FDIC's information security controls don't add up, says GAO

The GAO faults the FDIC for not implementing a number of information security measures, including requiring strong passwords on financial systems and databases, reviewing user access to financial information in its document sharing system, encrypting financial information transmitted over and stored on its network, and protecting powerful database accounts and privileges from unauthorized use.

“An underlying reason for the information security weaknesses is that FDIC had not always implemented key information security program activities…. The corporation had not assessed risks, documented security controls, or performed periodic testing on the programs and data used to support the estimates of losses and costs associated with the servicing and disposal of the assets of failed institutions. Additionally, FDIC had not always implemented its policies for restricting user access or for monitoring the progress of security patch installation,” the GAO argued.

The government watchdog recommended that the FDIC implement stronger information security controls over its loss-share loss estimation process and work with the agency’s external web service provider to deliver its required information security report in a timely manner.

The FDIC responded to the GAO audit by noting that it had already taken steps to improve the information security of the loss-share loss estimation process. “FDIC is currently taking steps to improve role-based access control, data integrity, and configuration management (i.e., version control) on data repositories and shared network resources that contain end-user commodity tools used to augment the loss-share estimation processes. The process to review and improve controls began while the GAO audit team was on site and will continue through December 2011.”