FDIC Information Security: Improvements Made but Weaknesses Remain (07/15/2002, GAO-02-689}
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-02-689
TITLE: FDIC Information Security: Improvements Made but Weaknesses Remain
DATE: 07/15/2002
This is the accessible text file for GAO report number GAO-02-689
entitled 'FDIC Information Security: Improvements Made but Weaknesses
Remain' which was released on July 15, 2002.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products� accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to [email protected].
United States General Accounting Office:
GAO: Report to the Board of Directors, Federal Deposit Insurance
Corporation:
July 2002:
FDIC information security:
Improvements Made but Weaknesses Remain:
GAO-02-689:
Contents:
Letter:
Results in Brief:
Background:
Objective, Scope, and Methodology:
Security Improvements Made, but System Vulnerabilities Remain:
Access to Data and Programs Was Not Adequately Controlled:
Other Information System Controls Were Ineffective:
Progress Made, but Full Implementation of Computer Security Management
Program Not Yet Achieved:
Conclusions:
Recommendations for Executive Action:
Agency Comments:
Appendixes:
Appendix I: Comments from the Federal Deposit Insurance Corporation:
Appendix II: GAO Contact and Staff Acknowledgements:
GAO Contact:
Acknowledgments:
Letter:
July 15, 2002:
To the Board of Directors
Federal Deposit Insurance Corporation:
We reviewed information systems general controls[Footnote 1] in
connection with our calendar year 2001 financial statement audits of
the Federal Deposit Insurance Corporation�s (FDIC) Bank Insurance Fund,
Savings Association Insurance Fund, and FSLIC (Federal Savings and Loan
Insurance Corporation) Resolution Fund.[Footnote 2] Effective
information system controls are essential to ensuring that financial
information is adequately protected from inadvertent or deliberate
misuse, fraudulent use, improper disclosure, or destruction. Such
controls also affect the security and reliability of nonfinancial
information, such as personnel and bank examination information
maintained by FDIC. Our evaluation included a follow-up review of the
information security weaknesses identified at FDIC in our financial
statement audits for calendar year 2000.[Footnote 3]
This report summarizes weaknesses in information systems controls over
FDIC�s computer systems. We are also issuing a report designated for
�Limited Official Use Only,� which describes in more detail the
computer security weaknesses identified and offers specific
recommendations for correcting them.
Results in Brief:
FDIC made progress in correcting the information security weaknesses
previously identified and has taken other steps to improve security.
For example, it has limited access to critical information, tested
disaster recovery plans, and established a security awareness program.
Nevertheless, we identified new weaknesses in its information systems
controls that affect the corporation�s ability to safeguard electronic
access to critical financial and other sensitive information. These
weaknesses place critical FDIC financial and sensitive personnel and
bank examination information at risk of unauthorized disclosure,
critical financial operations at risk of disruption, and assets at risk
of loss.
FDIC did not adequately limit access to data and programs by
controlling mainframe access authority, providing sufficient network
security, or establishing a comprehensive program to monitor access
activities. Further, other information systems control weaknesses were
identified that could hinder FDIC�s ability to provide adequate
physical security for its computer facility, appropriate segregation of
computer functions, effective control of system software changes, or
ensure continuity of operations.
As we have previously reported, the primary reason for FDIC�s
information system control weaknesses was that the corporation had not
yet fully implemented a comprehensive corporate program to manage
computer security. An effective program would include assessing risks,
establishing appropriate policies and related controls, raising
awareness of prevailing risks and mitigating controls, and evaluating
the effectiveness of established controls. While FDIC has implemented a
security awareness program, updated its security policies and guidance,
and taken other actions to improve security management, it has not
fully addressed all key elements of a computer security management
program. These elements include (1) clearly defined roles and
responsibilities for its corporate information security managers and
guidance for coordinating and collaborating with central security, (2)
an ongoing risk assessment process to determine computer security
needs, (3) technical security standards for all computer platforms, and
(4) an ongoing program of tests and evaluations to ensure that policies
and controls are appropriate and effective.
To improve information system controls over FDIC financial operations,
we are recommending that FDIC correct the security weaknesses
identified and take additional actions to fully implement an effective
corporate computer security management program. The acting chief
information officer (CIO) stated that she has agreed to correct the
identified weaknesses and act to fully implement such a program. The
acting CIO�s comprehensive corrective action plan to address each
weakness will, she said, be completed by December 31 of this year. We
will evaluate the effectiveness of these corrective actions during our
2002 financial statement audits.
In providing written comments on a draft of this report, the Acting
Chief Financial Officer of FDIC agreed with our recommendations. He
reported that FDIC plans to address the identified weaknesses and that
significant progress has already been made.
Background:
Congress created FDIC in 1933 to restore and maintain public confidence
in the nation�s banking system. In 1989 the Financial Institutions
Reform, Recovery, and Enforcement Act was enacted to reform,
recapitalize, and consolidate the federal deposit insurance system. It
created the Bank Insurance Fund and the Savings Association Insurance
Fund, which are responsible for protecting insured bank and thrift
depositors, respectively, from loss due to institution failures. The
act also created the FSLIC Resolution Fund to finalize the affairs of
the former FSLIC and liquidate the assets and liabilities transferred
from the former Resolution Trust Corporation. It also designated FDIC
as the administrator of these funds. As part of this function FDIC has
an examination and supervision program to monitor the safety of
deposits held in member institutions.
