The Federal Deposit Insurance Corporation must update its IT security systems, according to a new audit from the Government Accountability Office.
The GAO found that the banking regulator does not adequately separate its financial systems from other areas of the network, nor does it “ensure that users would be held accountable for the use of a key privileged account, or establish a single, accurate listing of all IT assets in its environment.”
Ultimately, the recommendation handed down from the GAO requested that FDIC Chairman Martin J. Gruenberg direct the corporation’s CIO to “update the procedure for granting access to the key financial application, to include responsibilities and steps for ensuring that the access privileges granted have been approved by the users’ supervisor.”
The GAO surveyed the FDIC’s financial and information systems as a part of an annual audit but comes just more than a year after an employee leaving the agency inadvertently downloaded the the banking information of 44,000 customers to a personal device. The FDIC is an independent agency whose primary function is to insure deposits at U.S. banks.
The congressional watchdog also evaluated the FDIC’s ability to protect and access its sensitive data, noting that the agency has begun to implement a security framework. The report said the FDIC defined security categories, assessed the risk of control deficiencies and conducted a disaster recovery test of its support systems and critical applications.
The GAO found issue, however, with the FDIC’s failure to fully integrate and implement security and control deficiencies.
The FDIC failed to act on the Office of the Inspector General’s finding that the corporation sometimes unnecessarily delayed identifying and reporting on “major security incidents,” and excluded crucial information from procedures relating to key financial applications.
All together, these shortcomings represent an “increased risk of inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction” of the financial information and resources of the FDIC.
A separate GAO report, not available to the public, included six additional recommendations for the FDIC, which addressed new vulnerabilities in configuration management and access, a spokesperson told FedScoop.