Audit: Vulnerabilities, poor monitoring hurting FDIC’s security



The Federal Deposit Insurance Corp. lacks encryption to protect user IDs and passwords, according to a watchdog audit released Wednesday.

Even though the FDIC’s cybersecurity has greatly improved in recent years, it hasn’t done enough, according to a Government Accountability Office report.

The corporation currently suffers from vulnerable data and poor oversight, hurting its ability to ensure “confidentiality, integrity, and availability of its information and information systems,” the audit said.

“By mitigating known information security weaknesses and ensuring that information security controls are consistently applied, FDIC could continue to reduce risks and better protect its sensitive financial information and resources from inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction,” the report said. 

Those weaknesses, however, are not severe enough to be considered “a material weakness or a significant deficiency for financial reporting purposes,” the audit found. Instead, the issues should give FDIC “limited assurance” in its sensitive financial info.

The audit comes a year after the FDIC reviewed its security policies and strategies to improve user access rights and increase its vulnerability defense. 

Many of the problems GAO found relate to the FDIC’s oversight and management of its information security office. According to the report, the FDIC does not have an effective process to review user access rights, cannot disable certain user accounts for financial systems and ineffectively monitors security logs. In one case, the FDIC failed to remove data center access for four individuals in a timely manner after a review discovered they shouldn’t have had those controls.

Furthermore, the FDIC has yet to address nine of the 16 recommendations from a 2014 report by the government watchdogs. 

The report recommends the FDIC update its policies behind security monitoring and access rights. The corporation agreed, promising to complete part of it by later this year.

“FDIC recognizes the important role a strong information security program plays in maintaining good fiscal management and remains dedicated to strengthening this area of its operations,” Steven App, FDIC deputy to the chairman and CFO, said in a response letter to GAO. 

Follow the reporter on this story on Twitter @JeremyM_Snow.