FDIC insures deposits in excess of $3.2 trillion for about 10,000
institutions. Together the three funds have about $49 billion in
assets. FDIC had a budget of about $1.2 billion for calendar year 2001
to support its activities in managing the three funds. For that year,
it processed more than 2.7 million financial transactions.
FDIC relies extensively on computerized systems to support its
financial operations and store the sensitive information it collects.
These systems are interconnected by FDIC�s local and wide area
networks. To support its financial management functions, it relies on
several financial systems to process and track financial transactions
that include premiums paid by its member institutions and disbursements
made to support operations. In addition, FDIC supports other systems
that maintain personnel information on its employees, examination data
on selected financial institutions, and legal information on closed
institutions. At the time of our review, there were about 5,400
authorized users on FDIC�s systems.
Objective, Scope, and Methodology:
Our objective was to evaluate the effectiveness of information systems
general controls over the financial systems maintained and operated by
FDIC during our 2001 financial statement audits.[Footnote 4] These
information systems controls also affect the security and reliability
of other sensitive data, including personnel, legal, and bank
examination information maintained on the same computer systems as the
corporation�s financial information.
Specifically, we evaluated information systems controls intended to:
* protect data and application programs from unauthorized access;
* prevent the introduction of unauthorized changes to application and
system software;
* provide segregation of duties involving application programming,
system programming, computer operations, information security, and
quality assurance;
* ensure recovery of computer processing operations in case of disaster
or other unexpected interruption; and:
* ensure an adequate information security management program.
To evaluate these controls, we identified and reviewed FDIC�s policies
and procedures, conducted tests and observations of controls in
operation, and held discussions with FDIC staff to determine whether
information systems controls were in place, adequately designed, and
operating effectively. In addition, we reviewed corrective actions
taken by FDIC to address vulnerabilities identified in our calendar
year 2000 audit. Our evaluation was based on (1) our Federal
Information System Controls Audit Manual, which contains guidance for
reviewing information systems controls that affect the integrity,
confidentiality, and availability of computerized data; and (2) our May
1998 report[Footnote 5] on security management best practices at
leading organizations, which identifies key elements of an effective
information security program.
We performed our work at FDIC from October 2001 through April 2002. Our
work was performed in accordance with generally accepted government
auditing standards.
Security Improvements Made, but System Vulnerabilities Remain:
In our audit of FDIC�s calendar year 2001 financial
statements,[Footnote 6] we found that FDIC made progress in correcting
previously identified weaknesses. For instance, in our 2000 financial
statement audits,[Footnote 7] we determined that FDIC had not
adequately limited access of authorized users, restricted physical
access to computer facilities, performed comprehensive tests of the
disaster recovery plan, implemented a computer security incident
response process, established a security awareness program, developed
security plans, and performed independent security reviews. These
weaknesses placed critical corporation operations, such as financial
management, personnel, and other operations, at greater risk of misuse
and disruption.
Except for actions still needed to fully implement a computer security
management program, which are discussed later in this report, FDIC made
progress in addressing our previously reported computer security
weaknesses. For example, in our 2001 audits, we found that FDIC has:
* limited access of its system programmers and security staff to
certain critical resources;
* developed corporate access authorization procedures;
* restricted modem connections and use of generic log on IDs to its
network;
* improved physical security to its computer center by limiting access
through the adjoining FDIC hotel;
* developed and performed tests of its computer center disaster
recovery plans, including its network and designated remote facilities,
to provide backup support for the corporation�s network and other
operations;
* established a computer security awareness program for its employees
and contractors;
* developed security plans for its general support systems and
applications; and:
* implemented a requirement and process for independent security
reviews to be performed at least every 3 years.
In addition to correcting previously identified weaknesses, FDIC
initiated other steps to improve computer security. These efforts
included
(1) reviews of system software, (2) improvements in physical security,
including the use of guard service to provide security surveillance to
its computer rooms, (3) completed management authorizations for major
financial applications and general support systems, and (4) assessments
of the sensitivity of corporate data to determine the level of security
needed to protect it.
However, we found additional control weaknesses in FDIC�s information
systems in connection with our calendar year 2001 financial statement
audits. Specifically, FDIC has not adequately limited access to data
and programs by controlling mainframe access authority, providing
sufficient network security, or establishing a comprehensive program to
monitor access activities. Other information system control weaknesses
were also identified that could likewise hinder FDIC�s ability to
provide adequate physical security for its computer facility,
appropriate segregation of computer functions, effective control of
system software changes, or ensure continuity of operations.
Consequently, financial, and personnel programs and data maintained by
FDIC are at risk of inadvertent or deliberate misuse, fraudulent use,
and unauthorized alteration or destruction, which may occur without
detection.
