Federal mortgage watchdog agency struggles with its information security

Federal Housing Finance Agency is weak on logical and physical access controls, GAO says

The Federal Housing Finance Agency, a fledgling organization created in 2008 to oversee federal mortgage activities, has not fully implemented an information security program, resulting in weaknesses in its information technology security, according to the Government Accountability Office.

“FHFA has made important progress in developing and documenting its policies and procedures for the agency’s information security program,” GAO concluded in its report. “However, policies, procedures, plans, and technical standards related to information security did not always reflect the current agency operating environment; and FHFA did not always effectively monitor its systems.”

GAO found that FHFA did not always maintain authorization records for network and system access, and did not enforce least-privilege policies for system and application users. It also did not have adequate physical security and environmental safety controls for facilities housing IT resources.

“Until the agency strengthens its logical access and physical access controls and fully implements an information security program that includes policies and procedures reflecting the current agency environment, increased risk exists that sensitive information and resources will not be sufficiently protected from inadvertent or deliberate misuse, improper disclosure, or destruction,” GAO concluded.

FHFA expects to have final access control procedures in place by June that will restrict access to administrators, application users and others authorized by the information owners.

“We are moving forward expeditiously to strengthen and complete implementation of FHFA’s information security program,” Acting Director Edward DeMarco wrote in response to the GAO findings.

The Housing and Recovery Act of 2008 established FHFA to oversee the Federal National Mortgage Association (Fannie Mae) and the Federal Home Loan Mortgage Corp. (Freddie Mac), and the government’s 12 federal home loan banks. It was created by merging the Federal Housing Finance Board and the Office of Federal Housing Enterprise Oversight. It is a small independent agency with about 430 employees.

“Fiscal year 2009 was a tremendously challenging year for FHFA,” DeMarco wrote. “In addition to the agency’s focus on stabilizing the housing market in the midst of financial market turmoil, FHFA was also creating the infrastructure for a new agency, including a new financial accounting system, new policies and procedures, and new internal controls.”

The agency has integrated its e-mail system, consolidated software licenses, eliminated many duplicated services, and unified its customer service operations. It also has implemented requirements for complex passwords and for two-factor authentication for remote access and has restricted wireless access inside its facilities.

In the area of physical security, the agency has effectively secured some sensitive areas and equipment and has taken steps to provide environmental safety. It has issued electronic badges to help control access to many of its sensitive and restricted areas and has drafted procedures for securing office space and protecting sensitive information.

But the physical controls are not complete, and “deficiencies in controlling logical access diminished the effectiveness of these controls and placed information resources at risk,” GAO found. The agency did not always maintain authorization records for network and system access, enforce the most restrictive access needed by users on shared network files and directories, or restrict access to sensitive resources. “Further, the agency has not yet developed, documented, and implemented sufficient policies and procedures to ensure that the activities performed by external third parties are monitored for compliance with FHFA’s policies,” GAO found.

GAO made a number of recommendations, with which DeMarco agreed, to improve the agency's logical and physical access controls and its information security program.
