FDIC Cited for Repeated Security Weaknesses

Audit Report Finds Holes in Agency's Internal Security Management Practices
FDIC Cited for Repeated Security Weaknesses
The Federal Deposit Insurance Corporation (FDIC) has made progress with its internal security controls, but still needs to make significant improvements to its security management practices.

This is the key finding of a recent report issued by the Government Accountability Office (GAO) in an audit of the banking regulatory agency's 2007 financial statements (See full report: GAO: FDIC Sustains Progress but Needs to Improve Configuration Management of Key Financial Systems). According to Greg Wilshusen, GAO's director of Information Security Issues and author of the report, the FDIC, which examines and supervises about 5,250 U.S. banks, has made "significant progress" correcting 16 of 21 previously identified security weaknesses - including improving the physical security of its computer processing facility and procedures re: internal emails.

But there remain significant vulnerabilities that, in the GAO's estimation, "could limit the corporation's ability to effectively protect the confidentiality, integrity and availability of its financial systems and information."

Among these weaknesses:

Multiple FDIC users shared the same login ID and password, had unrestricted access to application source code, and used passwords that were not adequately encrypted;
FDIC did not adequately authorize, document, and report all configuration changes, or even perform configuration audits;
The agency did not adequately conduct configuration control testing or complete the remedial action plan in a timely manner; and did not include necessary and key information.

"Until FDIC fully performs key information security program activities," Wilshusen writes, "its ability to maintain adequate control over its financial systems and information will be limited."

FDIC 'One of the Better' Agencies
This report is an auxiliary statement to the larger audit completed on the FDIC by the GAO, which is responsible for auditing the financial statements of 24 federal agencies. As part of the audit process, the GAO conducts tests on the information security controls and system controls. "The GAO has the opportunity to follow up and check on their progress every year," Wilshusen says.

Wilshusen didn't want to compare the FDIC to other audited agencies, but says "The control weaknesses we identified at the FDIC did not rise to the level of a significant control deficiency, for the purposes of reporting on our audit report of their financial statements."

He adds that 20 out of the 24 agencies reported "significant deficiencies or weaknesses" in their information security controls. "{The FDIC} would be one of the better organizations in regards to implementing appropriate controls over its financial systems," Wilshusen says.

In response to the report, Ned Goldberg, Chief Information Security Officer of the FDIC, says the agency may disagree "here and there" in terms of the report, "but we take everything they say as something to be dealt with strongly."

Most of the cited weaknesses surround process issues, he says, adding that the FDIC has activities in place for every one of those areas.

As to how seriously the FDIC takes the GAO recommendations, Goldberg says, "Every year we close out most, if not all of GAO's findings or observations. We have a very aggressive information security program at the FDIC."

Each of these weaknesses should be completed before the next audit starts in October, Goldberg says.

Reaction: 'Little Bit Adverse'
Doug Johnson, Vice President and Senior Advisor, Risk Management Policy at the American Bankers Association, sees the GAO report as a "little bit adverse," but notes that it relates to the financial systems, rather than the information security within examination modules.

The FDIC does take its information security program seriously, Johnson says. "What we found is that they really practice what they preach," he explains, adding that the FDIC is responsive to GAO reports and he envisions that they will amend their program "pretty quickly."

Regarding some of the specific findings:

Shared Logins and Passwords -- "You're only as good as your weakest link," Johnson says. "The human factors of shared passwords and other related issues will require further education and training on the part of FDIC to make sure that it doesn't occur in the future."
The Need for Additional Security Training of FDIC staff -- "I don't think that we can say we are in a different boat than they are in," he says. "Employee awareness and education is always important."

Johnson does see a bright spot in the GAO report: The integrity of the FDIC's financial systems. "There is no indication or implication that somehow the veracity of the numbers associated with the FDIC's financial systems could be in question based on these information security findings," he says. This is important to the industry because the tabulation of those numbers has a direct bottom line impact to financial institutions, as they affect premiums paid to the FDIC by member institutions.

About the FDIC
The FDIC was created in 1933, charged with insuring deposits in banks and thrift institutions in response to the bank failures symptomatic of the Great Depression.

The agency directly examines and supervises its 5,250 institutions in such areas as safety and soundness, trust, information technology and compliance.

Receiving no federal budget, the FDIC is funded entirely by premiums that member institutions pay for deposit insurance coverage and from earnings on investments in U.S. Treasury securities. With an insurance fund totaling more than $49 billion, the FDIC insures more than $3 trillion of deposits in U.S. institutions.

Headquartered in Washington, D.C., the FDIC currently employs about 4,500 people in six regional offices and in field offices around the country.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.