The following sections summarize the results of our review. A separate
report designated for �Limited Official Use Only� details specific
weaknesses in information systems controls that we identified, provides
our recommendations for correcting each weakness, and indicates FDIC�s
planned actions or those already taken for each weakness. An evaluation
of the adequacy of this action plan will be part of our planned work at
FDIC.
Access to Data and Programs Was Not Adequately Controlled:
A basic management control objective for any organization is to protect
data supporting its critical operations from unauthorized access, which
could lead to improper modifications, disclosure, or deletion.
Organizations can protect this critical information by granting
employees the authority to read or modify only those programs and data
that they need to perform their duties and by periodically reviewing
access granted to ensure that it is appropriate. In addition, effective
network security controls should be established to authenticate local
and remote users and include a program to monitor the access activities
of the network and mainframe systems.
Although progress was made in limiting access, FDIC�s information
systems controls were not adequately protecting financial and sensitive
information. Specifically, FDIC had not appropriately limited mainframe
access authority, sufficiently secured its network, or established a
comprehensive program to monitor access activities. These weaknesses
place the corporation�s information systems at risk of unauthorized
access, which could lead to the improper disclosure, modification, or
deletion of sensitive information and the disruption of critical
operations.
Mainframe Access Authority Was Not Appropriately Limited for All Users:
Effective mainframe access controls should be designed to prevent,
limit, and detect access to computer programs and data. These controls
include access rights and permissions, system software controls, and
software library management.
While FDIC restricted access to many users who previously had broad
access to critical programs, software, and data, we identified
instances in which the corporation had not sufficiently restricted
access to legitimate users. A key weakness in FDIC�s controls was that
its data center did not sufficiently restrict user access, as described
below.
* Hundreds of users had access privileges that allowed them to modify
financial software and read, modify, or copy financial data. This risk
was further heightened because the corporation was not actively
monitoring the access activities of these users.
* Many users had unnecessary access to powerful commands. About 55
users had access to a specific transaction command that could be used
to circumvent the security of sensitive FDIC information, including its
bank examination files. These users included 26 help-desk employees and
14 database staff, users who do not need this access to perform their
daily job functions.
* About 15 users outside of the system programming function had access
privileges to one sensitive system software library that is allowed to
perform system functions that can be used to circumvent all security
controls. Such access increases the risk that users can bypass security
controls to alter or delete any computer data or programs on the
system. Typically such access privileges are limited to system
programmers.
* About 30 users had access to powerful operator commands that could be
used to circumvent system security or compromise the operational
integrity of the system. Prior to the completion of our work, the
acting CIO told us that this access privilege had been removed for
these users.
One reason for FDIC�s user access vulnerabilities was that not all
access authority granted based on job responsibility was being
collectively reviewed. Instead, individual access privileges were
reviewed by data owners but only to determine the appropriateness of
each user�s access to a data owner�s resource. As a result, there was
no comprehensive review to determine the appropriateness of all access
granted to any one user. Such reviews would have allowed FDIC to
identify and correct inappropriate access.
FDIC said that it was reviewing staff access and would limit this
access to that required to carry out job responsibilities. Further, the
corporation plans to develop and implement procedures to
comprehensively review all access granted and ensure that access
remains appropriate.
Network Security Not Sufficient:
Network security controls are key to ensuring that only authorized
individuals gain access to sensitive and critical agency data. These
controls include a variety of tools such as user passwords, intended to
authenticate authorized users who access the network from local and
remote locations. In addition, network controls provide safeguards to
ensure that the system software is adequately configured to prevent
users from bypassing network access controls or causing network
failures.
The risks introduced by the weaknesses we identified in access controls
were compounded by network security weaknesses. While FDIC had taken
major steps to secure its network through the installation of a
firewall and other security measures, weaknesses in the way the
corporation configured its network servers, managed user IDs and
passwords, provided network services, and secured its network
connectivity were nonetheless still present. As a result, financial
information processed on the network is at increased risk that
unauthorized modification or disclosure could occur without detection.
Because of FDIC�s interconnected environment, these network control
weaknesses also increase the risk of unauthorized access to financial
and sensitive information (such as bank examination, personnel, and
financial management information) maintained on the FDIC mainframe
computer. For example:
* One system had default accounts that were not removed during
installation of remote access software. Information on default settings
and passwords is available in vendor-supplied manuals, which are
available to hackers. Other systems had dormant accounts that could be
used by hackers with a lower risk of detection.
* The network had system software configuration weaknesses that could
allow users to bypass access controls and gain unauthorized access to
FDIC�s networks or cause network system failures. For instance, certain
network system configuration settings allowed unauthorized users to
connect to the network without entering a valid user ID and password
combination. This could allow unauthorized individuals to obtain access
to system information describing the network environment, including
user IDs and password information.
* Potentially dangerous services were available on several network
systems. Because of the availability of these services, a greater risk
exists that an unauthorized user could exploit them to gain high-level
access to the system and applications, obtain information about the
system, or deny system services.
Further, FDIC did not have a process in place to actively review the
network connections maintained by its contractors to ensure that only
authorized network access paths were being used. Such network security
weaknesses increase the risk that those with malicious intent could
misuse, improperly disclose, or destroy financial and other sensitive
information.
