls documented, or support programs and data regularly tested. “Additionally, FDIC had not always implemented its policies for restricting user access or for monitoring the progress of security patch installation,” GAO found.
Specific weaknesses included:
· Strong passwords were not always required on financial systems and databases.
· User access to financial information was not reviewed according to policy.
· Financial information transmitted over and stored on its network was not always encrypted.
· Powerful database accounts and privileges were not always protected from unauthorized use.
· Privileges associated with incompatible duties were not always segregated.
· System configuration and patching was not always properly managed.
“FDIC has made significant progress in correcting or mitigating previously reported information security weaknesses, but other control weaknesses continue to unnecessarily put FDIC’s systems at an increased risk from internal and external threats,” GAO said.