January 27, 2022

News Network

Information Security: Federal Deposit Insurance Corporation Has Made Progress, but Further Actions Are Needed to Protect Financial Data

What GAO Found

Although FDIC had implemented numerous controls in its systems, it had not always implemented access and other controls to protect the confidentiality, integrity, and availability of its financial systems and information. FDIC had implemented controls to detect and change default user accounts and passwords in vendor-supplied software, restricted access to network management servers, developed and tested contingency plans for major systems, and improved mainframe logging controls. However, the corporation had not always (1) required strong passwords on financial systems and databases; (2) reviewed user access to financial information in its document sharing system in accordance with policy; (3) encrypted financial information transmitted over and stored on its network; and (4) protected powerful database accounts and privileges from unauthorized use. In addition, other weaknesses existed in FDIC’s controls that were intended to appropriately segregate incompatible duties, manage system configurations, and implement patches.

An underlying reason for the information security weaknesses is that FDIC had not always implemented key information security program activities. To its credit, FDIC had developed and documented a security program and had completed actions to correct or mitigate 26 of the 33 information security weaknesses that were previously identified by GAO. However, the corporation had not assessed risks, documented security controls, or performed periodic testing on the programs and data used to support the estimates of losses and costs associated with the servicing and disposal of the assets of failed institutions. Additionally, FDIC had not always implemented its policies for restricting user access or for monitoring the progress of security patch installation.

Because FDIC had made progress in correcting or mitigating previously reported weaknesses and had implemented compensating management and reconciliation controls during 2010, GAO concluded that FDIC had resolved the significant deficiency in internal control over financial reporting related to information security that was reported in GAO’s 2009 audit, and that the remaining unresolved issues and the new issues identified did not individually or collectively constitute a material weakness or significant deficiency in 2010. However, if left unaddressed, these issues will continue to increase FDIC’s risk that its sensitive and financial information will be subject to unauthorized disclosure, modification, or destruction.

Why GAO Did This Study

The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. Because of the importance of FDIC’s work, effective information security controls are essential to ensure that the corporation’s systems and information are adequately protected from inadvertent misuse, fraudulent use, or improper disclosure.

As part of its audits of the 2010 financial statements of the Deposit Insurance Fund and the Federal Savings & Loan Insurance Corporation Resolution Fund administered by FDIC, GAO assessed the effectiveness of the corporation’s controls in protecting the confidentiality, integrity, and availability of its financial systems and information. To perform the audit, GAO examined security policies, procedures, reports, and other documents; tested controls over key financial applications; and interviewed key FDIC personnel.