In response to our findings, FDIC�s acting CIO said that the
corporation had developed and implemented policies and procedures to
periodically review (1) user accounts on all servers to ensure that
they are required and appropriately used, (2) system configuration
settings for vulnerabilities, and (3) services used on the network to
ensure that only those that are needed are maintained. She further said
that FDIC had taken steps to tighten network security for its
contractor connections and was in the process of reviewing all new
contractor connections to the network to ensure appropriate access.
Program to Monitor Access Activities Not Complete:
The risks created by these access control problems were heightened
because FDIC did not fully establish a comprehensive program to monitor
user access. A monitoring program is essential to ensuring that
unauthorized attempts to access critical program and data are detected
and investigated. Such a program would include routinely reviewing user
access activity and investigating failed attempts to access sensitive
data and resources, as well as unusual and suspicious patterns of
successful access to sensitive data and resources. Such a program is
critical to ensuring that improper access to sensitive information is
detected.
To effectively monitor user access, it is critical that logs of user
activity be maintained for all critical system processing activities.
This includes collecting and monitoring access activities on all
critical systems, including mainframes, network servers, and routers.
Because the volume of security information is likely to be too large to
review routinely, the most effective monitoring techniques selectively
target specific actions. These efforts should include provisions to
identify unusual activities, such as changes to sensitive system files
that were not made by system programmers, or updates to security files
that were not made by security staff. A comprehensive monitoring
program should, further, include an intrusion-detection system to
automatically log unusual activity, provide necessary alerts, and
terminate sessions when necessary.
While FDIC logged access activity for many of its systems and developed
programs to target unusual or suspicious activities, it did not take
sufficient steps to ensure that it was recording or monitoring the
access activities of all key systems, including the following:
* Special system services on the FDIC mainframe were not being logged
because the audit trail that records the access activity was not
enabled. As a consequence, adverse access events may not be detected
that could potentially disrupt system operations or result in
information system being unavailable to the corporation.
* Logging was not enabled to monitor successful or unsuccessful
attempts to access sensitive router and switch configuration files on
the network. Unauthorized access to these resources could enable an
intruder or unauthorized user to read or modify configuration files
containing security settings such as router passwords, user names, or
access control listings. With the ability to read or write to these
files, a malicious user could seriously disable or disrupt network
operations by taking control of the routers and switches.
While FDIC has installed and implemented a network-based intrusion-
detection system to monitor for unusual or suspicious access
activities, it has not yet configured the host-based system parameters
so that notifications (such as e-mail and/or pager) are sent to the
computer security incident response team. FDIC is in the process of
testing the host-based system to determine the most appropriate
parameter configuration. Without full implementation of such a system
and more effective logging and monitoring of system access activities,
FDIC reduces its ability to identify and investigate unusual or
suspicious access to its financial and sensitive information.
According to the acting CIO, the corporation has implemented security
reporting for its test environment. In addition, it established
procedures to provide for system logging and review of these logs for
unusual or suspicious activities. Further, FDIC plans to have its
intrusion-detection system fully implemented by July 31 of this year.
Other Information System Controls Were Ineffective:
In addition to the information system access controls discussed, other
important controls should be in place to ensure the integrity and
reliability of an organization�s data. These controls include policies,
procedures, and control techniques to physically protect computer
resources and restrict access to sensitive information, provide
appropriate segregation of duties of computer personnel, prevent
unauthorized changes to system software, and ensure the continuation of
computer processing operations in case of disaster. FDIC had weaknesses
in each of these areas.
Physical Security Controls Insufficient:
Physical security controls are important for protecting computer
facilities and resources from espionage, sabotage, damage, and theft.
These controls involve restricting physical access to computer
resources, usually by limiting access to the buildings and rooms in
which they are housed and periodically reviewing access granted to
ensure that it continues to be appropriate based on criteria
established for granting such access. At FDIC, physical access control
measures (such as guards, badges, and alarms, used alone or in
combination) are vital to safeguarding critical financial and sensitive
personnel and banking information and computer operations from internal
and external threats.
Although FDIC took measures to improve its physical perimeter security
and access to its computer rooms, its process for granting and
reviewing physical access to the computer center is not adequately
controlled. For example, there were instances in which records of
access granted to staff were not available. Further, staff who no
longer required access to the computer center still retained such
access. This included personnel who (1) had transferred out of computer
operations, (2) no longer worked for FDIC, or (3) never or rarely
visited the computer room. FDIC has neither established criteria for
granting physical access to its computer center, nor developed
procedures to periodically review staff access to determine continued
need. Without adequate criteria and periodic review, FDIC increases the
risk of unauthorized access to the corporation�s systems and disruption
of services.
At our request, FDIC reviewed its list of staff with access to the
computer center, reducing the number of authorized staff from 270 to
227. Specifically, it determined that it had no record of access
granted to 18 staff, and that access was no longer needed by 25
individuals.
