INFORMATION SECURITY: FDIC Needs to Improve Controls over Financial Systems and Information
GAO-17-436: Published: May 31, 2017. Publicly Released: May 31, 2017.
What GAO Found
The Federal Deposit Insurance Corporation (FDIC) implemented numerous information security controls intended to protect its key financial systems. However, further actions are needed to address weaknesses in access controls—including boundary protection, identification and authentication, and authorization controls—and in configuration management controls. For example, the corporation did not sufficiently isolate financial systems from other parts of its network, ensure that users would be held accountable for the use of a key privileged account, or establish a single, accurate listing of all IT assets in its environment.
The corporation established a comprehensive framework for its information security program and implemented many aspects of its program. For example, FDIC (1) defined security categories for the general support systems we reviewed based on risk; (2) assessed the risk from control deficiencies identified during security control tests; and (3) conducted a disaster recovery test of its general support systems and mission-critical applications. In addition, FDIC addressed 15 of the 21 previously reported weaknesses that were unresolved as of December 31, 2015, as indicated in the following table.
Access the full report here.