Information Security: FDIC Sustains Progress but Needs to Improve
Configuration Management of Key Financial Systems (30-MAY-08,
GAO-08-564).
The Federal Deposit Insurance Corporation (FDIC) has a demanding
responsibility enforcing banking laws, regulating financial
institutions, and protecting depositors. Effective information
security controls are essential to ensure that FDIC systems and
information are adequately protected from inadvertent misuse,
fraudulent use, or improper disclosure. As part of its audit of
FDIC's 2007 financial statements, GAO assessed (1) the progress
FDIC has made in mitigating previously reported information
security weaknesses and (2) the effectiveness of FDIC's controls
in protecting the confidentiality, integrity, and availability of
its financial systems and information. To do this, GAO examined
security policies, procedures, reports, and other documents;
observed controls over key financial applications; and
interviewed key FDIC personnel.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-08-564
ACCNO: A82218
TITLE: Information Security: FDIC Sustains Progress but Needs to
Improve Configuration Management of Key Financial Systems
DATE: 05/30/2008
SUBJECT: Access control
Banking law
Computer security
Configuration control
Data encryption
Data integrity
Data transmission
Financial disclosure
Financial institutions
Financial management systems
Information security
Information security management
Information security regulations
Information systems
Internal controls
Law enforcement
Passwords
Physical security
Risk assessment
Risk management
Security assessments
Program implementation
GAO High Risk Series
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-08-564
This is the accessible text file for GAO report number GAO-08-564
entitled 'Information Security: FDIC Sustains Progress but Needs to
Improve Configuration Management of Key Financial Systems' which was
released on May 30, 2008.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to [email protected].
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Chief Financial Officer and Chief Operating Officer,
Federal Deposit Insurance Corporation:
United States Government Accountability Office:
GAO:
May 2008:
Information Security:
FDIC Sustains Progress but Needs to Improve Configuration Management of
Key Financial Systems:
GAO-08-564:
GAO Highlights:
Highlights of GAO-08-564, a report to the Chief Financial Officer and
Chief Operating Officer, Federal Deposit Insurance Corporation.
Why GAO Did This Study:
The Federal Deposit Insurance Corporation (FDIC) has a demanding
responsibility enforcing banking laws, regulating financial
institutions, and protecting depositors. Effective information security
controls are essential to ensure that FDIC systems and information are
adequately protected from inadvertent misuse, fraudulent use, or
improper disclosure.
As part of its audit of FDIC's 2007 financial statements, GAO assessed
(1) the progress FDIC has made in mitigating previously reported
information security weaknesses and (2) the effectiveness of FDIC's
controls in protecting the confidentiality, integrity, and availability
of its financial systems and information. To do this, GAO examined
security policies, procedures, reports, and other documents; observed
controls over key financial applications; and interviewed key FDIC
personnel.
What GAO Found:
FDIC has made significant progress in mitigating previously reported
information security weaknesses. Specifically, it has corrected or
mitigated 16 of the 21 weaknesses that GAO had previously reported as
unresolved at the completion of the 2006 audit. For example, FDIC has
improved physical security controls over access to its Virginia Square
computer processing facility, instructed personnel to use more secure e-
mail methods to protect the integrity of certain accounting data
transferred over an internal communication network, and updated the
security plan and contingency plan of a key financial system. In
addition, FDIC stated it has initiated and completed some actions to
mitigate the remaining five prior weaknesses. However, we have not
verified that these actions have been completed.
Although FDIC has made significant progress improving its information
system controls, old and new weaknesses could limit the corporation's
ability to effectively protect the confidentiality, integrity, and
availability of its financial systems and information. In addition to
the five previously reported weaknesses that remain unresolved, newly
identified weaknesses in access controls and configuration management
controls introduce risk to two key financial systems. For example, FDIC
did not always implement adequate access controls. Specifically,
multiple FDIC users shared the same login ID and password, had
unrestricted access to application source code, and used passwords that
were not adequately encrypted. In addition, FDIC did not adequately (1)
maintain a full and complete baseline for system requirements; (2)
assign unique identifiers to configuration items; (3) authorize,
document, and report all configuration changes; and (4) perform
configuration audits. Although these weaknesses do not pose significant
risk of misstatement of the corporation's financial statements, they do
increase preventable risk to the corporation's financial systems and
information. A key reason for these weaknesses is that FDIC did not
always fully implement key information security program activities. For
example, it did not adequately conduct configuration control testing or
complete the remedial action plan in a timely manner and did not
include necessary and key information. Until FDIC fully performs key
information security program activities, its ability to maintain
adequate control over its financial systems and information will be
limited.
What GAO Recommends:
GAO recommends that FDIC take actions to improve access and
configuration management controls and to perform key information
security program activities for two financial systems. FDIC concurred
with one and partially concurred with nine of GAO's recommendations and
has developed or implemented plans to address these recommendations. In
some instances, FDIC chose to pursue alternative corrective actions. If
the corporation effectively implements these alternative actions to
reduce risk, it will satisfy the intent of our recommendations.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-564]. For more
information, contact Gregory C. Wilshusen, at (202) 512-6244 or
[email protected], or Dr. Nabajyoti Barkakati at (202) 512-4499 or
[email protected].
[End of section]
Contents:
Letter:
Results in Brief:
Background:
FDIC Has Made Significant Progress Mitigating Previously Reported
Weaknesses:
Weaknesses Continue to Reduce the Security of Financial Information:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Status of Previously Reported Weaknesses:
Appendix III: Comments from the Federal Deposit Insurance Corporation:
Appendix IV: GAO Contacts and Staff Acknowledgments:
Tables:
Table 1: NFE Does Not Have Unique Identifiers for the Same Requirement:
Table 2: AIMS II Does Not Have Unique Identifiers for the Same
Requirement:
Table 3: AIMS II RequisitePro Requirements on the Traceability Matrix
Do Not Match the Software Requirements Specification:
Abbreviations:
AIMS II: Assessment Information Management System II:
CERT: Computer Emergency Response Team:
CIO: Chief Information Officer:
CMMI: Capability Maturity Model® Integration:
FDIC: Federal Deposit Insurance Corporation:
FIPS: Federal Information Processing Standard:
FISMA: Federal Information Security Management Act:
NFE: New Financial Environment:
NIST: National Institute of Standards and Technology:
OMB: Office of Management and Budget:
SRS: Software Requirement Specification:
US-CERT: United States Computer Emergency Readiness Team:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
May 30, 2008:
The Honorable Steven O. App:
Deputy to the FDIC Chairman and Chief Financial Officer:
Federal Deposit Insurance Corporation:
The Honorable John F. Bovenzi:
Deputy to the FDIC Chairman and Chief Operating Officer:
Federal Deposit Insurance Corporation:
The Federal Deposit Insurance Corporation (FDIC) has a demanding
responsibility enforcing banking laws, regulating banking institutions,
and protecting depositors. In carrying out its financial and mission-
related operations, FDIC relies extensively on computerized systems.
Because FDIC plays an important role in maintaining public confidence
in the nation's financial system, issues that affect the
confidentiality, integrity, and availability of sensitive information
maintained on its systems--such as personnel and regulatory
information--are of paramount concern. In particular, effective
information security controls[Footnote 1] are essential to ensure that
FDIC systems and information are adequately protected from inadvertent
or deliberate misuse, fraudulent use, improper disclosure, or
destruction.
As part of our audit of the calendar year 2007 financial statements of
the Deposit Insurance Fund[Footnote 2] and the Federal Savings & Loan
Insurance Corporation Resolution Fund[Footnote 3], we assessed (1) the
progress FDIC has made in mitigating previously reported information
security weaknesses[Footnote 4] and (2) the effectiveness of FDIC's
controls in protecting the confidentiality, integrity, and availability
of its financial systems and information.
In our audit report[Footnote 5] of the calendar year 2007 financial
statements for FDIC's funds, we concluded that issues related to
information security controls did not constitute a significant
deficiency in internal controls with respect to financial reporting and
compliance with laws and regulations.[Footnote 6] We also stated in the
report that continued management commitment to an effective information
security program will be essential to ensuring that the corporation's
financial systems and information will be adequately protected.
We performed our audit work from October 2007 to May 2008 in accordance
with generally accepted government auditing standards. Those standards
require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives. See appendix I for additional details on
our objectives, scope, and methodology.
Results in Brief:
FDIC has made significant progress in mitigating previously reported
information security weaknesses. Specifically, it has corrected or
mitigated 16 of the 21 weaknesses that we had previously reported as
unresolved at the completion of the 2006 audit. For example, FDIC has
improved physical security controls over access to the Virginia Square
computer processing facility, instructed personnel to use more secure e-
mail methods to protect the integrity of certain accounting data
transferred over an internal communication network, updated the
security plan of a key financial system called the New Financial
Environment (NFE) to clearly identify all common security controls,
developed procedures to report computer security incidents, and updated
the NFE contingency plan. However, FDIC has not yet completed actions
to:
* effectively generate NFE audit reports;
* maintain a complete listing of all NFE configuration items, including
application software, data files, software development tools, hardware,
and documentation;
* properly segregate incompatible system-related functions, duties, and
capacities for an individual associated with the NFE;
* effectively implement or accurately report the status of its remedial
actions; and
* properly update the NFE risk assessment.
FDIC stated it has initiated and completed some actions to mitigate the
remaining five prior year weaknesses. However, we have not verified
that these actions have been completed. Although FDIC has made
significant progress improving its information system controls, old and
new weaknesses could limit the corporation's ability to effectively
protect the confidentiality, integrity, and availability of its
financial systems and information. In addition to the five previously
reported weaknesses that remain unresolved, newly identified weaknesses
in access controls and configuration management controls introduce risk
to two key financial systems. For example, FDIC did not always
implement adequate access controls. Specifically, multiple FDIC users
shared the same login ID and password, had unrestricted access to
application source code, and used a password that was not adequately
encrypted. In addition, FDIC did not adequately (1) maintain a full and
complete baseline for system requirements; (2) assign unique
identifiers to configuration items; (3) authorize, document, and report
all configuration changes; and (4) perform configuration audits.
Although these weaknesses do not pose a significant risk of material
misstatement of the corporation's financial statements, they do
increase preventable risk to the corporation's financial systems and
information.
A key reason for these weaknesses is that FDIC did not always fully
implement key information security program activities. For example, it
did not adequately conduct configuration control testing or complete
remedial action plans in a timely manner and did not include necessary
and key information. Until FDIC fully performs key information security
program activities, there is an increased risk that it may not be able
to maintain adequate control over its financial systems and
information.
We are making 10 recommendations to the Chief Operating Officer to
direct the Chief Information Officer (CIO) to address actions to
correct access and configuration management control weaknesses and to
perform key information security program activities for the NFE and
Assessment Information Management System II (AIMS II) systems.
In written comments on a draft of this report, FDIC's Deputy to the
Chairman and Chief Financial Officer stated that FDIC has taken action
or will take action to improve configuration management and information
security. Although FDIC concurred with one and partially concurred with
the remaining nine recommendations, the Deputy noted that FDIC has
already completed actions to address some of these recommendations and
is actively engaged in completing many others. In some instances, FDIC
chose to pursue alternative corrective actions. If the corporation
effectively implements these alternative actions to reduce risk, it
will satisfy the intent of our recommendations.
Background:
Information security is a critical consideration for any organization
that depends on information systems and computer networks to carry out
its mission or business and is especially important for government
agencies, where maintaining the public's trust is essential. While the
dramatic expansion in computer interconnectivity and the rapid increase
in the use of the Internet have enabled corporations such as FDIC to
better achieve their missions and provide information to the public,
these changes also expose federal networks and systems to various threats.
For example, the Federal Bureau of Investigation has identified
multiple sources of cyber threats, including foreign nation states
engaged in information warfare, domestic criminals, hackers, virus
writers, and disgruntled employees working within an organization.
According to a May 2005 report by the U.S. Secret Service and the
Computer Emergency Response Team (CERT) Coordination Center,[Footnote
7] "insiders pose a substantial threat by virtue of their knowledge of,
and access to, employer systems and/or databases."
These concerns are well-founded for a number of reasons, including the
dramatic increase in reports of security incidents, the ease of
obtaining and using hacking tools, and steady advances in the
sophistication and effectiveness of attack technology. For example, the
number of incidents reported by federal agencies to the United States
Computer Emergency Readiness Team (US-CERT) has increased dramatically
over the past 3 years, increasing from 3,634 incidents reported in
fiscal year 2005 to 13,029 incidents in fiscal year 2007 (about a 259
percent increase).
Without proper safeguards, systems are vulnerable to individuals and
groups with malicious intent who can intrude and use their access to
obtain or manipulate sensitive information, commit fraud, disrupt
operations, or launch attacks against other computer systems and
networks.
Our previous reports, and those by inspectors general, describe
persistent information security weaknesses that place federal agencies
at risk of disruption, fraud, or inappropriate disclosure of sensitive
information. Accordingly, we have designated information security as a
governmentwide high-risk area since 1997,[Footnote 8] a designation
that remains in force today. Recognizing the importance of securing
federal agencies' information systems, Congress enacted the Federal
Information Security Management Act (FISMA) in December 2002[Footnote
9] to strengthen the security of information and systems within federal
agencies. FISMA requires each agency to develop, document, and
implement an agencywide information security program to provide
information security for the information and systems that support the
operations and assets of the agency, using a risk-based approach to
information security management.
FDIC Is a Key Protector of Bank and Thrift Depositors:
FDIC is an independent agency created by Congress that maintains the
stability and public confidence in the nation's financial system by
insuring deposits, examining and supervising financial institutions,
and managing receiverships. Congress created FDIC in 1933[Footnote 10]
in response to the thousands of bank failures that occurred in the
1920s and early 1930s[Footnote 11]. The corporation identifies,
monitors, and addresses risks to the deposit insurance funds when a
bank or thrift institution fails.
The Bank Insurance Fund and the Savings Association Insurance Fund were
established as FDIC responsibilities under the Financial Institutions
Reform, Recovery, and Enforcement Act of 1989, which sought to reform,
recapitalize, and consolidate the federal deposit insurance system.
[Footnote 12] The act also designated FDIC as the administrator of the
Federal Savings & Loan Insurance Corporation Resolution Fund, which was
created to complete the affairs of the former Federal Savings & Loan
Insurance Corporation and liquidate the assets and liabilities
transferred from the former Resolution Trust Corporation.
The Bank Insurance Fund and the Savings Association Insurance Fund
merged into the Deposit Insurance Fund on February 8, 2006, as a result
of the President signing the Federal Deposit Insurance Reform Act of
2005 into law.[Footnote 13] With the congressional approval of the
Federal Deposit Insurance Reform Act of 2005, FDIC was required to
ensure that approximately 7,400 eligible member institutions received a
one-time assessment credit totaling $4.7 billion.
FDIC insures deposits in excess of $4 trillion for its 8,571 member
institutions. It had a budget of about $1.1 billion for calendar year
2007 to support its activities in managing the funds. For that year, it
processed almost 16.4 million financial transactions.
FDIC Reliance on Computer Systems:
FDIC relies extensively on computerized systems to support its
financial operations and store the sensitive information that it
collects. Its local and wide area networks interconnect these systems.
To support its financial management functions, the corporation relies
on many systems including the NFE, a corporate-wide effort focused on
implementing an enterprisewide, integrated software system. In
addition, the corporation relies on the AIMS II to calculate and
collect FDIC deposit insurance premiums and Financing Corporation
[Footnote 14] bond principal and interest amounts from insured
financial institutions.[Footnote 15] FDIC financial systems also
process and track financial transactions such as disbursements made to
support operations.
Under FISMA, the Chairman is responsible for, among other things, (1)
providing information security protections commensurate with the risk
and magnitude of the harm resulting from unauthorized access, use,
disclosure, disruption, modification, or destruction of the agency's
information systems and information; (2) ensuring that senior agency
officials provide information security for the information and
information systems that support the operations and assets under their
control; and (3) delegating to the corporation's CIO the authority to
ensure compliance with the requirements imposed on the agency under
FISMA.
Two deputies to the Chairman--the Chief Financial Officer and Chief
Operating Officer--have information security responsibilities. The
Chief Financial Officer has information security responsibilities
insofar as he is part of a senior management group that oversees the
NFE and AIMS II security team. He is also responsible for the
preparation of financial statements and ensures that they are fairly
presented and demonstrate discipline and accountability.
In addition, the Chief Operating Officer has information security
responsibilities. He supervises the CIO, who is responsible for
developing and maintaining a corporate-wide information security
program and for developing and maintaining information security
policies, procedures, and control techniques that address all
applicable requirements. The CIO also serves as the authorizing
official with the authority to approve the operation of the information
system at an acceptable level of risk to the enterprise. The CIO
supervises the Chief Information Security Officer, who is in charge of
information security at the corporation. The Chief Information Security
Officer serves as the CIO's designated representative responsible for
the overall support of the certification and accreditation[Footnote 16]
activities.
FDIC Has Made Significant Progress Mitigating Previously Reported
Weaknesses:
FDIC has made significant progress in mitigating previously reported
information security weaknesses. Specifically, it has corrected or
mitigated 16 of the 21 weaknesses that we had previously reported as
unresolved at the completion of the 2006 audit (see app. II). For
example, FDIC has enhanced physical security controls, instructed
personnel to use more secure e-mail methods to protect the integrity of
certain accounting data transferred over an internal communication
network, updated the NFE security plan to clearly identify all common
security controls, developed procedures to report computer security
incidents, and updated the NFE contingency plan.
While the corporation has made significant progress in resolving known
weaknesses, it has not completed actions to mitigate the remaining five
weaknesses. Specifically, FDIC has not:
* effectively generated NFE audit reports;
* maintained a complete listing of all NFE configuration items,
including application software, data files, software development tools,
hardware, and documentation;
* properly segregated incompatible system-related functions, duties,
and capacities for an individual associated with the NFE;
* effectively implemented or accurately reported the status of its
remedial actions; and
* properly updated the NFE risk assessment.
FDIC stated it has initiated and completed some actions to mitigate the
remaining five prior year weaknesses. However, we have not verified
that these actions have been completed. Not addressing these actions
could leave the corporation's financial data vulnerable to an increased
risk of unauthorized access and manipulation.
Appendix II describes the previously reported weaknesses in information
security controls that were unresolved at the time of our prior review
and the status of the corporation's corrective actions.
Weaknesses Continue to Reduce the Security of Financial Information:
Although FDIC has made significant progress improving its information
system controls, old and new weaknesses could limit the corporation's
ability to effectively protect the confidentiality, integrity, and
availability of its financial systems and information. In addition to
the five previously reported weaknesses that remain unresolved, newly
identified weaknesses in access controls and configuration management
controls introduce risk to two key financial systems. A key reason for
these weaknesses is that FDIC did not always fully implement key
information security program activities. As a result, increased risk
exists of unauthorized disclosure or modification of financial
information.
Weaknesses in Access Control Warrant Management Attention:
A basic management objective for any organization is to protect the
resources that support its critical operations and assets from
unauthorized access. Organizations accomplish this objective by
designing and implementing controls that are intended to prevent,
limit, and detect unauthorized access to computer resources (data,
programs, equipment, and facilities), thereby protecting them from
unauthorized disclosure, modification, and loss. FDIC developed
policies and procedures on access control which, among other things,
stated that login ID and password combinations should not be shared,
access to application source code should be restricted unless users
have a legitimate business need for access, and passwords should be
adequately encrypted.
However, FDIC did not always implement certain access controls, as the
following examples show:
* Multiple FDIC users in a production control unit in one division and
multiple users in another division share the same NFE logon ID and
password. As a result, increased risk exists that individual
accountability for authorized, as well as unauthorized system activity
could be lost.
* All users of the AIMS II application have full access to the
application production code although their job responsibilities do not
require such access. As a result, increased risk exists that
individuals could circumvent security controls and deliberately or
inadvertently read, modify, or delete critical source code.
* One database connection could be compromised because the password is
not adequately encrypted with a Federal Information Processing
Standards 140-2 compliant algorithm. As a result, increased risk exists
that the database could be compromised by unauthorized individuals who
could then potentially change, add, or delete information.
Weaknesses in Configuration Management Controls Increased Risk:
Our Federal Information System Controls Audit Manual[Footnote 17]
states that configuration management involves the identification and
management of security features for all hardware and software
components of an information system at a given point and systematically
controls changes to that configuration during the system's life cycle.
An effective configuration management process consists of four primary
areas, each of which should be described in a configuration management
plan and implemented according to the plan. The four are as follows:
* Configuration identification: procedures for identifying,
documenting, and assigning unique identifiers (for example, serial
number and name) to requirements, design documents, and the system's
hardware and software component parts, generally referred to as
configuration items;
* Configuration control: procedures for evaluating and deciding whether
to approve changes to a system's baseline configuration; decision
makers such as a Configuration Control Board evaluate proposed changes
on the basis of costs, benefits, and risks, and decide whether to
permit a change;
* Configuration status accounting: procedures for documenting the
status of configuration items as a system evolves; and
* Configuration auditing: procedures for determining traceability
between the actual system and the documentation describing it (such as
requirements documentation), thereby ensuring that the documentation
used to support decision making is complete and correct. Configuration
audits are performed when a significant system change is introduced and
help to ensure that only authorized changes are being made and that
systems are operating securely and as intended.
FDIC has made progress in implementing each of the four configuration
management areas. Specifically, for configuration identification, FDIC
has documented procedures for identifying and assigning unique
identifiers and naming configuration items. For configuration control,
it has documented procedures for requesting changes to configuration
items, established configuration management plans that document
employee roles and responsibilities, developed a Change Control Board
that reviews changes to configuration items, and implemented
configuration management tools. In addition, for configuration status
accounting, FDIC has developed configuration management status
accounting reports. Further, for configuration auditing, it has
conducted testing and evaluation of releases.
However, FDIC has not executed adequate controls over the configuration
management of the NFE and AIMS II information system components.
Specifically, it did not adequately (1) maintain a full and complete
baseline for system requirements; (2) assign unique identifiers to
configuration items; (3) authorize, document, and report all
configuration changes; and (4) perform configuration audits. As a
result, increased risk exists that functional requirements for these
system components were not adequately implemented, managed, or
maintained. In addition, increased risk exists that inconsistencies
among requirements were not identified, and documents were not
correctly associated with the correct releases.
FDIC Did Not Adequately Maintain a Full and Complete Requirements
Baseline:
An entity should maintain current configuration information in a formal
configuration baseline that contains the configuration information
formally designated at a specific time during a product's or product
component's life. The Software Engineering Institute's Capability
Maturity Model® Integration[Footnote 18] (CMMI) defines a baseline as a
set of specifications or work products that has been formally reviewed
and agreed on, which thereafter serves as the basis for further
development or delivery, and that can be changed only through change
control procedures. The NFE configuration management plan states that a
baseline is a set of configuration items and their corresponding
changes. The plan also states that changes to the requirements baseline
should be controlled as part of configuration management throughout the
life of the product.
FDIC did not maintain a full and complete requirements baseline for NFE
and AIMS II. For example, it could not provide a complete history of
all approved requirements and changes to those requirements for NFE.
Furthermore, although FDIC officials have stated that RequisitePro
[Footnote 19] is the system of record for requirements, not all
requirements for NFE or AIMS II were in RequisitePro. For example,
requirements that were documented in the Software Requirement
Specification (SRS) and architecture design documents were not included
in RequisitePro. As a result, increased risk exists that requirements
for these two systems were not adequately implemented, managed, or
maintained and that the system may not function as intended.
FDIC Did Not Consistently Assign Unique Identifiers to Configuration
Items:
Software Engineering Institute's CMMI and the FDIC configuration
management plan state that configuration items should have unique
identifiers and naming conventions. Identifying items that fall under
configuration management control is a key step in the configuration
management process. A consistent naming convention for configuration
items is important to ensure that requirements are consistently and
uniquely identified, verifiable, and traceable. When the requirements
have unique identifiers and are managed well, traceability can be
established from the source requirement to its lower level requirements
and from the lower level requirements back to the source. Such
bidirectional traceability through unique identifiers helps determine
that all source requirements have been completely addressed and that
all lower level requirements can be traced to a valid source.[Footnote
20]
FDIC did not consistently assign or use unique identifiers to identify
or trace NFE and AIMS II configuration items such as requirements.
Specifically, FDIC assigned multiple identifiers for the same
requirement and did not always use the assigned identifiers to identify
requirements in certain documents. For example, as illustrated in table
1:
* NFE used "SR numbers" to identify requirements in the implementation
report, test plan, test summary, and RequisitePro traceability matrix
report but not in the SRS and the design document.
* The NFE requirement numbers on the implementation report and the
RequisitePro traceability matrix report were different compared with
those identified on the test plan and test summary for the same
requirement. For example, the configuration item identifier for change
request 4739 was "SR36" on the implementation report and the
RequisitePro traceability matrix, but was "SR7" on the test plan and
test summary.
Table 1: NFE Does Not Have Unique Identifiers for the Same Requirement:
Requirement identifier used in each document, by change request (CR) number:
Document                         | CR 4739        | CR 4757        | CR 4782
SRS                              | CR number only | CR number only | CR number only
Design document                  | CR number only | CR number only | CR number only
Implementation report            | SR36           | SR38           | SR40, 41
Test plan                        | SR7            | SR3            | SR6
Test summary                     | SR7            | SR3            | SR6
RequisitePro traceability matrix | SR36           | SR38           | SR40, 41
Note: "CR number only" means the document carries no SR number, only the
change request number.
Source: GAO analysis of FDIC documentation.
[End of table]
FDIC also did not consistently assign or use unique identifiers to
identify or trace AIMS II requirements. For example, as illustrated in
table 2:
* AIMS II uses "paragraph numbers" to identify requirements in the SRS,
test plan, and RequisitePro traceability matrix report, but not in the
architecture design document or, in some instances, in the test summary.
* The SRS paragraph number for one particular requirement is described
as located at 3.1.1.6; however, the RequisitePro traceability matrix
report points to the wrong paragraph number 3.1.1.2 and introduces
another identifier "REQS2."
Table 2: AIMS II Does Not Have Unique Identifiers for the Same
Requirement:
Requirement identifier used in each document, by SRS paragraph number:
Document | SRS 3.1.1.6 | SRS 3.1.1.7 | SRS 3.1.1.8
SRS paragraph number | 3.1.1.6 | 3.1.1.7 | 3.1.1.8
Architecture design (paragraph number in architecture document) | Component changes: Section 5.2.4, Section 6.3 | UI changes: Figure 19 | UI changes: Figure 20
Test plan (ref to SRS number) | 3.1.1.6 | 3.1.1.7 | 3.1.1.8
Test summary (ref to SRS number) | none | 3.1.1.7 | 3.1.1.8
RequisitePro traceability matrix (ref to SRS number and RequisitePro number) | 3.1.1.2 REQS2 | 3.1.1.5 REQS5 | 3.1.1.6 REQS6
Source: GAO analysis of FDIC documentation.
[End of table]
As a result of the lack of consistency in assigning and using unique
identifiers for requirements, FDIC had many problems in tracing
requirements. For example, our review of the AIMS II release 10.0 SRS,
Software Architecture Document, test summary, and RequisitePro reports
showed several misalignments among the 96 requirement numbers described
in the RequisitePro traceability matrix. The following are examples:
* Requirements 3.1.2.7 to 3.1.2.26 are documented in the test summary
document but do not appear in the RequisitePro report.
* Requirements 3.1.4.15 through 3.1.4.26 were missing from the SRS and
test summary, though they were documented in the RequisitePro report.
* A requirement is also traced to SRS 3.1.1.19 when there is no SRS
paragraph 3.1.1.19.
Table 3 illustrates an example of a misaligned AIMS II requirement
(3.1.1.8). In this example, "high priority" requirement REQS 8 on the
RequisitePro traceability matrix is linked to a requirement in the SRS
described as paragraph 3.1.1.8. As can be seen, the requirement has the
same number, but the requirement is not the same.
Table 3: AIMS II RequisitePro Requirements on the Traceability Matrix
Do Not Match the Software Requirements Specification:
Requirement description in the AIMS II RequisitePro requirements
traceability matrix (REQS8): The system shall provide the functionality
to apply the one-time credit eligible amount to the institution's FDIC
payment. The amount shall be applied as a debit/credit record on its
own line on the invoice. The system shall incorporate the business
rules to determine the maximum amount that can be applied towards the
FDIC payment.
SRS number to which the traceability matrix states REQS8 is linked:
3.1.1.8.
SRS paragraph 3.1.1.8 (which does not match the traceability matrix
description): The Credit Balance Screen shall contain the institution's
beginning credit balance, credit amount acquired for the current quarter
through acquisitions, credit amount transferred in, credit amount
transferred out, total credit amount available for use this quarter,
credit amount applied to current quarter assessment, the ending credit
balance, and the associated limitations to the credits applied.
Source: GAO analysis of FDIC documentation.
[End of table]
Consequently, traceability cannot be adequately established from the
source requirement to its lower level requirements and from the lower
level requirements back to the source to ensure that all source
requirements have been completely addressed.
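As an added example (not from the report, and not FDIC's or RequisitePro's own tooling), the following Python script performs the forward and backward traceability check described above over constructed sample artifacts, flagging the misalignment types the report found for AIMS II: SRS paragraphs absent from the traceability matrix, test summary references to paragraphs the SRS does not contain, matrix links to nonexistent SRS paragraphs, a matrix entry whose text does not match the SRS paragraph it links to (the table 3 pattern), and one requirement text carried under two identifiers. All paragraph numbers, REQS identifiers and requirement text are constructed for illustration.

```python
from difflib import SequenceMatcher

# Constructed sample artifacts for one release. Paragraph numbers, REQS
# identifiers and requirement text are illustrative, not FDIC data.
SRS = {
    "3.1.1.6": "The system shall apply the one-time credit eligible amount "
               "to the institution's FDIC payment.",
    "3.1.1.7": "The Credit Balance Screen shall show the beginning and ending "
               "credit balance for the quarter.",
    "3.1.1.8": "The system shall reject a credit application that exceeds "
               "the available credit balance.",
    "3.1.2.7": "The invoice shall show the applied credit on its own line.",
}

# SRS paragraph numbers the test summary claims to have exercised
# (3.1.2.8 does not exist in the SRS).
TEST_SUMMARY = ["3.1.1.6", "3.1.1.7", "3.1.1.8", "3.1.2.7", "3.1.2.8"]

# Traceability matrix as exported from a requirements tool:
# tool identifier -> (SRS paragraph it links to, requirement text recorded
# in the matrix). REQS8 links to 3.1.1.8 but carries the 3.1.1.6 text
# (the table 3 pattern); REQS15 and REQS19 link to paragraphs the SRS
# does not contain.
MATRIX = {
    "REQS6": ("3.1.1.6", "The system shall apply the one-time credit "
                         "eligible amount to the institution's FDIC payment."),
    "REQS8": ("3.1.1.8", "The system shall apply the one-time credit "
                         "eligible amount to the institution's FDIC payment."),
    "REQS15": ("3.1.4.15", "The system shall compute the assessment rate."),
    "REQS19": ("3.1.1.19", "The system shall archive closed invoices."),
}


def similarity(a, b):
    """Case-insensitive similarity ratio in [0, 1] between two texts."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_traceability(srs, test_summary, matrix, min_similarity=0.8):
    """Bidirectional traceability check across SRS, test summary and matrix.

    Forward: every SRS paragraph must be linked in the matrix and covered by
    the test summary. Backward: every matrix link and test summary reference
    must resolve to an existing SRS paragraph, and the text recorded in the
    matrix must match the SRS paragraph it points to. Finally, one
    requirement text must not be carried under more than one identifier.
    Returns a dict of finding category -> sorted list of offending items.
    """
    findings = {
        "srs_not_in_matrix": [],
        "srs_not_in_test_summary": [],
        "test_ref_to_missing_srs": [],
        "matrix_link_to_missing_srs": [],
        "matrix_text_mismatch": [],
        "multiple_ids_same_requirement": [],
    }
    linked = {para for para, _ in matrix.values()}
    tested = set(test_summary)

    # Forward trace: source requirement -> matrix and tests.
    for para in srs:
        if para not in linked:
            findings["srs_not_in_matrix"].append(para)
        if para not in tested:
            findings["srs_not_in_test_summary"].append(para)

    # Backward trace: test summary reference -> source requirement.
    for para in test_summary:
        if para not in srs:
            findings["test_ref_to_missing_srs"].append(para)

    # Backward trace: matrix link -> source requirement, including content.
    for req_id, (para, text) in matrix.items():
        if para not in srs:
            findings["matrix_link_to_missing_srs"].append((req_id, para))
        elif similarity(text, srs[para]) < min_similarity:
            findings["matrix_text_mismatch"].append((req_id, para))

    # Uniqueness: the same requirement text under several identifiers.
    ids_by_text = {}
    for req_id, (_, text) in matrix.items():
        key = " ".join(text.lower().split())
        ids_by_text.setdefault(key, []).append(req_id)
    for ids in ids_by_text.values():
        if len(ids) > 1:
            findings["multiple_ids_same_requirement"].append(tuple(sorted(ids)))

    return {category: sorted(items) for category, items in findings.items()}


if __name__ == "__main__":
    for category, items in check_traceability(SRS, TEST_SUMMARY, MATRIX).items():
        print(f"{category}: {items if items else 'none'}")
```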
FDIC Did Not Adequately Authorize, Document, and Report All
Configuration Changes:
The Software Engineering Institute's CMMI and the FDIC configuration
management plan state that an entity should properly control all
configuration changes. This covers a wide range of activities to
include the following: a change control board should authorize and
approve all configuration changes, change requests should be adequately
documented, and status accounting reports should allow users to see
baselines, trace requirements throughout the release, and be accurate.
However, FDIC did not adequately authorize, document, and report all
configuration changes.
* The FDIC Change Control Board did not authorize and approve all
configuration changes for NFE and AIMS II. For example, PeopleSoft
access control changes were not made through the Change Control Board.
* Change requests were not adequately documented. For example,
implementation date and version number were left out on all change
requests for NFE and AIMS II.
* Status accounting reports did not show baselines, did not trace
requirements throughout the release, and were not accurate. For example,
FDIC could not generate a complete requirements baseline report for NFE
or AIMS II. In addition, it could not produce configuration management
reports of all PeopleSoft configuration items. Furthermore,
traceability reports were manually generated and had many errors.
As a result, increased risk exists that unauthorized changes could be
made or introduced to FDIC's systems.
FDIC Did Not Adequately Perform Configuration Audits:
Software Engineering Institute's CMMI and the FDIC configuration
management plans state that configuration audits should be conducted to
verify that the teams are following the configuration management
process and to ensure all approved items are built. These audits
consist of a physical and functional configuration audit. The physical
audit consists of validating and verifying that all items are under
configuration management control, configuration items are identified,
and team members are following the configuration management process.
Another type of configuration audit that must be conducted is the
functional configuration audit. A functional configuration audit
consists of tracing configuration items from requirements and design to
the final delivered release baseline.
FDIC performed limited configuration auditing of NFE and AIMS II. For
example, both NFE and AIMS II had developed auditing check lists and
made sure independent testing was conducted. However, FDIC did not
adequately ensure that configuration audits verified and validated the
configuration management process and ensured that all approved items
were built. For example, FDIC did not verify and validate in a physical
audit that all items are under configuration management control since
changes were being made without the Configuration Control Board's
approval. In addition, teams were not assigning unique identifiers as
required by the configuration management plans. Furthermore, FDIC did
not verify and validate in a functional audit that adequate
traceability existed since requirements could not be traced backward
and forward from design to the final delivered release baseline. As a
result, the risk exists that the configuration audits did not
adequately verify and validate that functional requirements were
adequately implemented, managed, and maintained.
FDIC Has Not Fully Implemented Its Information Security Program:
FDIC has made important progress in implementing the corporation's
information security program; however, a key reason for these
information security weaknesses is that FDIC did not always fully
implement key information security program activities. FDIC requires
its components to implement information security program activities in
accordance with FISMA requirements, Office of Management and Budget
(OMB) policies, and applicable National Institute of Standards and
Technology (NIST) guidance. Among other things, FISMA requires agencies
to develop, document, and implement:
* periodic assessments of the risk and magnitude of harm that could
result from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information or information systems;
* plans for providing adequate information security for networks,
facilities, and systems;
* security awareness training to inform personnel of information
security risks and of their responsibilities in complying with agency
policies and procedures, as well as training personnel with significant
security responsibilities for information security;
* periodic testing and evaluation of the effectiveness of information
security policies, procedures, and practices, performed with a
frequency depending on risk, but no less than annually, and that
includes testing of management, operational, and technical controls for
every system identified in the agency's required inventory of major
information systems;
* a process for planning, implementing, evaluating, and documenting
remedial actions to address any deficiencies in information security
policies, procedures, and practices of the agency;[Footnote 21]
* procedures for detecting, reporting, and responding to security
incidents; and
* plans and procedures to ensure continuity of operations for
information systems that support the operations and assets of the
agency.
FDIC has taken several actions to implement elements of its information
security program. For example, FDIC has:
* included nonmajor applications in major systems security plans and
developed a new security plan template;
* implemented a risk assessment process that identified possible
threats and vulnerabilities to its systems and information, as well as
the controls needed to mitigate potential vulnerabilities;
* implemented a test and evaluation process to assess the effectiveness
of information security policies, procedures, and practices;
* ensured that vulnerabilities identified during its tests and
evaluations are addressed in its remedial action plans;
* established a system for documenting and tracking corrective actions;
* recognized that NFE users are not physically or logically separated
in terms of what they are allowed to access within NFE;
* implemented an incident handling program, including establishing a
team and associated procedures for detecting, responding to, and
reporting computer security incidents;
* developed an incident response policy to review events related to
data loss, disclosure, inappropriate access, and loss of equipment in
the Division of Finance to determine whether the events are computer
security incidents; and
* developed the corporation's business continuity of operations,
updated the contingency plans and business impact analyses, and
assessed the effectiveness of the plans through testing at a disaster
recovery site.
However, FDIC did not always fully implement key information security
program activities for NFE and AIMS II. For example, it did not
adequately conduct configuration control testing or complete remedial
action plans in a timely manner to include key information. Until FDIC
fully performs key information security program activities, its risk is
increased because it may not be able to maintain adequate control over
its financial systems and information.
Although Controls Were Tested and Evaluated, Tests Were Not Always
Adequate:
A key element of an information security program is testing and
evaluating system configuration controls to ensure that they are
appropriate, effective, and comply with policies. According to NIST,
the organization should (1) develop, document, and maintain a current
baseline configuration of the information system and update the
baseline configuration of the information system and (2) assess the
degree of consistency between system documentation and its
implementation in security tests, to include tests of configuration
management controls.
FDIC did not adequately test NFE configuration management controls. We
found that the depth of FDIC's system testing and evaluation for
configuration management controls was insufficient, since we identified
vulnerabilities in the configuration management process during our
testing that FDIC did not. Specifically, the NFE system test and
evaluation report stated that FDIC developed, documented, and
maintained a current baseline configuration; however, as we have
previously stated in the report, we found that FDIC did not maintain a
full and complete requirements baseline for NFE. In addition, the NFE
system test and evaluation stated that FDIC authorizes and controls
changes to the information system; however, as we have previously
stated in the report, we found that some configuration changes were not
being authorized and controlled by the Configuration Control Board.
Furthermore, the NFE system test and evaluation stated that
configuration items were uniquely identified and stored in
configuration management libraries, yet we found FDIC had problems
assigning unique identifiers to configuration items for NFE. As a
result, without adequate tests and evaluations of configuration
management controls, FDIC has limited assurance that configuration
controls are being effectively tested and reported.
The Remedial Action Plan Was Not Completed in a Timely Manner and Did
Not Include Necessary and Key Information:
A remedial action plan is a key component described in FISMA. Such a
plan assists agencies in identifying, assessing, prioritizing, and
monitoring progress in correcting security weaknesses that are found in
information systems. In its annual FISMA guidance to agencies, OMB
requires that agencies' remedial action plans (also known as plan of
action and milestones) include the resources necessary to correct an
identified weakness. According to FDIC policy, the agency should
document weaknesses found during security assessments. The policy
further requires that FDIC track the status of resolution of all
weaknesses and verify that each weakness is corrected.
The NFE remedial action plan was not completed in a timely manner and
did not include necessary and key information. FDIC performed a system
test and evaluation of NFE in November 2007 and developed a plan of
action and milestones to correct any identified weaknesses. However,
the plan of action and milestones report did not contain necessary and
key information such as the contact that will be responsible for the
corrective action, when the action will be closed, and status of the
action. For example, the plan of action and milestones document
included problems with the PeopleSoft security roles and functions;
however, it did not state how FDIC would address these issues. FDIC
officials stated that they were in the process of completing the plan
of action and milestones with the required information but had not
established a milestone date for doing so. Until the plan contains
necessary and key information, FDIC's assurance is reduced that the
proper resources will be applied to known vulnerabilities or that those
vulnerabilities will be properly mitigated.
Conclusions:
FDIC has made significant progress in correcting previously reported
weaknesses and has taken steps to improve information security.
Although five weaknesses from prior reports remain unresolved and new
control weaknesses related to access control and configuration
management were identified, the remaining unresolved weaknesses
previously reported and the newly identified weaknesses did not pose
significant risk of material misstatements in the corporation's
financial statements for calendar year 2007. However, these weaknesses
increase preventable risk to the corporation's financial and sensitive
systems and information and warrant management's immediate attention.
A key reason for these weaknesses is that FDIC did not always fully
implement key information security program activities. Continued
management commitment to mitigating known information security
weaknesses in access controls and configuration management and fully
implementing its information security program will be essential to
ensure that the corporation's financial information will be adequately
protected from unauthorized disclosure, modification, or destruction,
and its management decisions may be based on reliable and accurate
information.
Recommendations for Executive Action:
In order to sustain progress in its program, we recommend that the
Chief Operating Officer direct the CIO to take the following 10
actions:
Improve access controls by ensuring that:
* NFE users do not share login ID and password accounts;
* AIMS II users do not have full access to application source code,
unless they have a legitimate business need; and
* the database connection is adequately encrypted with passwords that
comply with FIPS 140-2.
Improve NFE and AIMS II configuration management by ensuring that:
* full and complete requirement baselines are developed and
implemented;
* configuration items have unique identifiers;
* configuration changes are properly authorized, documented, and
reported;
* physical configuration audits verify and validate that all items are
under configuration management control, all changes made are approved
by the configuration control board, and that teams are assigning unique
identifiers to configuration items; and
* functional configuration audits verify and validate that requirements
have bidirectional traceability and can be traced from various
documents.
Improve the security management of NFE and AIMS II by ensuring that
users:
* adequately test configuration management controls as part of the
system test and evaluation process; and
* develop in a timely manner a detailed plan of action and milestones
to include who will be responsible for the corrective action, when the
action will be closed, and status of the action for NFE.
Agency Comments and Our Evaluation:
We received written comments on a draft of this report from FDIC's
Deputy to the Chairman and Chief Financial Officer (which are reprinted
in app. III). The Deputy stated that FDIC concurred with one
recommendation and partially concurred with the remaining nine. He
added that, in general, FDIC found the issues to be more limited than
presented in the draft report, yet FDIC has taken action or will take
action to improve configuration management and information security. We
believe that the issues we presented in the report are accurately
presented and can increase the risk of unauthorized disclosure,
modification, or destruction of the corporation's financial information
and that management decisions may be based on unreliable or inaccurate
information.
Regarding the nine recommendations to which FDIC partially concurred,
the Deputy stated that the corporation has developed or implemented
plans to adequately address the underlying risks that prompted these
nine recommendations, and in some instances, pursued alternative
corrective actions. If the corporation effectively implements the
alternative corrective actions to reduce risk, it will satisfy the
intent of the recommendations. In addition, the Deputy provided
technical comments, which we incorporated into the report as
appropriate.
We are sending copies of this report to the Chairman and Ranking Member
of the Senate Committee on Banking, Housing, and Urban Affairs; the
Chairman and Ranking Member of the House Committee on Financial
Services; members of the FDIC Audit Committee; officials in FDIC's
divisions of information resources management, administration, finance;
the FDIC inspector general; and other interested parties. We also will
make copies available to others upon request. In addition, this report
will be available at no charge on the GAO Web site at
http://www.gao.gov.
If you have any questions regarding this report, please contact Gregory
C. Wilshusen at (202) 512-6244 or Dr. Nabajyoti Barkakati at (202) 512-
4499. We can also be reached by e-mail at [email protected] and
[email protected]. Contact points for our Offices of Congressional
Relations and Public Affairs may be found on the last page of this
report. Key contributors to this report are listed in appendix IV.
Signed by:
Gregory C. Wilshusen:
Director, Information Security Issues:
Signed by:
Dr. Nabajyoti Barkakati:
Director, Center for Technology and Engineering:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
The objectives of our review were to assess (1) the progress the
Federal Deposit Insurance Corporation (FDIC) has made in mitigating
previously reported information security weaknesses and (2) the
effectiveness of FDIC's controls in protecting the confidentiality,
integrity, and availability of its financial systems and information.
An integral part of our objectives was to support the opinion on
internal control in GAO's 2007 financial statement audit by assessing
the controls over systems that support financial management and the
generation of the FDIC funds' financial statements.
To determine the status of FDIC's actions to correct or mitigate
previously reported information security weaknesses, we identified and
reviewed its information security policies, procedures, and guidance.
We reviewed prior GAO reports to identify previously reported
weaknesses and examined FDIC's corrective action plans to determine
which weaknesses FDIC had reported were corrected. For those instances
where FDIC reported it had completed corrective actions, we assessed
the effectiveness of those actions.
To determine whether controls over key financial systems were
effective, we tested the effectiveness of information security and
information technology-based internal controls. We concentrated our
evaluation primarily on the controls for financial applications,
enterprise database applications, and network infrastructure associated
with the New Financial Environment (NFE) release 1.43 and the
Assessment Information Management System II (AIMS II) release 10.0
applications.[Footnote 22]
Our evaluation was based on our Federal Information System Controls
Audit Manual, which contains guidance for reviewing information system
controls that affect the confidentiality, integrity, and availability
of computerized information.
Using NIST standards and guidance, and FDIC's policies, procedures,
practices, and standards, we evaluated controls by:
* observing methods for providing secure data transmissions across the
network to determine whether sensitive data was being encrypted;
* testing and observing physical access controls to determine if
computer facilities and resources were being protected from espionage,
sabotage, damage, and theft;
* evaluating the control configurations of selected servers and database
management systems;
* inspecting key servers and workstations to determine whether critical
patches had been installed or were up-to-date;
* examining access responsibilities to determine whether incompatible
functions were segregated among different individuals; and
* observing end-user activity pertaining to the process of preparing
FDIC financial statements.
Using the requirements of the Federal Information Security Management
Act (FISMA), which establishes key elements for an effective agencywide
information security program, we evaluated FDIC's implementation of its
security program by:
* reviewing FDIC's risk assessment process and risk assessments for two
key FDIC systems that support the preparation of financial statements
to determine whether risks and threats were documented consistent with
federal guidance;
* analyzing FDIC's policies, procedures, practices, and standards to
determine their effectiveness in providing guidance to personnel
responsible for securing information and information systems;
* analyzing security plans to determine if management, operational, and
technical controls were in place or planned and that security plans
were updated;
* examining training records for personnel with significant security
responsibilities to determine if they received training commensurate
with those responsibilities;
* analyzing configuration management plans and procedures to determine
if configurations are being managed appropriately;
* analyzing security testing and evaluation results for two key FDIC
systems to determine whether management, operational, and technical
controls were tested at least annually and based on risk;
* examining remedial action plans to determine whether they addressed
vulnerabilities identified in the FDIC's security testing and
evaluations; and
* examining contingency plans for two key FDIC systems to determine
whether those plans had been tested or updated.
We also discussed with key security representatives and management
officials whether information security controls were in place,
adequately designed, and operating effectively. We conducted this audit
work from October 2007 to May 2008 in accordance with generally
accepted government auditing standards. Those standards require that we
plan and perform the audit to obtain sufficient, appropriate evidence
to provide a reasonable basis for our findings and conclusions based on
our audit objectives. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusions based on our audit
objectives.
[End of section]
Appendix II: Status of Previously Reported Weaknesses:
This appendix describes the status of the information security
weaknesses we reported last year. It also includes the status of
weaknesses from previous reports that were not fully implemented during
the time of our last review.
Table 4: Status of Previously Reported Weaknesses:
(Each row gives the weakness, the year it was initially reported, and
its status: "action completed" or "action in progress".)
Control area: Access controls: Access rights and permissions:
1. FDIC did not effectively limit network access to sensitive
personally identifiable and business proprietary information. Year
initially reported: 2006. Status: action completed.
Control area: Access controls: Audit and monitoring of security-related
events:
2. FDIC did not effectively generate NFE audit reports or review them.
Year initially reported: 2006. Status: action in progress.
Control area: Access controls: Cryptography:
3. FDIC did not use secure e-mail methods to protect the integrity of
certain accounting data transferred over an internal communication
network. Year initially reported: 2007. Status: action completed.
Control area: Access controls: Physical security:
4. FDIC did not adequately control physical access to the Virginia
Square computer processing facility. Year initially reported: 2006.
Status: action completed.
5. FDIC did not apply physical security controls for some instances.
For example, an unauthorized visitor was able to enter a key FDIC
facility without providing proof of identity, signing a visitor log,
obtaining a visitor's badge, or being escorted. Year initially
reported: 2007. Status: action completed.
6. FDIC did not apply physical security controls for some instances.
For example, a workstation that had access to a payroll system was
located in an unsecured office. Year initially reported: 2007. Status:
action completed.
Control area: Configuration management (formerly application change
control):
7. Procedures have not been consistently followed for authorizing,
documenting, and reviewing all application software changes. Year
initially reported: 2005. Status: action completed.
8. FDIC did not consistently implement configuration management
controls for NFE. Specifically, the corporation did not develop and
maintain a complete listing of all configuration items and a baseline
configuration for NFE, including application software, data files,
software development tools, hardware, and documentation. Year
initially reported: 2007. Status: action in progress.
9. FDIC did not ensure that all significant system changes, such as
parameter changes, go through a change control process. Year initially
reported: 2007. Status: action completed.
10. FDIC did not apply comprehensive patches to system software in a
timely manner. Year initially reported: 2007. Status: action completed.
11. FDIC did not review status accounting reports, or perform complete
functional and physical configuration audits. Year initially reported:
2007. Status: action completed.
12. FDIC did not update or control documents to reflect the current
state of the environment and to ensure consistency with related
documents. Year initially reported: 2007. Status: action completed.
Control area: Segregation of duties:
13. FDIC did not properly segregate incompatible system-related
functions, duties, and capacities for an individual associated with
NFE. Year initially reported: 2006. Status: action in progress.
Control area: Security management (formerly information security
program):
14. FDIC has documented various policies for establishing effective
information security controls; however, the corporation has not
consistently implemented them. Year initially reported: 2006. Status:
action completed.
Control area: Configuration management (formerly application change
control):
15. FDIC did not integrate the security plans or requirements for
certain nonmajor applications into the security plan for the general
support system. Two of FDIC's nonmajor applications, the corporation's
human resources and time and attendance systems, are not included in
FDIC general support systems security plans. Year initially reported:
2006. Status: action completed.
16. FDIC did not effectively implement or accurately report the status
of its remedial actions. Year initially reported: 2006. Status: action
in progress.
17. FDIC did not update its business impact analysis to reflect the
significant changes resulting from the implementation of NFE. Year
initially reported: 2006. Status: action completed.
18. The risk assessment for FDIC's NFE was not properly updated. Year
initially reported: 2007. Status: action in progress.
19. The corporation did not update the system security plan for NFE.
Year initially reported: 2007. Status: action completed.
20. The corporation did not always review events occurring in NFE to
determine whether the events were computer security incidents or not.
Year initially reported: 2007. Status: action completed.
21. FDIC's NFE contingency plan was not updated to reflect the new
disaster recovery site. In addition, the plan identified servers that
were not in use. Year initially reported: 2007. Status: action
completed.
Source: GAO.
[End of table]
[End of section]
Appendix III: Comments from the Federal Deposit Insurance Corporation:
FDIC:
Federal Deposit Insurance Corporation:
Deputy to the Chairman and CFO:
550 17th Street NW,
Washington, D.C. 20429-9990:
May 14, 2008:
Mr. Gregory C. Wilshusen:
Director, Information Security Issues:
Dr. Nabajyoti Barkakati:
Acting Chief Technologist:
Government Accountability Office:
Washington, D.C. 20548:
Re: FDIC Management Response to the GAO 2007 Audit of FDIC's
Information Security Program:
Dear Mr. Wilshusen and Dr. Barkakati:
Thank you for the opportunity to comment on the U.S. Government
Accountability Office's (GAO) draft audit report titled, Information
Security: FDIC Sustains Progress but Needs to Improve Configuration
Management of Key Financial Systems, GAO-08-564. The report presents
GAO's assessment of the progress the Federal Deposit Insurance
Corporation (FDIC) has made in correcting or mitigating remaining
information system control weaknesses reported as unresolved at the
time of the GAO's prior review in 2006, as well as outlining GAO's
findings with respect to the effectiveness of the Corporation's
information system controls for protecting the confidentiality,
integrity, and availability of its information and information systems
during 2007.
We are pleased to accept GAO's acknowledgement of the significant
progress FDIC has made in correcting previously reported weaknesses and
improving its information security controls. We are also pleased to
have GAO acknowledge that, although the weaknesses identified warrant
FDIC management's attention, they do not pose a significant risk to the
integrity of the financial statements of either the Deposit Insurance
Fund (DIF) or the FSLIC Resolution Fund (FRF). Further, we appreciate
the work of the GAO and recognize the benefit of a number of the
recommendations made as part of this year's audit. The FDIC has, in
fact, already completed actions to address some of those
recommendations and is actively engaged in completing many others.
The GAO's report contains ten new recommendations to assist FDIC in
further strengthening its information security program. FDIC has
reviewed the recommendations along with the accompanying statements of
condition on which the recommendations are based. In general, FDIC
found the issues to be more limited than presented in the draft report;
however, FDIC has taken action or will take action to improve
configuration management and information security. At this time the
FDIC concurs with one of the findings and recommendations and partially
concurs with the remaining nine. In instances where FDIC did not fully
concur with specific GAO findings and recommendations, FDIC has
developed or implemented plans to adequately address the underlying
risks that prompted the recommendations. In some instances, we chose to
pursue alternative corrective actions. The detailed responses to these
ten new recommendations are provided in Attachment 1. Appendix II of
the GAO's report cites five weaknesses that were identified in the
previous IT security audit and that GAO concludes remain unresolved.
Our responses to these five prior year weaknesses are provided in
Attachment 2. For all but two weaknesses identified in GAO's report,
corrective action has already been or will be completed by December 31,
2008. Corrective action for the remaining two, which are generally low
risk issues, will involve multi-year efforts to ensure a complete
solution.
Once again, we thank you for your past contributions and your work on
this year's audit. We look forward to our dialogue with the GAO as we
continue to enhance our information security program and to discussing
mutually beneficial process improvements for the upcoming year.
If you have any questions relating to the FDIC management response,
please contact James H. Angel, Jr., Director, Office of Enterprise Risk
Management, at 703-562-6456.
Sincerely,
Signed by:
Steven O. App:
Deputy to the Chairman and Chief Financial Officer:
cc: John Bovenzi:
Michael Bartell:
Bret Edwards:
James H. Angel, Jr.
Audit Committee:
[End of section]
Appendix IV: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Gregory C. Wilshusen, (202) 512-6244, [email protected]:
Dr. Nabajyoti Barkakati, (202) 512-4499, [email protected]:
Staff Acknowledgments:
In addition to the individuals named above, William F. Wadsworth
(Assistant Director), Angela M. Bell, Neil J. Doherty, Patrick R.
Dugan, Mickie E. Gray, David B. Hayes, Tammi L. Nguyen, Eugene E.
Stevens IV, Amos A. Tevelow, and Jayne L. Wilson made key contributions
to this report.
[End of section]
Footnotes:
[1] Information system general controls affect the overall
effectiveness and security of computer operations and are not unique to
specific computer applications. These controls include security
management, configuration management, operating procedures, software
security features, and physical protections designed to ensure that
access to data is appropriately restricted, that only authorized
changes to computer programs are made, that incompatible computer-
related duties are segregated, and that backup and recovery plans are
adequate to ensure the continuity of operations.
[2] The Bank Insurance Fund and the Savings Association Insurance Fund
merged to become the Deposit Insurance Fund.
[3] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds'
2007 and 2006 Financial Statements, [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-08-416] (Washington, D.C.: Feb.
11, 2008).
[4] GAO, Information Security: Federal Deposit Insurance Corporation
Needs to Sustain Progress Improving Its Program, [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-07-351] (Washington, D.C.: May
18, 2007).
[5] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-416].
[6] A significant deficiency is a control deficiency, or combination of
deficiencies, that adversely affects the entity's ability to initiate,
authorize, record, process, or report financial data reliably in
accordance with generally accepted accounting principles such that
there is more than a remote likelihood that a misstatement of the
entity's financial statements that is more than inconsequential will
not be prevented or detected.
[7] The CERT Coordination Center is a center of Internet security
expertise located at the Software Engineering Institute, a federally
funded research and development center operated by Carnegie Mellon
University.
[8] GAO, High-Risk Series: Information Management and Technology,
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/HR-97-9] (Washington,
D.C.: February 1997) and High-Risk Series: An Update, [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-07-310] (Washington, D.C.:
January 2007).
[9] FISMA was enacted as title III, E-Government Act of 2002, Pub. L.
No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002).
[10] Federal Deposit Insurance Corporation Act, June 16, 1933, Ch. 89,
§ 8.
[11] FDIC is considered an independent agency of the federal government
and receives no congressional appropriations--it is funded by premiums
that banks and thrift institutions pay for deposit insurance coverage
and from earnings on investments in U.S. Treasury securities.
[12] Pub. L. No. 101-73, § 211, 103 Stat. 183, 218-22 (Aug. 9, 1989).
[13] Pub. L. No. 109-171, Title II, Subtitle B, § 2102, 120 Stat. 9
(Feb. 8, 2006).
[14] The Financing Corporation, established by the Competitive Equality
Banking Act of 1987, is a mixed-ownership government corporation whose
primary purpose was to function as a financing vehicle for the Federal
Savings & Loan Insurance Corporation. Effective December 12, 1991, as
provided by the Resolution Trust Corporation Refinancing, Restructuring
and Improvement Act of 1991, the Financing Corporation's ability to
issue new debt was terminated. Outstanding Financing Corporation bonds,
which are 30-year non-callable bonds with a principal amount of
approximately $8.1 billion, mature in 2017 through 2019.
[15] AIMS II has several purposes; the main purpose is the calculation
of FDIC insured institutions' insurance assessments and Financing
Corporation payments on a quarterly basis. In addition, AIMS II has the
functionality to gather the deposit and other data needed to calculate
the assessments and Financing Corporation payments; allow FDIC
Assessment Operation Section and Assessment Management Section staff to
make necessary adjustments/amendments to financial institution
demographic and financial data; produce invoices; produce Automated
Clearing House files; create assessment entries to post to the NFE-
General Ledger; monitor financial institution changes (e.g., new
institutions, terminated institutions, mergers, branch sales) and
produce management reports.
[16] As a key element of agencies' implementation of FISMA
requirements, OMB has continued to emphasize its long-standing policy
of requiring a management official to formally authorize (or accredit)
an information system to process information and accept the risk
associated with its operation based on a formal evaluation (or
certification) of the system's security controls. For annual reporting,
OMB requires agencies to report the number of systems, including impact
levels, authorized for processing after completing certification and
accreditation.
[17] The current GAO Federal Information System Controls Audit Manual
is draft version 2; the original version, Volume I, was published in
1999.
[18] Software Engineering Institute's CMMI for Development v1.2, August
2006.
[19] RequisitePro is a tool that allows organizations to capture,
track, manage and analyze different types of requirements.
[20] Typical work products associated with this activity include a
requirements traceability matrix.
[21] OMB requires agencies to address remedial actions through plan of
action and milestones for all programs and systems where an information
technology security weakness has been found. The plan lists the
weaknesses and shows estimated resource needs, agency head responsible,
key milestones and completion dates, and the status of corrective
actions.
[22] AIMS II release 10.0 involved the implementation of requirements
associated with the implementation of the deposit insurance reform
legislation in the Deficit Reduction Act of 2005, Pub. L. No. 109-171,
enacted February 8, 2006. Among the new requirements based on the
legislation was the introduction of credits and dividends. FDIC was
required to issue credits to some insured financial institutions, based
on their status and contributions to the insurance fund as of specific
dates. Such credits were based on the assessment base of the eligible
institution as of December 31, 1996. Dividends were then to be paid to
qualifying institutions based on limits for the Deposit Insurance Fund.
A requirement of the Federal Deposit Insurance Reform Act of was to
merge the Bank Insurance Fund and Savings Association Insurance Fund
into one fund, the Deposit Insurance Fund.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: [email protected]:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, [email protected]:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, [email protected]:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
*** End of document. ***