According to the acting CIO, the corporation has revised its computer
center access procedures to include criteria for granting and retaining
access to the center, and established other procedures to provide
access to information on employee reassignments and other actions that
could affect the need for access to the computer center. Further, she
said, the corporation has developed reports on employee access
activities to further assist it in monitoring physical access to the
computer center.
Computer Duties Largely but Not Always Properly Segregated:
Another fundamental technique for safeguarding programs and data is to
segregate the duties and responsibilities of computer personnel to
reduce the risk that errors or fraud will occur and go undetected.
Incompatible duties that should be separated include application and
system programming, production control, database administration,
computer operations, and data security. Once policies and job
descriptions supporting the principles of segregation of duties have
been developed, it is important to ensure that adequate supervision is
provided or mitigating controls established to provide the necessary
monitoring and oversight to ensure that employees perform only those
tasks that have been authorized for their job functions.
Although computer duties are generally properly segregated at FDIC, we
identified instances in which duties were not adequately segregated.
For example, 24 application developers were authorized to make
modifications to financial programs and data that were in production.
Typically, developer access is limited to program code in the
development environment. While it may be appropriate at times to grant
developers access to both production programs and data, it should only
be done when mitigating controls have been established. However, the
corporation had not established mitigating controls, such as logging
and monitoring system access activities of the developers to ensure
that they were performing only authorized actions.
Similarly, FDIC assigned two staff members to monitor and review the
access activities on its production platforms; they were also
authorized to make changes to programs and data that they were
responsible for reviewing. Yet, FDIC did not provide supervisory
oversight or establish other mitigating controls to ensure that these
staff members performed only authorized functions. Because adequate
mitigating controls had not been established in either instance, the
risk is increased that FDIC financial or other sensitive information
could be inadvertently or intentionally modified, or unauthorized
transactions processed.
FDIC plans to enhance its system monitoring of developers by targeting
logging and monitoring activities to sensitive production data and
programs by December 31 of this year. Further, FDIC will augment its
monitoring and review of access to its production environment by
designating a security person to independently review these activities.
Development and Changes to System Software Not Completely Controlled:
A standard information systems control practice is to ensure that only
authorized and fully tested system software or related modifications
are placed in operation. To ensure that newly developed system software
or changes are needed, work as intended, and do not result in the loss
of data and program integrity, the system software or changes should be
documented, authorized, tested, and independently reviewed.
Strong security practices provide that a structured approach be used to
control the development, review, and approval of system software
exits.[Footnote 8] This process includes requirements for documenting
the purpose of the exit, performing a technical review of the software,
and approving the implementation of this software. System software
exits are used to provide installations with additional processing
capabilities. These exits increase the risk of integrity exposures,
since the code is usually implemented with authorized privileges that
allow it to bypass security and gain access to financial programs or
data.
However, we identified weaknesses in the system software development
and change control process at FDIC. System software exits developed by
FDIC were not adequately controlled. None of the nine locally developed
system software exits maintained by FDIC were documented to reflect
their purpose. Further, there was no documented evidence of review by
technical management or formal approval for these exits. FDIC did not
develop procedures for documenting, reviewing, or approving locally
developed system software exits. Without a formally documented review
and approval process, an increased risk exists that the exit will not
work as intended, and could result in the loss of data or program
integrity.
In addition, although FDIC established a process for system software
change control and used an automated system to document changes, it did
not establish procedures for performing and approving tests of system
software changes or develop minimum documentation requirements for
tests performed. In a sample of 20 system software changes reviewed,
none had documentation of the tests performed or evidence that tests
performed had been approved. As a result, the risk increases that
unauthorized or not adequately tested system software could be placed
into operation.
FDIC�s acting CIO said that the corporation would develop a process for
documenting, reviewing, and approving locally developed system software
exits. Further, the corporation plans to revise its requirements for
documenting system software changes, provide specific requirements for
testing these changes, and establish a process, by August 31 of this
year to ensure compliance.
Service Continuity Planning Incomplete:
An organization must take steps to ensure that it is adequately
prepared to cope with the loss of operational capability due to
earthquake, fire, accident, sabotage, or any other disruption. An
essential element in preparing for such catastrophes is an up-to-date,
detailed, and fully tested service continuity plan covering all key
computer operations, and including plans for business continuity. Such
a plan is critical for helping to ensure that information system
operations and data, such as financial processing and related records,
can be promptly restored in the event of a disaster. To ensure that it
is complete and fully understood by all key staff, the service
continuity plan should be tested, to include surprise tests, and the
test plans and results documented to provide a basis for improvement.
In addition, backup sites should be reviewed and selected on the basis
of their ability to provide assurance that an organization will be able
to maintain continuity of operations.
While FDIC has updated and conducted tests of its service continuity
plan, improvements are still needed in some areas. Service continuity
weaknesses include the following:
* The lack of unannounced tests or walk-throughs of its service
continuity plan. Instead, all tests have been planned, with
participants fully aware of the disaster recovery scenario. In an
actual disaster, of course, there is usually little or no warning.
* The lack of a business continuity plan for all its facilities. While
FDIC has implemented a plan for its Washington, D.C., facility, it has
yet to implement similar plans for its suburban computer center and
eight regional offices.
