FDIC lacks a comprehensive IT security program, GAO finds
- By William Jackson
- Jun 01, 2004
The latest audit of the Federal Deposit Insurance Corp. revealed weaknesses in network access controls that could expose sensitive information to risk, according to the General Accounting Office.
FDIC has been playing catch-up with IT security, correcting problems found in earlier annual audits. But a lack of adequate oversight has resulted in new vulnerabilities continuing to surface, GAO concluded.
'A key reason for FDIC's continuing weaknesses in information system controls is that it had not yet fully established a comprehensive security management program,' the report
FDIC has begun putting a testing and evaluation program in place, and pledged by the end of the year to:
- Ensure key financial IT systems are routinely reviewed and tested
- Analyze new weaknesses for systematic solutions
- Independently test all corrective actions
- Incorporate newly discovered weaknesses into the testing and evaluation process.
'We understand that a sustained effort is needed through substantial resources and strong executive involvement' to correct the problems, chief financial officer Steven A. App said in his response to the audit.
FDIC oversees deposit insurance programs for 9,200 federally regulated banks, and savings and loan associations. The programs have assets of $49.5 billion insuring more than $3.3 trillion in deposits.
GAO's evaluation of IT controls was part of the corporation's regular financial statement audit for 2003. Earlier audits in 2001 and 2002 had identified 70 IT security problems. GAO praised FDIC for having corrected 69 of these, but found additional problems.
Most of these problems involved access control, including:
- Many users with unnecessary access to production systems
- Improper access to a key user ID and password that would allow transfer of data
- Unrestricted read access for many users to sensitive bank information.
'Access vulnerabilities continue because the corporation has not yet fully established a process for reviewing the appropriateness of individual access privileges,' the audit found.
It also found that FDIC was not keeping up with patching vulnerabilities in the corporation's networks, a common problem in enterprises both in and out of government.
William Jackson is a Maryland-based freelance writer.