FDIC dinged again for inadequate infosec

GAO finds that the Federal Deposit Insurance Corporation needs to improve its information security controls and do more to separate its financial systems from the rest of its network.

The Federal Deposit Insurance Corporation needs to improve its information security controls, and do more to separate its financial systems from the rest of its network, according to a recent Government Accountability Office report.

FDIC "relies extensively" on computerized systems to store sensitive financial information and to carry out its mission to enforce banking laws, regulate banking institutions and protect customers, auditors wrote.

And while FDIC has made some progress in shoring up its systems, auditors noted that resolving the remaining information security weaknesses is essential if the agency is to carry out that mission.

The remaining weaknesses represent "a significant deficiency in FDIC's internal control over financial reporting systems," and increase the risk of improper data access, the report states.

GAO reported that the "underlying reason for many of the information security weaknesses" was that six previous recommendations -- two regarding access controls, one regarding the information security program and three "other controls" -- remain unfulfilled.

Specifically, auditors found that FDIC did not consistently implement controls over authorization, that the agency's review process did not include all accounts on the mainframe and that one-fifth of accounts had privileges that had not received authorization from users' supervisors.
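The two access-control gaps described above (a review that does not cover every account on the system, and privileges held without a supervisor's sign-off) are the kind of thing a periodic access recertification is meant to catch. The following is an added illustration of such a reconciliation, not FDIC's or GAO's process or data: the account export, approval records, reviewed-account list, supervisor IDs and privilege names are all constructed here, and the coincidence that one-fifth of the sample accounts fail the check is deliberate for illustration.

```python
"""Access-recertification reconciliation (added example with constructed data).

Inputs a practitioner would pull from the system itself, not from the review's
own paperwork:
  ACCOUNTS  - every account on the system and the privileges it actually holds
  APPROVALS - supervisor approval records the review process has on file
  REVIEWED  - accounts the most recent periodic review actually examined

The reconciliation answers the two questions the audit raised:
  1. Did the review cover every account?
  2. Which privileges lack a supervisor's authorization, and what share of
     accounts is affected?
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user_id: str
    privileges: frozenset


@dataclass(frozen=True)
class Approval:
    user_id: str
    privilege: str
    approved_by: str  # supervisor who signed off (constructed IDs)


# Constructed account export: ten accounts, generic privilege names.
ACCOUNTS = [
    Account("ALICE01", frozenset({"READ", "UPDATE"})),
    Account("BOB02", frozenset({"READ"})),
    Account("CAROL03", frozenset({"READ", "UPDATE", "SPECIAL"})),
    Account("DAVE04", frozenset({"READ"})),
    Account("ERIN05", frozenset({"READ", "OPERATIONS"})),
    Account("FRANK06", frozenset({"READ"})),
    Account("GRACE07", frozenset({"READ", "UPDATE"})),
    Account("HEIDI08", frozenset({"READ"})),
    Account("IVAN09", frozenset({"READ", "AUDITOR"})),
    Account("JUDY10", frozenset({"READ"})),
]

# Constructed approval records. CAROL03's SPECIAL and IVAN09's AUDITOR
# privileges have no approval on file.
APPROVALS = [
    Approval("ALICE01", "READ", "SUP-A"),
    Approval("ALICE01", "UPDATE", "SUP-A"),
    Approval("BOB02", "READ", "SUP-A"),
    Approval("CAROL03", "READ", "SUP-B"),
    Approval("CAROL03", "UPDATE", "SUP-B"),
    Approval("DAVE04", "READ", "SUP-B"),
    Approval("ERIN05", "READ", "SUP-C"),
    Approval("ERIN05", "OPERATIONS", "SUP-C"),
    Approval("FRANK06", "READ", "SUP-C"),
    Approval("GRACE07", "READ", "SUP-A"),
    Approval("GRACE07", "UPDATE", "SUP-A"),
    Approval("HEIDI08", "READ", "SUP-B"),
    Approval("IVAN09", "READ", "SUP-C"),
    Approval("JUDY10", "READ", "SUP-C"),
]

# Constructed review scope: the last review skipped two accounts.
REVIEWED = {"ALICE01", "BOB02", "CAROL03", "DAVE04",
            "ERIN05", "FRANK06", "GRACE07", "HEIDI08"}


def unreviewed_accounts(accounts, reviewed):
    """Coverage check: accounts present on the system that the review skipped."""
    return sorted(a.user_id for a in accounts if a.user_id not in reviewed)


def unauthorized_privileges(accounts, approvals):
    """Per account, the privileges held without a supervisor approval record."""
    approved = {}
    for ap in approvals:
        approved.setdefault(ap.user_id, set()).add(ap.privilege)
    gaps = {}
    for acct in accounts:
        missing = acct.privileges - approved.get(acct.user_id, set())
        if missing:
            gaps[acct.user_id] = sorted(missing)
    return gaps


def unauthorized_share(accounts, approvals):
    """Fraction of accounts holding at least one unauthorized privilege."""
    if not accounts:
        return 0.0
    return len(unauthorized_privileges(accounts, approvals)) / len(accounts)


def reconcile(accounts=ACCOUNTS, approvals=APPROVALS, reviewed=REVIEWED):
    """Run both checks and return the findings as one report dictionary."""
    return {
        "unreviewed": unreviewed_accounts(accounts, reviewed),
        "unauthorized": unauthorized_privileges(accounts, approvals),
        "unauthorized_share": unauthorized_share(accounts, approvals),
    }


if __name__ == "__main__":
    report = reconcile()
    print("Accounts the review skipped:", report["unreviewed"])
    print("Privileges without supervisor approval:", report["unauthorized"])
    print(f"Share of accounts affected: {report['unauthorized_share']:.0%}")
```

The point of building the account list from the system export rather than from the review's own records is that an account the review never saw (IVAN09 in the constructed data) is exactly where an unapproved privilege goes unnoticed; the coverage check and the authorization check have to run against the same complete population.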

GAO noted that because FDIC lacked a complete inventory of its IT assets, the agency could not consistently apply management controls to track them. Further, GAO noted that FDIC still falls short of having a FISMA-compliant information security program and still has shortcomings in its incident response process -- particularly in identifying and reporting security incidents in a timely manner.

GAO also reported that FDIC lacked strong encryption on connections to its main network.

Sensitive data, including user IDs and passwords, "continue to be transmitted over the network in clear text, exposing them to potential compromise," auditors wrote.

Additionally, FDIC did not scan all of its servers for vulnerabilities, nor did the agency review changes to critical files at a granular enough level to identify which accounts were making the changes.

This is not the first time security at FDIC has attracted the attention of oversight bodies. The agency topped the Office of Management and Budget's Federal Information Security Modernization Act report for fiscal year 2016, tallying 10 of 16 major information security incidents.

In this report, GAO recommended that FDIC update its procedure for granting users access and detail the duties and steps needed to ensure that access is granted by the proper supervisors. In a separate report, GAO made six further recommendations to bolster internal controls over financial reporting data, systems and networks.

FDIC agreed with the recommendations, and stated that corrective actions will be completed by July 2017.