* The potential unavailability of one of FDIC�s designated computer
backup facilities. This facility is in an area that could have limited
accessibility in an event like September 11, 2001.
FDIC plans to develop and implement procedures for performing
unannounced walk-throughs of its disaster recovery plan by September
30, 2002, and conduct and complete tests of its business recovery plans
by December 31, 2002. Further, FDIC has moved all disaster recovery
hardware and software from Washington, D.C., to a regional office.
Progress Made, but Full Implementation of Computer Security Management
Program Not Yet Achieved:
A key reason for FDIC�s continuing weaknesses in information systems
controls is that it has not yet fully developed and implemented a
comprehensive security management program to ensure that effective
controls are established and maintained, and that computer security
receives adequate attention. Our May 1998 study of security management
best practices[Footnote 9] determined that a comprehensive computer
security management program is essential to ensuring that information
system controls work effectively on a continuing basis. Specifically,
an effective computer security management program includes:
* establishing a central security management structure with clearly
delineated security roles and responsibilities;
* performing periodic risk assessments;
* establishing appropriate policies, procedures, and technical
standards;
* raising security awareness; and:
* establishing an ongoing program of tests and evaluations of the
effectiveness of policies and controls.
FDIC has taken action related to each of the key elements described
above, including the implementation of a comprehensive security
awareness program for all its employees. However, aside from security
awareness, the steps taken to address the other key elements of a
comprehensive computer security management program were not sufficient
to ensure continuing success.
The first key element of effective computer security management is the
establishment of a central security group with clearly defined roles
and responsibilities. This provides overall security policy and
guidance, along with the oversight to ensure compliance with
established policies and procedures; further, it reviews the
effectiveness of the security environment. The central security group
often is supplemented by individual security staff designated to assist
in the implementation and management of the organizations security
program. To ensure the effectiveness of the security program, clearly
defined roles and responsibilities for all security staff should be
established, and coordination responsibilities between individual
security staff and central security should be developed.
While FDIC has established a central security function and is in the
process of designating information security managers for each of its
divisions, it has not clearly defined these managers� roles and
responsibilities. Further, FDIC has not established guidance to ensure
that these managers coordinate and collaborate with the central
security function in addressing security related issues. Without a
formally defined and coordinated program, FDIC�s computer security
program risks fragmentation and the lack of a corporate focus, which is
needed to adequately secure its highly interconnected computer
environment.
The second key aspect of computer security management is periodic risk
assessment. Regular risk assessments assist management in making
decisions on necessary controls by helping to ensure that security
resources are effectively distributed to minimize potential loss. And,
by increasing awareness of risks, these assessments generate support
for the adopted policies and controls, which help ensure that the
policies and controls operate as intended. Further, the Office of
Management and Budget Circular A-130, appendix III, prescribes that
risk be assessed when significant changes are made to the system or at
least every 3 years.
FDIC has not yet fully implemented a risk assessment process. While it
requires a risk-based approach to security management, to date it has
focused on conducting independent security reviews of its key
applications and general support systems. However, these reviews do not
address certain key elements for managing risk, such as identifying,
analyzing, and understanding the threats to the computer environment;
determining business impact when risks are exploited; and mitigating
risks in a cost-effective manner. Also, FDIC has not developed a
complete framework for assessing risk when significant changes are made
to a facility or its computer systems. During the past year, FDIC
replaced its mainframe hardware and upgraded its mainframe operating
system. Either of the changes could have introduced new vulnerabilities
into FDIC�s computer system thus warranting a need for a risk
assessment.
A third key element of effective security management is having
established policies, procedures, and technical standards governing a
complete computer security program. Such policies and procedures should
integrate all security aspects of an organization�s interconnected
environment, including local area network, wide area network, and
mainframe security. In addition, technical security standards are
needed to provide a consistent control framework for each computer
environment. The integration of network and mainframe security is
particularly important as computer systems become more interconnected.
FDIC has completed security plans for its general support systems and
major financial applications. It has also developed and implemented
overall security policies and procedures for its computer environment.
While it has established technical security standards for several of
its network platforms and its mainframe security software, it has not
developed technical security standards for implementing network routers
and maintaining operating system integrity on its mainframe system.
Such standards would not only help ensure that appropriate computer
controls are established consistently for these systems, but would also
facilitate periodic reviews of the controls.
A fourth key area of security management is promoting security
awareness. Computer attacks and security breakdowns often occur because
computer users fail to take appropriate security measures. For this
reason, it is vital that employees who use computer systems in their
day-to-day operations be aware of the importance and sensitivity of the
information they handle, as well as the business and legal reasons for
maintaining confidentiality and integrity. In accepting responsibility
for security, employees should, for example, devise effective
passwords, change them frequently, and protect them from disclosure. In
addition, employees should help maintain physical security over their
assigned areas.
FDIC has established a comprehensive security awareness program for all
employees. Specifically, it developed a computer-based security
awareness program that all employees were required to complete
annually. FDIC has also established procedures to monitor compliance
with this requirement.
