FHFA Comes Up Short in GAO Audit

Controls Insufficient to Protect Confidentiality of Financial Data
Implementing security controls and implementing the proper security controls aren't always the same thing.

That's the problem at the Federal Housing Finance Agency, according to an audit by the Government Accountability Office. The controls the FHFA implemented during fiscal year 2009 were insufficient to protect the confidentiality, integrity and availability of financial information stored on and transmitted over its key financial systems, databases, and computer networks, the GAO said.

In particular, according to the audit, FHFA failed to consistently maintain authorization records for network and system access, enforce the most restrictive access needed by users on shared network files and directories, and enforce the most restrictive set of rights needed by users to perform their assigned duties. FHFA also didn't effectively implement physical protection and environmental safety controls over its facilities and information technology resources. GAO identified numerous instances in which FHFA facilities were not adequately secured and was able to obtain unauthorized access from outside agency facilities into the agency's interior space containing sensitive information and information technology equipment.

"A key reason for the control deficiencies in FHFA's financial system computing environment is that the agency has not yet fully implemented its agencywide information security program to ensure that controls are appropriately designed and operating effectively," GAO's Gregory Wilshusen, director of information security issues, and Nabajyoti Barkakati, director of the Center for Technology and Engineering, wrote in a 30-page report.

Other findings of the audit:

  • Written policies, procedures, and technical standards do not reflect the current operating environment.

  • The agency has not yet developed, documented and implemented sufficient policies and procedures to ensure that the activities performed by external third parties are monitored for compliance with FHFA's policies.

"Although these deficiencies were not considered significant deficiencies for financial reporting purposes, if left uncorrected they unnecessarily increase the risk that sensitive and financial information is subject to unauthorized disclosure, modification, or destruction," the GAO auditor reported.

GAO recommends that the acting director of the FHFA take steps to mitigate control deficiencies and fully implement a comprehensive information security program.

FHFA, in commenting on a draft of the GAO report, agreed with the findings and said it intends to address the identified deficiencies.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
