Information Security: Federal Deposit Insurance Corporation Needs
to Sustain Progress Improving Its Program (18-MAY-07, GAO-07-351).

The Federal Deposit Insurance Corporation (FDIC) has a demanding
responsibility enforcing banking laws, regulating financial
institutions, and protecting depositors. As part of its audit of
the calendar year 2006 financial statements, GAO assessed (1) the
progress FDIC has made in correcting or mitigating information
security weaknesses previously reported and (2) the effectiveness
of FDIC's information system controls in protecting the
confidentiality, integrity, and availability of its financial
information and information systems. To do this, GAO examined
pertinent security policies, procedures, and relevant reports. In
addition, GAO conducted tests and observations of controls in
operation.
-------------------------Indexing Terms-------------------------
REPORTNUM:   GAO-07-351
    ACCNO:   A69767
    TITLE:   Information Security: Federal Deposit Insurance
             Corporation Needs to Sustain Progress Improving Its Program
     DATE:   05/18/2007
  SUBJECT:   Computer security
             Data integrity
             Data transmission
             Federal corporations
             Financial statement audits
             Financial statements
             Information security
             Information systems
             Insurance
             Internal controls
             Physical security
             Policy evaluation
             Risk assessment
             Risk management
             Systems evaluation

United States Government Accountability Office

GAO

Report to the Chief Financial Officer
and Chief Operating Officer, Federal Deposit Insurance Corporation

May 2007

INFORMATION SECURITY

 Federal Deposit Insurance Corporation Needs to Sustain Progress Improving Its
                                    Program


  What GAO Found

FDIC has made substantial progress in correcting previously reported
weaknesses in its information security controls. Specifically, it has
corrected or mitigated 21 of the 26 weaknesses that GAO had reported as
unresolved at the completion of the calendar year 2005 audit. Actions FDIC
has taken include developing and implementing procedures to prohibit the
transmission of mainframe user and administrator passwords in plaintext
across the network, implementing procedures to change vendor-supplied
account/passwords, and improving mainframe security monitoring controls.

Although FDIC has made important progress improving its information system
controls, old and new weaknesses could limit the corporation's ability to
effectively protect the integrity, confidentiality, and availability of
its financial and sensitive information and systems. In addition to the
five previously reported weaknesses that are in the process of being
mitigated, GAO identified new weaknesses in controls related to (1) e-mail
security, (2) physical security, and (3) configuration management.
Although these weaknesses do not pose significant risk of misstatement of
the corporation's financial statements, they do increase preventable risk
to the corporation's financial and sensitive systems and information.

In addition, FDIC has not fully integrated its new financial system--the
New Financial Environment (NFE)--into its information security program.
For example, it did not fully implement key control activities for the
NFE. Until FDIC fully integrates the NFE with the information security
program, its ability to maintain adequate system controls over its
financial and sensitive information will be limited.


Contents

Letter
Results in Brief
Background
Objectives, Scope, and Methodology
FDIC Has Made Substantial Progress Correcting Previously Reported
Weaknesses
FDIC Has Made Progress in Information System Controls, However Some
Weaknesses Remain
NFE Not Fully Integrated into the Corporation's Information Security
Program
Conclusions
Recommendations for Executive Action
Agency Comments and Our Evaluation

Appendix I Status of Previously Reported Weaknesses

Appendix II Comments from the Federal Deposit Insurance Corporation

Appendix III GAO Contact and Staff Acknowledgments

Abbreviations

BIF        Bank Insurance Fund
CSIRT      Computer Security Incident Response Team
DIF        Deposit Insurance Fund
FDIC       Federal Deposit Insurance Corporation
FISMA      Federal Information Security Management Act
FSLIC      Federal Savings and Loan Insurance Corporation
NFE        New Financial Environment
NIST       National Institute of Standards and Technology
SAIF       Savings Association Insurance Fund
SAS        Statement on Auditing Standards

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office Washington, DC 20548

May 18, 2007

To the Chief Financial Officer and Chief Operating Officer, Federal
Deposit Insurance Corporation

The Federal Deposit Insurance Corporation (FDIC) has a demanding
responsibility enforcing banking laws, regulating banking institutions,
and protecting depositors. In carrying out its financial and
mission-related operations, FDIC relies extensively on computerized
systems. Because FDIC plays an important role in maintaining public
confidence in the nation's financial system, issues that affect the
integrity, confidentiality, and availability of sensitive information
maintained on its systems--such as personnel and regulatory
information--are of paramount concern. In particular, effective
information security controls^1 are essential to ensure that FDIC systems
and information are adequately protected from inadvertent or deliberate
misuse, fraudulent use, improper disclosure, or destruction.

As part of our audit of the calendar year 2006 financial statements of the
Deposit Insurance Fund^2 (DIF) and the Federal Savings & Loan Insurance
Corporation (FSLIC) Resolution Fund,^3 we assessed (1) the progress FDIC
has made in correcting or mitigating information system control weaknesses
reported as unresolved at the completion of our 2005 review^4 and (2) the
effectiveness of the corporation's information system controls
for protecting the confidentiality, integrity, and availability of its
information and information systems.

^1Information system internal controls affect the overall effectiveness and
security of computer operations and are not unique to specific computer
applications. These controls include security management, operating
procedures, software security features, and physical protections designed
to ensure that access to data is appropriately restricted, that only
authorized changes to computer programs are made, that incompatible
computer-related duties are segregated, and that backup and recovery plans
are adequate to ensure the continuity of operations.

^2Bank Insurance Fund (BIF) and the Savings Association Insurance Fund
(SAIF) merged to become the DIF.

^3GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 2006
and 2005 Financial Statements, [3]GAO-07-371 (Washington, D.C.: Feb. 13,
2007).

^4GAO, Information Security: Federal Deposit Insurance Corporation Needs
to Improve Its Program, [4]GAO-06-620 (Washington, D.C.: Aug. 31, 2006)
and GAO, Information Security: Federal Deposit Insurance Corporation Needs
to Improve Its Program (Limited Official Use Only), GAO-06-619SU
(Washington, D.C.: Aug. 31, 2006).

In our audit report^5 on the calendar year 2006 financial statements of
the FDIC's funds, we concluded that issues related to information security
controls do not constitute a significant deficiency.^6 We also stated in
that report that continued management commitment to an effective
information security program will be essential to ensure that the
corporation's financial and sensitive information will be adequately
protected.

We performed our review at the FDIC computer facility in Arlington,
Virginia, from September 2006 through February 2007. Our review was
performed in accordance with generally accepted government auditing
standards.

                                Results in Brief

FDIC has made substantial progress in correcting previously reported
weaknesses. Specifically, it has corrected or mitigated 21 of the 26
weaknesses that we had reported as unresolved at the completion of our
calendar year 2005 audit. Actions that FDIC has taken include developing
and implementing procedures to prohibit the transmission of mainframe user
and administrator passwords in plaintext across the network, implementing
procedures to change vendor-supplied account/passwords, and improving
mainframe security monitoring controls.

Although it has made important progress improving its information system
controls, weaknesses exist that could limit FDIC's ability to effectively
protect the confidentiality, integrity, and availability of its financial
and sensitive information and systems. In addition to the five previously
reported weaknesses that are in process of being addressed, we identified
new information security weaknesses. For example, the corporation did not
consistently implement controls related to (1) e-mail security, (2)
physical security, and (3) configuration management. Although these
weaknesses do not pose a significant risk of misstatement of the
corporation's financial statements, they do increase preventable risk to
the corporation's financial and sensitive systems and information.

^5 [5]GAO-07-371.

^6A significant deficiency is a control deficiency, or combination of
deficiencies, that adversely affects the entity's ability to initiate,
authorize, record, process, or report financial data reliably in
accordance with generally accepted accounting principles such that there
is more than a remote likelihood that a misstatement of the entity's
financial statements that is more than inconsequential will not be
prevented or detected. As a result of Statement on Auditing Standards
(SAS) 112, the term reportable condition is no longer used.

In addition, FDIC has not fully integrated its new financial
system--called the New Financial Environment (NFE)--into its information
security program. Although FDIC had developed, documented, and implemented
a corporate information security program, it did not fully implement key
control activities for the NFE. For example, FDIC had not sufficiently
assessed risks, updated the security plan, reported certain security
incidents, or updated the contingency plan. Until FDIC fully integrates
the NFE with the information security program, its ability to maintain
adequate system controls over its financial and sensitive information will
be limited.

We are recommending that the FDIC Chief Financial Officer and Chief
Operating Officer take actions to address the control weaknesses and to
fully integrate the NFE into the corporation's information security
program.

In written comments on a draft of this report (which are reprinted in app.
II), FDIC's Deputy to the Chairman and Chief Financial Officer stated that
FDIC concurred with seven of our recommendations and has implemented or
will implement them in the coming year. FDIC partially concurred with our
remaining five recommendations and, based on the Deputy's comments, we
have made revisions to and clarified one of the recommendations. The
Deputy stated that the corporation has developed or implemented plans to
adequately address the underlying risks that prompted these five
recommendations, in some instances through alternative corrective actions.
If the corporation effectively implements these corrective actions, it
will have satisfied the intent of our recommendations.

                                   Background

Information security is a critical consideration for any organization that
depends on information systems and computer networks to carry out its
mission or business. It is especially important for government agencies,
where maintaining the public's trust is essential. The dramatic expansion
in computer interconnectivity and the rapid increase in the use of the
Internet have changed the way our government, the nation, and much of the
world communicate and conduct business. However, without proper
safeguards, systems are unprotected from individuals and groups with
malicious intent to intrude and use the access to obtain sensitive
information, commit fraud, disrupt operations, or launch attacks against
other computer systems and networks. This concern is well-founded for a
number of reasons, including the dramatic increase in reports of security
incidents, the ease of obtaining and using hacking tools, the steady
advance in the sophistication and effectiveness of attack technology, and
the dire warnings of new and more destructive attacks to come.

Computer-supported federal operations are likewise at risk. Our previous
reports and those of agency inspectors general describe persistent
information security weaknesses that place a variety of federal operations
at risk of disruption, fraud, and inappropriate disclosure. Thus, we have
designated information security as a governmentwide high-risk area since
1997,^7 a designation that remains today.^8

Recognizing the importance of securing federal agencies' information and
systems, Congress enacted the Federal Information Security Management Act
of 2002 (FISMA) to strengthen the security of information and systems
within federal agencies.^9 FISMA requires each agency to use a risk-based
approach to develop, document, and implement a departmentwide information
security program for the information and systems that support the
operations and assets of the agency.

             FDIC Is a Key Protector of Bank and Thrift Depositors

Congress created FDIC in 1933^10 to restore and maintain public confidence
in the nation's banking system. The Financial Institutions Reform,
Recovery, and Enforcement Act of 1989 sought to reform, recapitalize, and
consolidate the federal deposit insurance system.^11 The act designated
FDIC as the administrator of two funds responsible for protecting insured
bank and thrift depositors--BIF and the SAIF. The act also designated FDIC
as the administrator of the FSLIC Resolution Fund, which was created to
complete the affairs of the former FSLIC and liquidate the
assets and liabilities transferred from the former Resolution Trust
Corporation. On February 8, 2006, the President signed into law the
Federal Deposit Insurance Reform Act of 2005. Among its provisions, the
act calls for the merger of the BIF and SAIF into the DIF.^12 FDIC
completed this merger on March 31, 2006. In managing these funds, the
corporation has an examination and supervision program to monitor the
safety of deposits held in member institutions.

^7GAO, High-Risk Series: Information Management and Technology,
[6]GAO/HR-97-9 (Washington, D.C.: February 1997).

^8GAO, High-Risk Series: An Update, [7]GAO-07-310 (Washington, D.C.:
January 2007).

^9FISMA was enacted as title III, E-Government Act of 2002, Pub. L. No.
107-347 (Dec. 17, 2002).

^10Federal Deposit Insurance Corporation Act, June 16, 1933, Ch. 89, § 8.

^11Pub. L. No. 101-73 (Aug. 9, 1989).

FDIC insures deposits in excess of $4 trillion for its 8,693 member
institutions. FDIC had a budget of about $1.06 billion for calendar year
2006 to support its activities in managing the funds. For that year, it
processed almost 21 million financial transactions.

                       FDIC Reliance on Computer Systems

FDIC relies extensively on computerized systems to support its financial
operations and store the sensitive information that it collects. Its local
and wide area networks interconnect these systems. To support its
financial management functions, the corporation relies on the NFE and
several financial systems that process and track financial transactions,
including premiums paid by its member institutions and disbursements made
to support operations. Other systems maintain personnel information for
employees, examination data for financial institutions, and legal
information on closed institutions. At the time of our review, there were
about 5,629 users on FDIC systems.

Federal law delineates responsibilities for the management of computer
systems at FDIC. Under FISMA, the Chairman of FDIC is responsible for,
among other things, (1) providing information security protections
commensurate with the risk and magnitude of the harm resulting from
unauthorized access, use, disclosure, disruption, modification, or
destruction of the agency's information systems and information; (2)
ensuring that senior agency officials provide information security for the
information and information systems that support the operations and assets
under their control; and (3) delegating to the agency's Chief Information
Officer the authority to ensure compliance with the requirements imposed
on the agency under FISMA.

Two deputies to the Chairman--the Chief Financial Officer and Chief
Operating Officer--also have information security responsibilities. The
Chief Financial Officer is responsible for the preparation of financial
statements and ensures that they are fairly presented and demonstrate
discipline and accountability. The Chief Financial Officer is part of a
senior management group that oversees the NFE. The group receives monthly
system progress updates from the NFE project team.

^12Pub. L. No. 109-171, § 2102 (Feb. 8, 2006).

The Chief Operating Officer is responsible for planning, coordinating,
evaluating, and improving programs and resource management. He is also in
charge of the Chief Information Officer, who is responsible for developing
and maintaining a departmentwide information security program and for
developing and maintaining information security policies, procedures, and
control techniques that address all applicable requirements.

Objectives, Scope, and Methodology

The objectives of our review were to assess (1) the progress FDIC has made
in correcting or mitigating the remaining information system control
weaknesses reported as unresolved at the time of our prior review in
2005^13 and (2) the effectiveness of the corporation's information system
controls for protecting the confidentiality, integrity, and availability
of financial and sensitive data. An integral part of our objectives was to
support the opinion on internal control in GAO's 2006 financial statement
audit by assessing the degree of security over systems that support the
generation of the FDIC funds' financial statements.

Our scope and methodology were based on our Federal Information System
Controls Audit Manual,^14 which contains guidance for reviewing
information system controls that affect the confidentiality, integrity,
and availability of computerized data. Focusing on FDIC's financial
systems and associated infrastructure, we evaluated the effectiveness of
information security controls that are intended to

     o prevent, limit, and detect access to computer resources (data,
       programs, and systems), thereby protecting these resources against
       unauthorized disclosure, modification, and use;
     o provide physical protection of computer facilities and resources from
       unauthorized use, espionage, sabotage, damage, and theft;
     o prevent the exploitation of vulnerabilities;
     o prevent the introduction of unauthorized changes to application or
       system software;
     o ensure that work responsibilities for computer functions are
       segregated so that one individual does not perform or control all key
       aspects of computer-related operations and thereby have the ability to
       conduct unauthorized actions or gain unauthorized access to assets or
       records without detection; and
     o ensure the implementation of secure and effective configuration
       management.

^13 [8]GAO-06-620 and GAO-06-619SU.

^14 GAO, Federal Information System Controls Audit Manual, Volume I-Financial
Statements Audits, [9]GAO/AIMD-12.19.6 (Washington, D.C.: January 1999).

In addition, we evaluated aspects of FDIC's information security program
as they relate to NFE. This program includes assessing risk; developing
and implementing policies, procedures, and security plans; promoting
security awareness and providing specialized training for those with
significant security responsibilities; testing and evaluating the
effectiveness of controls; planning, implementing, evaluating, and
documenting remedial actions to address information security deficiencies;
detecting, reporting, and responding to security incidents; and ensuring
the continuity of operations.

To evaluate FDIC's information security controls and program, we
identified and examined pertinent FDIC security policies, procedures,
guidance, security plans, and relevant reports provided during fieldwork.
In addition, we conducted tests and observations of controls in operation
and reviewed corrective actions taken by the corporation to address
vulnerabilities identified during our previous review.^15 We also
discussed with key security representatives, system administrators, and
management officials whether information system controls were in place,
adequately designed, and operating effectively.

We performed our review at the FDIC computer facility in Arlington,
Virginia, from September 2006 through February 2007. Our review was
performed in accordance with generally accepted government auditing
standards.

^15 [10]GAO-06-620 and GAO-06-619SU.

  FDIC Has Made Substantial Progress Correcting Previously Reported
  Weaknesses

FDIC has taken steps to address security control weaknesses. The
corporation has corrected or mitigated 21 of the 26 weaknesses that we
previously reported as unresolved at the completion of our calendar year
2005 audit (see app. I). For example, the corporation has

     o developed and implemented procedures to prohibit the transmission of
       mainframe user and administrator passwords in plaintext across the
       network,
     o established and implemented a process to monitor and report on
       vendor-supplied account/password combinations, and
     o improved mainframe security monitoring controls.

While the corporation has made important progress in strengthening its
information security controls, it is still completing actions to correct
or mitigate the remaining five previously reported weaknesses. The
outstanding actions include ensuring that only authorized application
software changes are implemented, limiting network access to sensitive
personally identifiable and business proprietary information, effectively
generating and reviewing the NFE audit reports, adequately controlling
physical access to the Virginia Square building, and properly segregating
incompatible system-related functions, duties, and capacities for an
individual associated with the NFE. Until these actions are completed, the
corporation's sensitive data could remain vulnerable to unauthorized
access and manipulation.

Appendix I describes the previously reported weaknesses in information
security controls that were unresolved at the time of our prior review and
the status of the corporation's corrective actions.

  FDIC Has Made Progress in Information System Controls, However Some
  Weaknesses Remain

Although FDIC made substantial improvements to its information system
controls, unresolved and newly identified weaknesses could limit its
ability to effectively protect the confidentiality, integrity, and
availability of its financial and sensitive information and information
systems. Specifically, we identified new weaknesses in controls related to
(1) e-mail security, (2) physical security, and (3) configuration
management. Although these control weaknesses do not pose significant
risks of misstatement to the financial reports, they do increase the risk
to FDIC's financial and sensitive systems and information and increase the
risk of unauthorized modification of data and programs, inappropriate
disclosure of sensitive information, or disruption of critical operations.

                                E-mail Security

E-mail is perhaps the most widely used means of exchanging business
information over the Internet or any other computer network. Because the
computing and networking technologies that underlie e-mail are widespread
and well known, attackers have developed methods that exploit their
security weaknesses. E-mail messages can be secured in various ways,
including the use of digital signatures, which can ensure the integrity of
an e-mail message and confirm the identity of its sender. National
Institute of Standards and Technology (NIST) guidance recommends that
organizations consider implementing secure e-mail technologies such as
digital signatures to ensure the integrity of e-mail data. FDIC policy
requires individual division managers to establish specific procedures
regarding the use of secure e-mail technologies.

FDIC did not use secure e-mail methods to protect the integrity of certain
accounting data transferred over an internal communication network. The
corporation relied on unsecured e-mail transmission of accounting data
instead of more secure methods, such as digitally signing the e-mail or
using the internal data transmission functions in NFE. Specifically, it
did not use secure e-mail during the monthly NFE closing processes because
the Division of Finance, the division responsible for the financial
environment, had not developed requirements for securing e-mail. In
addition, the e-mail system did not prevent messages from being sent with
forged sender names and addresses. As a result, increased risk exists that
an attacker could manipulate accounting data.
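The two properties the finding turns on, integrity of the accounting data and proof of who sent it, are shown below in an added example that is not part of the GAO report and does not describe FDIC's or NFE's actual systems. The Go program signs the sender, recipient, subject, and body of a closing-process message with an Ed25519 key, then shows that a changed amount, a forged From address, and a signature made with some other key all fail verification. The addresses, the journal entry, and the in-program key generation are constructed for illustration; in practice the public key is bound to the sending division through a certificate or a trusted directory (S/MIME is the usual packaging), never taken from the message itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Message is the part of an e-mail that the signature covers. The From
// header is included on purpose: a signature over the body alone would
// still verify if an attacker re-sent that body under a forged sender.
type Message struct {
	From    string
	To      string
	Subject string
	Body    string
}

// canonical renders the signed fields in a fixed order with trimmed
// whitespace and LF line endings, so sender and verifier operate on
// exactly the same bytes even if a mail relay rewrites line endings.
func canonical(m Message) []byte {
	norm := func(s string) string {
		return strings.ReplaceAll(strings.TrimSpace(s), "\r\n", "\n")
	}
	var b strings.Builder
	b.WriteString("From: " + norm(m.From) + "\n")
	b.WriteString("To: " + norm(m.To) + "\n")
	b.WriteString("Subject: " + norm(m.Subject) + "\n\n")
	b.WriteString(norm(m.Body) + "\n")
	return []byte(b.String())
}

// NewSigningKey generates an Ed25519 key pair for the sending division.
// Assumption for this example only: a real deployment distributes the
// public key out of band (certificate or directory entry) and keeps the
// private key in the sender's mail client or an HSM, not in a program.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignMessage returns a detached signature over the canonical message.
func SignMessage(priv ed25519.PrivateKey, m Message) []byte {
	return ed25519.Sign(priv, canonical(m))
}

// VerifyMessage reports whether sig was produced over exactly this
// message by the holder of the private key that matches pub.
func VerifyMessage(pub ed25519.PublicKey, m Message, sig []byte) bool {
	return ed25519.Verify(pub, canonical(m), sig)
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a month-end closing entry sent by e-mail.
	orig := Message{
		From:    "closing@finance.example",
		To:      "ledger@finance.example",
		Subject: "NFE month-end close: journal entry 2006-12-017",
		Body:    "Dr 1010 Cash         125000.00\nCr 4010 Assessments  125000.00",
	}
	sig := SignMessage(priv, orig)
	fmt.Println("genuine message verifies:", VerifyMessage(pub, orig, sig))

	// Someone on the internal network changes one amount in transit.
	tampered := orig
	tampered.Body = strings.Replace(orig.Body, "125000.00", "1250000.00", 1)
	fmt.Println("tampered amount verifies:", VerifyMessage(pub, tampered, sig))

	// The signed body is re-sent under a forged sender address.
	forged := orig
	forged.From = "cfo@finance.example"
	fmt.Println("forged sender verifies:  ", VerifyMessage(pub, forged, sig))

	// A signature made with an attacker's own key does not verify
	// under the finance division's public key.
	_, attackerPriv, _ := NewSigningKey()
	fmt.Println("attacker's key verifies: ", VerifyMessage(pub, orig, SignMessage(attackerPriv, orig)))
}
```

The verifier's decision depends entirely on which public key it trusts for the From address; canonicalization keeps relay rewrites (CRLF to LF, trailing whitespace) from turning a genuine message into a false alarm while still catching a change to any signed field.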

                         Physical Security

Physical security controls are important for protecting computer
facilities and resources from espionage, sabotage, damage, and theft.
These controls involve restricting physical access to computer resources,
usually by limiting access to the buildings and rooms in which the
resources are housed, and periodically reviewing access granted to ensure
that it continues to be appropriate. FDIC policy also requires that
visitors be allowed to enter an office only after providing proof of
identity, identifying the person they are visiting, signing a visitor log,
obtaining a visitor badge, and being escorted at all times by the employee
whom they are visiting.

FDIC did not consistently apply physical security controls. For example,
an unauthorized visitor was able to enter a key FDIC facility without
providing proof of identity, signing a visitor log, obtaining a visitor's
badge, or being escorted. In addition, a workstation with access to a
payroll system was located in an unsecured office. As a result, increased
risk exists that unauthorized individuals could gain physical access to a
key facility and to systems that hold sensitive information.

                            Configuration Management

Configuration management involves identifying and managing the security
features of all hardware, software, and firmware components of an
information system at a given point in time and systematically
controlling changes to that configuration throughout the system's life
cycle. An agency should have configuration management controls to ensure
that only authorized changes are made to such critical components. In
addition, all applications and changes to those applications should go
through a formal, documented systems development process that identifies
all changes to the baseline configuration, and procedures should ensure
that no unauthorized software is installed. Patch management, a component
of configuration management, is an important element in mitigating the
risk associated with software vulnerabilities: up-to-date patch
installations mitigate flaws in software code that could otherwise be
exploited to cause significant damage. FDIC policy requires that patches
be implemented within specified time frames. FDIC policy also states that
configuration status accounting and configuration auditing, which includes
both functional and physical audits, should be performed. Configuration
audits help to maintain the integrity of the configuration baseline and to
ensure that, when a significant product change is introduced, only
authorized changes are made. FDIC policy further states that project
documentation should be managed and updated as it evolves over time.

FDIC did not consistently implement configuration management controls for
NFE. Specifically, the corporation did not

     o develop and maintain a complete listing of all configuration items and
       a baseline configuration for NFE, including application software, data
       files, software development tools, hardware, and documentation;
     o ensure that all significant system changes, such as parameter changes,
       go through a change control process;
     o apply comprehensive patches to system software in a timely manner (for
       example, an FDIC report stated that in the third quarter of fiscal year
       2006, software patches for 15 of 21 high-risk vulnerabilities and 5 of
       34 medium-risk vulnerabilities were not implemented within required
       time frames; another report showed that between July 9, 2006, and
       October 9, 2006, of nine high-risk patches that were not implemented
       within the required time period, eight were not implemented for 42
       days);
     o review status accounting reports, or perform complete functional and
       physical configuration audits; and
     o update or control documents to reflect the current state of the
       environment and to ensure consistency with related documents.
       Specifically, documents such as the NFE security plan, risk
       assessment, and contingency plan did not reflect the current
       environment.

The NFE project team did not institute these controls because it did not
consistently follow the processes outlined in the NFE configuration
management plan. According to FDIC officials, the plan was not being
followed because it had not been updated to reflect the new system
development life cycle. In addition, according to an FDIC official,
patches were not implemented within the specified time frames because
contractors do not always follow FDIC policy.

As a result, the corporation has a higher risk that NFE may not perform as
intended.

  NFE Was Not Fully Integrated into the Corporation's Information Security
  Program

Although FDIC had taken steps to develop, document, and implement a
corporate information security program, it did not fully implement key
control activities for NFE. For example, FDIC had not sufficiently
assessed risks, updated the security plan, reported computer security
incidents, or updated the contingency plan to reflect the current
environment for NFE.

                            Risk Assessments

Identifying and assessing information security risks are essential steps
in determining what controls are required. Moreover, by increasing
awareness of risks, these assessments can generate support for the
policies and controls that are adopted in order to help ensure that they
operate as intended. Security testing and evaluation can be used to
efficiently identify system vulnerabilities for use in a risk assessment.
NIST guidance states that the risk assessment should be updated to reflect
the results of the security test and evaluation.

The risk assessment for NFE was not properly updated. FDIC performed a
security test and evaluation after the risk assessment was performed.
However, the risk assessment was not updated to include the risks
associated with any of the newly identified vulnerabilities. As a result,
NFE may have inadequate or inappropriate security controls that might not
address the system's true risk.

                                 Security Plans

A security plan provides an overview of the system's security requirements
and describes the controls that are in place--or planned--to meet those
requirements. Common security controls are controls that can be applied to
one or more organizational information systems. System-specific controls
are the responsibility of the information system owner. NIST guidance
states that system security plans should clearly identify which security
controls have been designated as common security controls and the
individual responsible for implementing the common security control. In
addition, NIST guidance states that organizations should update
information system security plans to address system/organizational
changes.

The corporation did not update the system security plan for NFE. FDIC has
identified 77 management, operational, and technical common security
controls established in its information system. However, the NFE security
plan was not updated to clearly identify common security controls. In
addition, the security plan was not updated to reflect the correct servers
or recently installed mainframe hardware. As a result, increased risk
exists that proper controls may not be implemented for the NFE.
                     
                          Incident Handling

Even strong controls may not block all intrusions and misuse, but
organizations can reduce the risks associated with such incidents if they
take steps to promptly detect and respond to them before significant damage
is done. In addition, analyzing security incidents allows organizations to
gain a better understanding of the threats to their information and the
costs of their security-related problems. Such analyses can pinpoint
vulnerabilities that need to be eliminated so that they will not be
exploited again. FISMA requires that agency information
security programs include procedures for detecting and reporting security
incidents. NIST guidance states that organizations should implement an
incident handling capability for security incidents that includes
preparation, detection and analysis, containment, eradication, and
recovery. In addition, NIST guidance states that organizations should
regularly review and analyze information system audit records for
indications of inappropriate or unusual activity, investigate suspicious
activity or suspected violations, report findings to appropriate
officials, and take necessary actions. FDIC policy requires all users of
the corporate information systems to report suspected computer security
incidents^16 to the Computer Security Incident Response Team (CSIRT).

FDIC has implemented an incident handling program, including establishing
a team and associated procedures for detecting, responding to, and
reporting computer security incidents. However, the corporation did not
always review events occurring in the NFE to determine whether the events
were computer security incidents or not. For example, during our
observation of the purchase order matching process, an FDIC official
overrode a matching exception. Although an override exception matching
report was generated, it was not reviewed to determine if it was an
incident, and was not forwarded to CSIRT. According to an official, there
were not always procedures to review events in NFE. As a result, increased
risk exists that computer security incidents that relate to the NFE will
not be identified.
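As an added example, not taken from the report or from FDIC's procedures, the following Python script shows what a documented event-review procedure for NFE override exception reports could look like: it parses constructed report lines, applies a small set of written criteria, and lists the overrides that should be forwarded to CSIRT with the reason for each. The line format, the authorized-user list, the dollar threshold and the business-hours window are all assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Assumed review criteria. The report says FDIC lacked procedures to review
# NFE events; the triggers below are placeholders a reviewer would write
# down, not criteria taken from FDIC policy.
AUTHORIZED_OVERRIDERS = {"jdoe", "mlee"}   # constructed user ids
HIGH_VALUE_THRESHOLD = 5000.00             # assumed dollar threshold
BUSINESS_HOURS = range(7, 19)              # 07:00 to 18:59, assumed

# Constructed line format: timestamp, event type, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>[A-Z]+) (?P<fields>.*)$"
)


@dataclass
class OverrideEvent:
    when: datetime
    user: str
    po: str
    amount: float
    reasons: List[str] = field(default_factory=list)  # why CSIRT should see it

    @property
    def refer_to_csirt(self) -> bool:
        return bool(self.reasons)


def parse_override(line: str) -> Optional[OverrideEvent]:
    """Return an OverrideEvent for OVERRIDE lines; None for other event types."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("event") != "OVERRIDE":
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    return OverrideEvent(
        when=datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        user=fields["user"],
        po=fields["po"],
        amount=float(fields["amount"]),
    )


def review(ev: OverrideEvent) -> OverrideEvent:
    """Apply the documented criteria and record every reason that fires."""
    if ev.user not in AUTHORIZED_OVERRIDERS:
        ev.reasons.append("override by user not authorized to override matches")
    if ev.amount > HIGH_VALUE_THRESHOLD:
        ev.reasons.append(
            f"override amount {ev.amount:.2f} exceeds {HIGH_VALUE_THRESHOLD:.2f}")
    if ev.when.hour not in BUSINESS_HOURS:
        ev.reasons.append("override performed outside business hours")
    return ev


def review_report(lines: List[str]) -> Dict[str, object]:
    """Review every override in the report and list those to forward to CSIRT."""
    overrides = [ev for ev in map(parse_override, lines) if ev is not None]
    reviewed = [review(ev) for ev in overrides]
    return {
        "overrides_reviewed": len(reviewed),
        "refer_to_csirt": [ev.po for ev in reviewed if ev.refer_to_csirt],
        "reasons": {ev.po: ev.reasons for ev in reviewed if ev.refer_to_csirt},
    }


# Constructed override exception matching report lines (not FDIC data).
SAMPLE_LINES = [
    "2006-11-14 09:12:03 OVERRIDE user=jdoe po=PO-1001 reason=price_variance amount=1250.00",
    "2006-11-14 22:47:10 OVERRIDE user=jdoe po=PO-1002 reason=quantity_variance amount=800.00",
    "2006-11-15 10:05:44 OVERRIDE user=tsmith po=PO-1003 reason=price_variance amount=43000.00",
    "2006-11-15 10:06:01 MATCH user=tsmith po=PO-1004 status=ok",
]


def demo() -> Dict[str, object]:
    return review_report(SAMPLE_LINES)


if __name__ == "__main__":
    for po, why in demo()["reasons"].items():
        print(po, "->", "; ".join(why))
```

The point of recording every reason, rather than stopping at the first, is that the referral to CSIRT carries the full basis for the decision; an override that is both unauthorized and high-value is a different case from one that merely happened after hours.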

                        Continuity of Operations

Continuity of operations, which includes disaster recovery planning,
should be designed to ensure that when unexpected events occur, essential
operations continue without interruption or can be promptly resumed, and
critical and sensitive data are protected. These controls include
procedures to minimize the risk of unplanned interruptions, along with a
well-tested plan to recover critical operations should interruptions
occur. FISMA requires that agencies have plans and procedures to ensure
the continuity of operations for information systems that support the
operations and assets of the agency. NIST guidance states that disaster
recovery plans, including contingency plans, should be maintained in a
ready state that accurately reflects system requirements, procedures, and
organizational structure.

^16 FDIC policy defines a computer security incident as an event that
threatens the security of the corporate information systems, including
FDIC's computers, mainframe, networks, software and associated equipment,
and information stored or transmitted using that equipment.

FDIC has developed plans for the continuity of NFE operations. To assess
the effectiveness of the plans, FDIC successfully tested the NFE at its
new disaster recovery site.^17 However, the NFE contingency plan was not
updated to reflect the new disaster recovery site. In addition, the plan
identified servers that were not in use. As a result, FDIC has limited
assurance it will be able to efficiently implement continuity of
operations for the NFE in the event of an emergency when knowledgeable
employees are not available.
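The two plan findings above (the security plan listing the wrong servers and omitting the recently installed mainframe hardware, and the contingency plan still naming the old disaster recovery site and servers no longer in use) are both cases of a document drifting from the environment it describes. As an added example that is not from the report or from FDIC, the Python script below reconciles a plan's documented inventory against the current environment and reports stale hosts, undocumented hosts, changed host attributes and changed plan-level attributes such as the disaster recovery site. All host, site and attribute names are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A plan is a simple mapping: plan-level attributes plus an inventory of
# servers keyed by host name, each with a few descriptive attributes.
Plan = Dict[str, object]


@dataclass
class Drift:
    stale_hosts: List[str] = field(default_factory=list)         # in the plan, not in use
    undocumented_hosts: List[str] = field(default_factory=list)  # in use, not in the plan
    changed_hosts: Dict[str, Dict[str, Tuple[object, object]]] = field(default_factory=dict)
    changed_attributes: Dict[str, Tuple[object, object]] = field(default_factory=dict)

    @property
    def plan_is_current(self) -> bool:
        return not (self.stale_hosts or self.undocumented_hosts
                    or self.changed_hosts or self.changed_attributes)


def reconcile(documented: Plan, actual: Plan) -> Drift:
    """Compare a security or contingency plan against the live environment."""
    drift = Drift()
    doc_hosts: Dict[str, dict] = documented["servers"]
    live_hosts: Dict[str, dict] = actual["servers"]

    drift.stale_hosts = sorted(set(doc_hosts) - set(live_hosts))
    drift.undocumented_hosts = sorted(set(live_hosts) - set(doc_hosts))

    # Hosts present in both: report any attribute whose documented value
    # differs from the live value (a missing attribute shows up as None).
    for host in sorted(set(doc_hosts) & set(live_hosts)):
        diffs = {k: (doc_hosts[host].get(k), live_hosts[host].get(k))
                 for k in set(doc_hosts[host]) | set(live_hosts[host])
                 if doc_hosts[host].get(k) != live_hosts[host].get(k)}
        if diffs:
            drift.changed_hosts[host] = diffs

    # Plan-level attributes, e.g. the disaster recovery site.
    for key in set(documented) | set(actual):
        if key == "servers":
            continue
        if documented.get(key) != actual.get(key):
            drift.changed_attributes[key] = (documented.get(key), actual.get(key))
    return drift


# Constructed data: a contingency plan written before a disaster recovery
# site change, and the environment as it stands now. Names are placeholders.
DOCUMENTED_PLAN: Plan = {
    "system": "NFE",
    "dr_site": "DR-SITE-OLD",
    "servers": {
        "nfe-app-01": {"role": "application", "site": "primary"},
        "nfe-db-01": {"role": "database", "site": "primary"},
        "nfe-app-legacy": {"role": "application", "site": "primary"},
    },
}
ACTUAL_ENVIRONMENT: Plan = {
    "system": "NFE",
    "dr_site": "DR-SITE-NEW",
    "servers": {
        "nfe-app-01": {"role": "application", "site": "primary"},
        "nfe-db-01": {"role": "database", "site": "primary", "platform": "mainframe"},
        "nfe-app-02": {"role": "application", "site": "primary"},
    },
}


def demo() -> Drift:
    return reconcile(DOCUMENTED_PLAN, ACTUAL_ENVIRONMENT)


if __name__ == "__main__":
    d = demo()
    print("plan current:", d.plan_is_current)
    print("stale:", d.stale_hosts, "undocumented:", d.undocumented_hosts)
    print("changed hosts:", d.changed_hosts)
    print("changed attributes:", d.changed_attributes)
```

Run against a plan that was last revised before a site move, the report lists exactly the items an update must touch: the server entry to delete, the server entry to add, the attribute that changed, and the new recovery site. Running it as part of a change or status accounting review is one way to keep documents current without relying on someone remembering to edit them.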

                                  Conclusions

FDIC has made substantial progress in correcting previously reported
weaknesses and has taken other steps to improve information security.
Although five weaknesses from prior reports remain unresolved and new
control weaknesses related to (1) e-mail security, (2) physical security,
and (3) configuration management were identified, the remaining unresolved
weaknesses previously reported and the newly identified weaknesses did not
pose significant risk of misstatement in the corporation's financial
statements for calendar year 2006. However, the old and new weaknesses do
increase preventable risk to the corporation's financial and sensitive
systems and information.

Since FDIC did not fully integrate its NFE into its information security
program, it did not fully implement key control activities for NFE, such
as sufficiently assessing risks, updating the security plan, reporting
computer security incidents, or updating the contingency plan to reflect
the current environment. Continued management commitment to integrating
the NFE into the corporate information security program will be essential
to ensure that the corporation's financial and sensitive information will
be adequately protected. As the corporation continues to enhance the NFE,
its reliance on controls implemented in this single, integrated financial
system will increase. Until FDIC fully integrates NFE into the security
program, its ability to maintain adequate information system controls over
its financial and sensitive information will be limited.

^17 In April of 2006, FDIC consolidated its disaster recovery capability into
one disaster recovery site.

  Recommendations for Executive Action

In order to sustain progress in improving its program, we recommend that
the FDIC Chief Financial Officer and Chief Operating Officer direct that the
following 12 actions be performed in a timely manner:

     o Require that e-mail containing or transmitting accounting data be
       secured to protect the integrity of the accounting data.

     o Train security personnel to implement the corporation's policy on
       physical security of the facility.

     o Instruct FDIC personnel to lock rooms that contain sensitive software.

     o Develop a configuration item index of all configuration items for NFE
       using a consistent and documented naming convention.

     o Require that significant changes to the system, such as parameter
       changes, go through a formal change management process.

     o Implement patches in a timely manner.

     o Require that the NFE project team review status accounting reports and
       perform complete functional and physical configuration audits.

     o Adequately control the NFE documents so that they are up-to-date and
       accurately reflect the current environment.

     o Update the NFE risk assessment to include the risk associated with
       vulnerabilities identified during security testing and evaluation.

     o Update the NFE security plan to clearly identify all common security
       controls.

     o Develop procedures to review events occurring in the NFE to determine
       whether the events are computer security incidents.

     o Update the contingency plan to reflect the new disaster recovery site
       and servers that are in use.

  Agency Comments and Our Evaluation

We received written comments on a draft of this report from FDIC's Deputy
to the Chairman and Chief Financial Officer (these are reprinted in app.
II). The Deputy acknowledged the benefit of the recommendations made as
part of this year's audit and stated that FDIC concurred with seven of our
recommendations and has implemented or will implement them in the coming
year. He also stated that FDIC partially concurred with our remaining five
recommendations and has developed or implemented plans to adequately
address the underlying risks that prompted these five recommendations, in
some instances through alternative corrective actions.

With regard to the five recommendations with which FDIC partially
concurred, if the corporation adequately implements the corrective actions
described below, it will have satisfied the intent of our recommendations.
Regarding our
recommendation that FDIC require that e-mail containing or transmitting
accounting data be secured to protect the integrity of the accounting
data, the Deputy stated that by July 31, 2007, FDIC will ensure that the
integrity of accounting data transmitted by e-mail is appropriately
protected, and that it will evaluate the various exchanges of accounting
information and identify and document where more secure communications are
needed. Concerning our recommendation that FDIC instruct personnel to lock
rooms that contain sensitive software, the Deputy stated that FDIC has
conducted additional analysis on the software that had access to payroll
information and has removed that software from the desktop. With regard to
our recommendation that FDIC require that significant changes to the
system, such as parameter changes, go through a formal change management
process, the Deputy stated that by December 31, 2007, FDIC will have
developed procedures that will include appropriate management of, and
documentation standards for, parameter changes. Based on the Deputy's
comments, we have clarified our recommendation that FDIC update the NFE
risk assessment to include the risk associated with vulnerabilities
identified during security testing and evaluation. The Deputy stated that
FDIC has since changed its process to require updates to the risk
assessments when applications undergo major changes that affect the
security of the system. Finally, with regard to the recommendation that
FDIC develop procedures to review events occurring in the NFE to determine
whether the events are computer security incidents, the Deputy stated that
FDIC addressed this issue during the first quarter of 2007 when it
established a formal process for monitoring and reviewing such events. In
addition, FDIC plans to have documented procedures for elevating potential
security violations to the incident handling team and for monitoring
unusual events by August 31, 2007.

We are sending copies of this report to the Chairman and Ranking Minority
Member of the Senate Committee on Banking, Housing, and Urban Affairs; the
Chairman and Ranking Minority Member of the House Committee on Financial
Services; members of the FDIC Audit Committee; officials in FDIC's
divisions of information resources management, administration, and
finance; and the FDIC inspector general. We will also make copies
available to others upon request. In addition, this report will be
available at no charge on the GAO Web site at http://www.gao.gov.

If you have any questions regarding this report, please contact me at
(202) 512-6244 or by e-mail at [email protected]. Contact points for
our Offices of Congressional Relations and Public Affairs may be found on
the last page of this report. Key contributors to this report are listed
in appendix III.

Gregory C. Wilshusen
Director, Information Security Issues

Appendix I: Status of Previously Reported Weaknesses

Weakness                                                  Action     Action in
                                                          completed  progress

[13]Information Security: Information System Controls at
the Federal Deposit Insurance Corporation (GAO-04-629)

Access authority

1. Federal Deposit Insurance Corporation (FDIC) was
   using live data to support application development
   and testing.                                             X

Network security

2. Personal firewall settings for corporate examiner
   laptop computers that were used for remotely
   connecting to the network were not adequately
   secured.                                                 X

Information Security: Federal Deposit Insurance
Corporation Needs to Sustain Progress (GAO-05-487SU)

Access controls

3. Procedures were not established to prevent
   processes running in supervisor state in one
   logical partition from accessing datasets stored
   in another partition.                                    X

4. Procedures were not in place to identify and
   effectively control risks caused by sharing
   critical system components between production and
   nonproduction LPARs (logical partitions).                X

Network security

5. Structured query language database server
   configurations for many of FDIC's financial
   applications were not adequately secured.                X

Application change control

6. Procedures have not been consistently followed for
   authorizing, documenting, and reviewing all
   application software changes.

Information Security: Federal Deposit Insurance
Corporation Needs to Improve Its Program (GAO-06-619SU)

Access control

7. FDIC did not always change vendor-supplied
   account/password combinations.                           X

8. FDIC did not adequately control inactive user
   accounts. FDIC policy requires accounts that have
   not been used within 60 days be deleted.                 X

9. FDIC transmitted mainframe user and administrator
   passwords in plaintext across the network.               X

Access rights and permissions

10. FDIC did not adequately enforce password
    management restrictions.                                X

11. FDIC access authorizations did not consistently
    support the access rights granted to New Financial
    Environment (NFE) users.                                X

12. FDIC did not adequately control access to datasets
    containing sensitive data critical to the integrity
    of loss calculations used by the Division of
    Insurance.                                              X

13. FDIC did not effectively limit network access to
    sensitive personally identifiable and business
    proprietary information.                                           X

Network services

14. FDIC did not securely configure Internet-
    accessible remote access to its information
    resources.                                              X

15. FDIC permitted the use of unencrypted network
    protocols on its UNIX systems.                          X

Configuration assurance

16. FDIC did not securely configure an Oracle
    production database.                                    X

17. FDIC did not properly secure the Apache Tomcat
    server that hosts a production database used by
    the employee time and attendance system.                X

18. FDIC did not securely configure its workstations.       X

19. FDIC laptop computers had unnecessary wireless
    technologies enabled.                                   X

20. FDIC's Blackberry Enterprise Server and handheld
    devices were deployed and configured with several
    security weaknesses.                                    X

Audit and monitoring of security-related events

21. FDIC did not effectively generate NFE audit
    reports or review them.                                 X

22. FDIC's ability to monitor changes to critical
    mainframe datasets was inadequate.                      X

23. FDIC did not sufficiently audit system activities
    on its Oracle databases.                                X

Physical security

24. FDIC did not adequately control physical access to
    the Virginia Square computer processing facility.                  X

Segregation of duties

25. FDIC did not properly segregate incompatible
    system-related functions, duties, and capacities
    for an individual associated with the NFE.                         X

26. FDIC granted NFE accounts payable users
    inappropriate access to perform incompatible
    functions.                                              X

                                  Source: GAO.

Appendix II: Comments from the Federal Deposit Insurance Corporation

Appendix III: GAO Contacts and Staff Acknowledgments

  GAO Contacts

Gregory C. Wilshusen, (202) 512-6244, [email protected]

  Staff Acknowledgments 
  
In addition to the individual named above, William F. Wadsworth, Assistant
Director; Verginie A. Amirkhanian; Daniel D. Castro; Patrick R. Dugan;
Edward Glagola Jr.; Mickie E. Gray; David B. Hayes; Kaelin
P. Kuhn; Duc M. Ngo; Tammi L. Nguyen; Eugene E. Stevens IV; Henry I. Sutanto;
and Amos Tevelow made key contributions to this report.

(310587)

References

Visible links
3. http://www.gao.gov/cgi-bin/getrpt?GAO-07-371
4. http://www.gao.gov/cgi-bin/getrpt?GAO-06-620
5. http://www.gao.gov/cgi-bin/getrpt?GAO-07-371
6. http://www.gao.gov/cgi-bin/getrpt?GAO/HR-97-9
7. http://www.gao.gov/cgi-bin/getrpt?GAO-07-310
8. http://www.gao.gov/cgi-bin/getrpt?GAO-06-620
9. http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-12.19.6
10. http://www.gao.gov/cgi-bin/getrpt?GAO-06-620
13. http://www.gao.gov/cgi-bin/getrpt?GAO-04-629