The final key area of an overall computer security management program
is an ongoing program of tests and evaluations of the effectiveness of
policies and controls. Such a program includes processes for (1)
monitoring compliance with established information system control
policies and procedures, (2) testing the effectiveness of information
system controls, and (3) improving information system controls based on
the results of these activities.
While FDIC established an independent security program to review
compliance with application and general support system security plans
on a 3-year cycle, it has not established a program to routinely
monitor and test the effectiveness of information systems controls.
Such a program would allow FDIC to ensure that policies remain
appropriate and that controls accomplish their intended purpose.
Monitoring is key. Weaknesses discussed in this report could have been
identified and corrected if the corporation had been monitoring
compliance with established procedures. For example, if FDIC had a
process to review all access authority granted to each user to ensure
that the access was limited to that needed to complete job
responsibilities, it would have been able to discover and limit the
inappropriate access authority granted to hundreds of users, as
discussed in this report.
A program to regularly test information systems controls would also
have allowed FDIC to detect additional network security weaknesses. For
example, using network analysis software designed to detect network
vulnerabilities, we identified user accounts and services that could
provide hackers with information to exploit the network and launch an
attack on FDIC systems. Corporation staff could have identified this
exposure using similar network analysis software already available to
them.
In response, FDIC�s acting CIO said that the corporation would develop
policies and procedures to define the roles and responsibilities of its
information security managers. These procedures would include
requirements for coordinating security activities with the central
security function. In addition, the corporation is updating its risk
management directive to address the need to perform periodic risk
assessments and to conduct these assessments when significant changes
occur. FDIC also intends to develop and implement technical security
standards for its mainframe operating system and network routers. In
addition, it expects to develop and implement an ongoing security
oversight program to include provisions for monitoring compliance with
established procedures and testing the effectiveness of the
corporation�s controls. All of these initiatives are expected to be
completed no later than December 31 of this year.
Conclusions:
While FDIC has made progress in correcting previously identified
computer security weaknesses, additional ones have been identified in
its information systems control environment. Specifically, FDIC had not
appropriately limited user access authority, sufficiently secured its
network, or established a program to monitor access activity. Also,
FDIC was not adequately providing physical security, segregating
computer duties, controlling system software, or ensuring that all
aspects of its service continuity needs were addressed. Such weaknesses
place sensitive FDIC information at risk of disclosure, financial
operations at risk of disruption, and assets at risk of loss.
A primary reason for FDIC�s information systems control problems is
that it has not yet fully implemented a comprehensive program to manage
computer security. While FDIC has clearly taken steps in many of these
areas, more remains to be done. A comprehensive program for computer
security management is essential for achieving an effective information
system general control environment. Effective implementation of such a
program provides for (1) periodically assessing risks; (2) implementing
effective controls for restricting access based on job requirements and
proactively reviewing access activities; (3) communicating the
established policies and controls to those who are responsible for
their implementation; and, perhaps most important, (4) evaluating the
effectiveness of policies and controls to ensure that they remain
appropriate and accomplish their intended purpose.
Recommendations for Executive Action:
To establish an effective information systems control environment, we
recommend that you instruct the acting CIO, as the corporation�s key
official responsible for computer security, to ensure that the
following actions are completed.
* Correct the information systems control weaknesses related to access
authority, network security, access monitoring, physical access,
segregation of duties, system software, service continuity, and
security management. These specific weaknesses are described in a
separate report designated for �Limited Official Use Only,� also issued
today.
* Fully develop and implement a computer security management program.
Specifically, this would include (1) establishing clearly defined roles
and responsibilities for FDIC�s information security managers and
guidance for coordinating and collaborating with central security, (2)
developing a program for performing periodic risk assessments to
determine computer security needs, (3) developing and implementing
technical security standards for all computer platforms, and (4)
establishing an ongoing program of tests and evaluations to ensure that
policies and controls are appropriate and effective.
In addition, we recommend that you instruct the acting CIO to report
periodically to you, or your designee, on progress in implementing
FDIC�s corrective action plans.
Agency Comments:
In providing written comments on a draft of this report, the Acting
Chief Financial Officer of FDIC agreed with our recommendations. His
comments are reprinted in appendix I of this report. He reported that
significant progress has already been made in addressing the weaknesses
identified. Specifically, FDIC plans to correct the information systems
control weaknesses related to access authority, network security access
monitoring, physical access, segregation of duties, systems software,
service continuity, and security management by December 31, 2002.
We are sending copies of this report to the Chairman and Ranking
Minority Member of the Senate Committee on Banking, Housing, and Urban
Affairs; the Chairman and Ranking Minority Member of the House
Committee on Financial Services; the members of the FDIC Audit
Committee; officials in FDIC�s divisions of information resources
management, administration, and finance; and the FDIC inspector
general. We will also make copies available to others upon request. In
addition, the report will be available at no charge on the GAO Web site
at http://www.gao.gov.
If you have any questions regarding this report, please contact me at
(202) 512-3317 or David W. Irvin, assistant director, at (214) 777-
5716. We can also be reached by e-mail at [email protected] and
[email protected], respectively. Key contributors to this report are
listed in appendix II.
