GAO: FDIC Fiscal Data at RiskAuditors See Improvements But More Must Be Done
GAO said FDIC had made progress in correcting or mitigating previously reported weaknesses and had implemented compensating management and reconciliation controls during 2010. Auditors concluded that FDIC had resolved the significant deficiency in internal control over financial reporting related to information security reported in GAO's 2009 audit.
"That that the remaining unresolved issues and the new issues identified did not individually or collectively constitute a material weakness or significant deficiency in 2010," the 22-page report said. "However, if left unaddressed, these issues will continue to increase FDIC's risk that its sensitive and financial information will be subject to unauthorized disclosure, modification or destruction."
GAO said FDIC hasn't always implemented key information security program activities, an underlying reason for IT security weakness at the agency. "To its credit," the audit said. "FDIC had developed and documented a security program and had completed actions to correct or mitigate 26 of the 33 information security weaknesses that were previously identified by GAO."
But, GAO said, the FDIC hadn't assessed risks, documented security controls or performed periodic testing on the programs and data used to support the estimates of losses and costs associated with the servicing and disposal of the assets of failed institutions. In addition, auditors pointed out that the FDIC hadn't always implemented its policies for restricting user access or for monitoring the progress of security patch installation.
FDIC has implemented controls to detect and change default user accounts and passwords in vendor-supplied software, restricted access to network management servers, developed and tested contingency plans for major systems, and improved mainframe logging controls. Still, GAO said, the corporation hadn't always:
- Required strong passwords on financial systems and databases.
- Reviewed user access to financial information in its document sharing system in accordance with policy.
- Encrypted financial information transmitted over and stored on its network.
- Protected powerful database accounts and privileges from unauthorized use.
Other weaknesses existed in FDIC's controls that were intended to appropriately segregate incompatible duties, manage system configurations and implement patches, GAO said.
GAO recommended that FDIC take two actions to enhance its comprehensive information security program by:
- Developing, documenting and implementing appropriate information security activities in the loss-share loss estimation process, such as assessing and mitigating risks, managing and controlling the configurations of programs and databases, evaluating the effectiveness of security controls and ensuring that data and programs can be recovered after a disruption.
- Having the FDIC chief information officer to work with the external web service provider to obtain a more timely delivery of the provider's SSAE 16 report or other means of assurance of internal controls. (Independent auditors typically prepare SSAE 16 reports after reviewing the controls relevant to user's internal controls over financial reporting.)
In a written response, FDIC Chief Financial Officer Steven App said the FDIC has taken action or plans to review and improve controls over the loss-share loss estimation process, to obtain timely delivery of appropriate audit reports from current and future service providers and to conduct additional due diligence activities to obtain assurance of the service provider's internal controls.