Audit Slams FDIC for Inadequate Mobile Device Security
OIG Outlines Shortcomings, Recommends Fixes
The Federal Deposit Insurance Corp. has failed to properly update its policies for mobile device usage, conduct regular control assessments of its mobile device management solution or adequately log and monitor mobile cybersecurity practices, according to a new report from the FDIC's Office of the Inspector General.
The FDIC, which deploys nearly 4,600 smartphones and more than 150 tablets to its employees and contractor personnel, was only partially effective in awareness training, billing analysis and configuration management, according to the audit, which covered the period from July 2019 to April 2021. But the report says it implemented effective controls in the areas of asset management, incident response and data protection.
Improvement Needed
OIG auditors made nine recommendations to the FDIC. For example, they recommended the agency:
- Fully assess risks, establish policies and guidance consistent with NIST and require signed service agreements;
- Define roles, responsibilities and procedures for MDM log reviews and routinely report device usage information to business units, suspending or terminating devices no longer used;
- Develop and implement written roles, responsibilities and procedures for testing mobile software updates.
The FDIC concurred with all nine OIG recommendations and plans to complete corrective actions by May 30, 2022.
Policies and Procedures
The FDIC's mobile security policies, procedures and guidance, the report finds, did not reflect current business practices, nor did they mirror important NIST guidance.
The agency did not properly implement a BYOD program or adequately address the risks associated with personal use of FDIC-furnished devices, the report notes.
In May 2019, the FDIC began allowing its bank examiners the option of using personal smartphones for work, the report notes. The FDIC developed a set of "frequently asked questions" about BYOD security requirements, but it failed to adopt a written policy, it adds.
In addition, the agency has not defined "acceptable use" of mobile applications, and many employees have downloaded non-work-related apps, the OIG audit determined. That creates a security risk because some apps can track, access and share a user's activity for third-party use.
Logging and Monitoring
The report also states that the FDIC's logging and monitoring practices were not guided by written procedures and did not provide for adequate separation of duties.
"The absence of written procedures for reviewing audit logs increased the operational risk associated with staff turnover because [the agency's Division of Information Technology] was dependent on the knowledge and experience of a key administrator to perform this function," the report states.
Software Testing
The OIG report says the agency did not test software updates for its mobile devices before users downloaded and installed them.
"The approach presents an operational risk that users will install a software update that causes a widespread IT interoperability issue," auditors say.
For example, the report says that after an OS software update was installed on certain smartphones in 2019, some users were not able to connect their work laptops to the agency's network through the device's mobile hot spot. That's because the updated software was not fully compatible with the software on the FDIC's laptops.
"Had [the agency] completed its functional testing before allowing users to download the software update, [it] could have identified and remediated the hot spot connectivity issue before users started calling the help desk," the OIG states.
Auditors recommended the FDIC configure its MDM solution to prevent users from downloading and installing updates until they are properly tested.
Although the agency has since implemented a three-day download/install delay to allow time for testing, auditors say the change has not been reflected in the FDIC's policies.
Training and Reporting
Although the FDIC requires employees to complete annual information security and privacy training, auditors found the program contained limited information on mobile device threats, including the use of unsecured public Wi-Fi, and how to identify suspicious activity. The auditors recommend adherence to NIST's Mobile Threat Catalog.
The OIG report says the FDIC also did not routinely report usage information for its mobile devices and mobile Wi-Fi hot spot routers to business units, including information on zero usage, which potentially presents a wider attack surface.
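One way to produce the per-business-unit usage report the auditors describe, with zero-usage devices flagged for suspension review, as an added example that is not part of the OIG report or the FDIC's own tooling. The MDM export layout, field names, unit names and the 90-day idle threshold are all assumptions.

```python
"""Added example (not from the OIG report or the FDIC): build a per-business-unit
mobile device usage report from a constructed MDM inventory export and flag
zero-usage devices that have gone idle, so they can be suspended or terminated."""
from datetime import date, timedelta

# Constructed sample MDM export (illustrative values only): device id, the business
# unit the device is assigned to, last MDM check-in date, and cellular data used
# (MB) during the reporting period. Ids starting with HOT- are hot spot routers.
MDM_EXPORT = [
    {"device_id": "DEV-001", "unit": "RMS",   "last_checkin": "2021-04-10", "data_mb": 812},
    {"device_id": "DEV-002", "unit": "RMS",   "last_checkin": "2020-11-02", "data_mb": 0},
    {"device_id": "HOT-003", "unit": "DIT",   "last_checkin": "2021-03-30", "data_mb": 0},
    {"device_id": "DEV-004", "unit": "DIT",   "last_checkin": "2021-01-15", "data_mb": 25},
    {"device_id": "HOT-005", "unit": "Legal", "last_checkin": "2020-09-01", "data_mb": 0},
]


def usage_report(records, as_of, idle_days=90):
    """Group devices by business unit. Any device with zero data usage is listed
    under 'zero_usage'; those that also have not checked in within idle_days are
    listed under 'suspend' as candidates for suspension or termination."""
    cutoff = as_of - timedelta(days=idle_days)
    report = {}
    for rec in records:
        unit = report.setdefault(rec["unit"], {"total": 0, "zero_usage": [], "suspend": []})
        unit["total"] += 1
        if rec["data_mb"] == 0:
            unit["zero_usage"].append(rec["device_id"])
            # Zero usage plus a stale check-in is the strongest signal the device
            # is no longer in service and should not stay enrolled and reachable.
            if date.fromisoformat(rec["last_checkin"]) < cutoff:
                unit["suspend"].append(rec["device_id"])
    return report


if __name__ == "__main__":
    # Report as of the end of the audit period covered in the article.
    for unit, row in usage_report(MDM_EXPORT, date(2021, 4, 30)).items():
        print(f"{unit}: {row['total']} devices, zero usage {row['zero_usage']}, "
              f"recommend suspension {row['suspend']}")
```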
The FDIC's CIO and CPO, Sylvia Burns, wrote to the OIG, concurring with the findings.
"The issues identified in the report represent opportunities for the FDIC to improve the mobile device management program and better ensure policies and procedures are applied consistent with OMB policy, NIST guidance, and internal security policies," Burns wrote.
An FDIC spokesperson declined to comment further on the OIG's findings.