Robert F. Dacey
Director, Information Security Issues:
Signed by Robert F. Dacey:
FOOTNOTES
[1] Information system general controls affect the overall
effectiveness and security of computer operations as opposed to being
unique to any specific computer application. They include security
management, operating procedures, software security features, and
physical protection designed to ensure that access to data is
appropriately restricted, that only authorized changes to computer
programs are made, that computer security duties are segregated, and
that backup and recovery plans are adequate to ensure the continuity of
essential operations.
[2] U.S. General Accounting Office, Financial Audit: Federal Deposit
Insurance Corporation�s 2001 and 2000 Financial Statements, GAO-02-633
(Washington, D.C.: May 21, 2002).
[3] U.S. General Accounting Office, Financial Audit: Federal Deposit
Insurance Corporation�s 2000 and 1999 Financial Statements, GAO-01-635
(Washington, D.C.: May 9, 2001).
[4] GAO-02-633.
[5] U.S. General Accounting Office, Information Security Management:
Learning From Leading Organizations, GAO/AIMD-98-68 (Washington, D.C.:
May 1998).
[6] GAO-02-633.
[7] GAO-01-635.
[8] A system software exit is a software program that provides an
entity with flexibility to customize processing, but it also can be
used to bypass security controls.
[9] GAO/AIMD-98-68.
[End of section]
Appendix I Comments from the Federal Deposit Insurance Corporation:
FDIC Federal Deposit Insurance Corporation:
801 17th Street NW, Washington, D.C. 20434:
Office of the Director, Division of Finance & Acting Chief Financial
Officer:
June 17, 2002:
Mr. Joel C. Willemssen, Managing Director Information Technology
Issues:
U.S. General Accounting Office:
441 G Street, NW:
Washington, D.C. 20548:
Dear Mr. Willemssen:
Thank you for the opportunity to the draft report entitled, FDIC
Information Security Improvements Made But Weaknesses Remain, dated
June
5, 2002. While recognizing that FDIC has made progress in correcting
the
information security weaknesses previously identified and has taken
other
steps to improve security, the General Accounting Office (GAO) did not
identify internal control matters in five areas: corporate-wide
security
program, access controls, segregation of duties, service continuity,
and
systems software. We appreciate the detailed information technology
audit
work completed by the GAO team. We believe that it will help us as we
continue our efforts to improve the FDIC�s information security
program.
Overall, the FDIC agrees with the results represented in the referenced
draft reports. Specifically, in response to the recommendations for
executive action, the FDIC will, by December 31, 2002, correct the
information systems control weaknesses related to access authority,
network
security access monitoring, physical access, segregation of duties,
systems
software, service continuity, and security management. Specific
corrective
actions to be taken were provided separately.
The corrective actions include:
(1) establishing clearly defined roles and responsibilities for FDIC�s
information security managers and guidance for coordinating and
collaborating with central security.
(2) developing a program for performing periodic risk assessments to
determine computer security needs.
(3) developing and implementing technical security standards for all
computer platforms.
(4) establishing an ongoing program of tests and evaluations to ensure
that policies and controls are appropriate and effective.
In addition, the Chief Information Officer and the Director of Internal
Control Management will periodically report to the Chief Operating
Office
on the progress made on implementing corrective action plans.
We are pleased to report that significant progress has already been
made
in addressing the weaknesses identified in the draft reports. Further,
we
understand that through substantial resources and strong executive
involvement, a sustained effort is needed to address both well
documented
security risks and the multitude of new vulnerabilities posed by the
rapidly changing technology industry. To that end, the FDIC remains
committed to establishing and improving every aspect of our corporate-
wide
security program. As we progress through our 2002 corrective action
plans,
we look forward to continuing our productive dialogue with the GAO.
If you have questions relating to the management responses, please
contact
Vijay G. Deshpande, Director, Office of Internal Control Management, at
202-736-3014.
Sincerely,
Fred Selby, Director of Finance & Acting Chief Financial Officer:
Signed by Fred Selby:
cc: Carol Heindel, Vijay Deshpande, James D. Collins:
[End of section]
Appendix II GAO Contact and Staff Acknowledgments:
GAO Contact:
David W. Irvin, (214) 777-5716:
Acknowledgments:
In addition to the person named above, Edward Alexander, Gerald Barnes,
Nicole Carpenter, Lon Chin, West Coile, Debra Conner, Kristi Dorsey,
Denise Fitzpatrick, Edward Glagola, Brian Howe, Jeffrey Knott, Harold
Lewis, Suzanne Lightman, Duc Ngo, Tracy Pierson, Rosanna Villa, and
Charles Vrabel made key contributions to this report.
[End of Section]
GAO�s Mission:
The General Accounting Office, the investigative arm of Congress,
exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO�s commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO�s Web site ( www.gao.gov ) contains
abstracts and full- text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as �Today�s Reports,� on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select �Subscribe to daily E-mail alert for newly
released products� under the GAO Reports heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. General Accounting Office
441 G Street NW,
Room LM Washington,
D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director, [email protected] (202) 512-4800 U.S.
General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C.
20548: