Bank regulator still has security holes in IT systems, GAO find
FDIC moves to tighten access controls and improve continuous monitoring
- By William Jackson
- Dec 02, 2010
The Federal Deposit Insurance Corporation is tightening access controls on its IT systems and databases and strengthening its continuous monitoring program to correct information system security weaknesses identified by the Government Accountability Office.
In a recent follow-up study of the bank regulator, GAO found that although FDIC has made progress in implementing its security program, key information security program activities still had holes in them, leaving some areas at risk.
“FDIC did not always fully implement key information security program activities, such as effectively developing, documenting, and implementing security policies, and implementing an effective continuous monitoring program,” GAO said in its report. “Until these weaknesses and program deficiencies are corrected, the corporation will not have sufficient assurance that its financial information and assets are adequately safeguarded from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction.”
Federal mortgage watchdog agency struggles with its information security
US-CERT systems riddled with vulnerabilities, audit finds
FDIC CFO Steven App, in response to GAO's recommendations, said FDIC would have access control improvements in place by March 31, 2011, and that plans documenting the current status of the continuous monitoring system and describing near-term improvements will be laid out by June 30. FDIC acquired monitoring tools this year that now are being phased in.
“FDIC recognizes that a continuous monitoring program, by its very nature, is an evolving program and will continue to build upon the processes now in place by targeting the highest risk areas,” App wrote.
The GAO study found that FDIC had mitigated information security weaknesses identified in earlier audits in 2007 and 2009, which GAO concluded were significant deficiencies. But new shortcomings were identified this year. Specifically, FDIC did not always:
- Sufficiently restrict user access to systems.
- Ensure strong system boundaries.
- Consistently enforce strong controls for identifying and authenticating users.
- Encrypt sensitive information.
- Audit and monitor security-relevant events.
Despite inconsistencies, FDIC has implemented elements of a configuration management process, GAO found. It has documented policy and procedures for identifying systems and elements for controlling configuration changes and has developed a change request process and a baseline for its systems. But FDIC did not always implement key configuration management controls. There were critical end-of-life systems not supported by their manufacturers, so that patches or updates for emerging threats were not available. Patch levels for third-party software running on two Unix servers were not current, and an obsolete version of third-party software was running on a Windows server.
GAO specifically recommended that FDIC develop and document policies and procedures for assigning access to systems and databases where application controls could be compromised. It also urged FDIC to complete the implementation of an effective continuous monitoring program.