GAO Identifies Weakness in FDIC InfoSecAuditors Also Note Problems at Treasury Unit Managing U.S. Debt
Two separate audits by the Government Accountability Office show information security weaknesses at the Federal Deposit Insurance Corp. and significant deficiencies in information system controls at the Treasury Department unit that manages the federal debt.
The FDIC, the government-owned corporation that insures bank deposits, failed to fully implement controls to authenticate its system users' identities, restrict access to sensitive systems and data, encrypt sensitive data, complete background re-investigations for employees and audit and monitor system access, according to the report issued late last week.
GAO says the shortcomings do not constitute a material weakness or significant deficiency for financial reporting purposes. "Nevertheless," auditors say, "unless FDIC takes further steps to mitigate these weaknesses, the corporation's sensitive financial information and resources will remain exposed to unnecessary risk of inadvertent or deliberate misuse, improper modification, unauthorized disclosure or destruction."
The report says an underlying reason for many of these weaknesses is that FDIC failed to fully or consistently implement aspects of its information security program. Specifically, the GAO says, FDIC did not fully document and implement information security controls, ensure that employees and contractors received security awareness training, conduct continuing assessments of security controls for all systems and remediate agency identified weaknesses in a timely manner.
GAO, the investigative arm of Congress, recommends FDIC's CIO do a more thorough job documenting security controls; maintain a description for each common control in an appropriate document; ensure that those with administrative-level access have completed the requisite rules-of-behavior training; and perform control assessments for the Federal Financial Institutions Examination Council central data depository and data communications.
FDIC Chief Financial Officer Steven App says the agency concurs with the recommended corrective actions and will complete them by Dec. 31.
Bureau of Fiscal Service
In a July 18 letter to Sheryl Morrow, commissioner of Treasury's Bureau of the Fiscal Service, Gary Engel, GAO director of financial management and assurance, says GAO examiners identified a "significant deficiency" in Fiscal Services' internal control over financial reporting. This deficiency does not create a material weakness but is important enough to merit the attention of those who run the Treasury unit, Engel says.
In its audit of fiscal year 2013 information systems controls, GAO identified 14 general control deficiencies related to security management, access control and configuration management.
Details about the deficiencies were contained in a private report sent to Morrow.
"These new and continuing deficiencies impair management's ability to obtain reasonable assurance regarding the effectiveness of controls, including change management controls, and increase the risk of unauthorized access, modification, or disclosure of sensitive data and programs, which could result in the disruption of critical operations and therefore warrant the attention and action of management," Engel says.
Morrow acknowledges the deficiencies in a private message to GAO and pledges to move forward to address them, according to the report.