Although the FDIC has made strides in mitigating previously identified weaknesses, the Government Accountability Office (GAO) determined in an August 2011 report that the organization still has work to do in that area.
The GAO addressed its report, "Information Security: Federal Deposit Insurance Corporation Has Made Progress, but Further Actions Are Needed to Protect Financial Data," to Martin Gruenberg, the FDIC's acting chairman. The report disclosed the results of an audit the GAO conducted to assess the effectiveness of the FDIC's information security controls.
The GAO found that the FDIC had not always:
- required strong passwords on financial systems and databases;
- reviewed user access to financial information in its document sharing system in accordance with policy;
- encrypted financial information transmitted over and stored on its network; and
- protected database accounts and privileges from unauthorized use.
The FDIC did, however, develop and document a security program that mitigated 26 of the 33 security weaknesses the GAO had identified in a previous audit. But the GAO found that the FDIC had not assessed risks, documented security controls, or conducted periodic testing of the programs and data used to support estimates of the losses and costs associated with servicing and disposing of a failed institution's assets.
“When an institution fails, they have to gather all the assets and try to sell them or get rid of them, and when they do that, those who buy it may incur loss and the loss is shared,” said Nabajyoti Barkakati, the GAO’s chief technologist.
Barkakati said the GAO released the public report and a second, restricted report to the FDIC with a more in-depth explanation of the audit and its analysis. He also noted the FDIC's improvements on the weaknesses identified in last year's audit.
In the public report, the GAO recommended that Gruenberg direct employees to implement security activities in the loss-share loss estimation process, including assessing and mitigating risks, managing program and database configuration, and making sure that data and programs can be recovered after disruptions. The public report also mentioned that the GAO was issuing 38 new recommendations to address 37 new findings in the private report.
The report included a letter signed by Steven App, the FDIC's deputy to the chairman and chief financial officer, with the FDIC's initial response to the audit's conclusions. App wrote that his organization had already begun reviewing and improving its internal controls while the GAO was conducting the audit, and that the process would continue through December.
“The FDIC is currently taking steps to improve role-based access control, data integrity and configuration management on data repositories and shared network resources that contain end-user commodity tools used to augment the loss-share estimation process,” App wrote.