Information Security: FDIC Sustains Progress but Needs to Improve
Configuration Management of Key Financial Systems (30-MAY-08,	 
GAO-08-564).							 
                                                                 
The Federal Deposit Insurance Corporation (FDIC) has a demanding 
responsibility enforcing banking laws, regulating financial	 
institutions, and protecting depositors. Effective information	 
security controls are essential to ensure that FDIC systems and  
information are adequately protected from inadvertent misuse,	 
fraudulent, or improper disclosure. As part of its audit of	 
FDIC's 2007 financial statements, GAO assessed (1) the progress  
FDIC has made in mitigating previously reported information	 
security weaknesses and (2) the effectiveness of FDIC's controls 
in protecting the confidentiality, integrity, and availability of
its financial systems and information. To do this, GAO examined  
security policies, procedures, reports, and other documents;	 
observed controls over key financial applications; and		 
interviewed key FDIC personnel. 				 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-564 					        
    ACCNO:   A82218						        
  TITLE:     Information Security: FDIC Sustains Progress but Needs to
Improve Configuration Management of Key Financial Systems	 
     DATE:   05/30/2008 
  SUBJECT:   Access control					 
	     Banking law					 
	     Computer security					 
	     Configuration control				 
	     Data encryption					 
	     Data integrity					 
	     Data transmission					 
	     Financial disclosure				 
	     Financial institutions				 
	     Financial management systems			 
	     Information security				 
	     Information security management			 
	     Information security regulations			 
	     Information systems				 
	     Internal controls					 
	     Law enforcement					 
	     Passwords						 
	     Physical security					 
	     Risk assessment					 
	     Risk management					 
	     Security assessments				 
	     Program implementation				 
	     GAO High Risk Series				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-08-564


This is the accessible text file for GAO report number GAO-08-564 
entitled 'Information Security: FDIC Sustains Progress but Needs to 
Improve Configuration Management of Key Financial Systems' which was 
released on May 30, 2008.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to [email protected]. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Chief Financial Officer and Chief Operating Officer, 
Federal Deposit Insurance Corporation: 

United States Government Accountability Office: 
GAO: 

May 2008: 

Information Security: 

FDIC Sustains Progress but Needs to Improve Configuration Management of 
Key Financial Systems: 

GAO-08-564: 

GAO Highlights: 

Highlights of GAO-08-564, a report to the Chief Financial Officer and 
Chief Operating Officer, Federal Deposit Insurance Corporation. 

Why GAO Did This Study: 

The Federal Deposit Insurance Corporation (FDIC) has a demanding 
responsibility enforcing banking laws, regulating financial 
institutions, and protecting depositors. Effective information security 
controls are essential to ensure that FDIC systems and information are 
adequately protected from inadvertent misuse, fraudulent, or improper 
disclosure. 

As part of its audit of FDICï¿½s 2007 financial statements, GAO assessed 
(1) the progress FDIC has made in mitigating previously reported 
information security weaknesses and (2) the effectiveness of FDICï¿½s 
controls in protecting the confidentiality, integrity, and availability 
of its financial systems and information. To do this, GAO examined 
security policies, procedures, reports, and other documents; observed 
controls over key financial applications; and interviewed key FDIC 
personnel. 

What GAO Found: 

FDIC has made significant progress in mitigating previously reported 
information security weaknesses. Specifically, it has corrected or 
mitigated 16 of the 21 weaknesses that GAO had previously reported as 
unresolved at the completion of the 2006 audit. For example, FDIC has 
improved physical security controls over access to its Virginia Square 
computer processing facility, instructed personnel to use more secure e-
mail methods to protect the integrity of certain accounting data 
transferred over an internal communication network, and updated the 
security plan and contingency plan of a key financial system. In 
addition, FDIC stated it has initiated and completed some actions to 
mitigate the remaining five prior weaknesses. However, we have not 
verified that these actions have been completed. 

Although FDIC has made significant progress improving its information 
system controls, old and new weaknesses could limit the corporationï¿½s 
ability to effectively protect the confidentiality, integrity, and 
availability of its financial systems and information. In addition to 
the five previously reported weaknesses that remain unresolved, newly 
identified weaknesses in access controls and configuration management 
controls introduce risk to two key financial systems. For example, FDIC 
did not always implement adequate access controls. Specifically, 
multiple FDIC users shared the same login ID and password, had 
unrestricted access to application source code, and used passwords that 
were not adequately encrypted. In addition, FDIC did not adequately (1) 
maintain a full and complete baseline for system requirements; (2) 
assign unique identifiers to configuration items; (3) authorize, 
document, and report all configuration changes; and (4) perform 
configuration audits. Although these weaknesses do not pose significant 
risk of misstatement of the corporationï¿½s financial statements, they do 
increase preventable risk to the corporationï¿½s financial systems and 
information. A key reason for these weaknesses is that FDIC did not 
always fully implement key information security program activities. For 
example, it did not adequately conduct configuration control testing or 
complete the remedial action plan in a timely manner and did not 
include necessary and key information. Until FDIC fully performs key 
information security program activities, its ability to maintain 
adequate control over its financial systems and information will be 
limited. 

What GAO Recommends: 

GAO recommends that FDIC take actions to improve access and 
configuration management controls and to perform key information 
security program activities for two financial systems. FDIC concurred 
with one and partially concurred with nine of GAOï¿½s recommendations and 
has developed or implemented plans to address these recommendations. In 
some instances, FDIC chose to pursue alternative corrective actions. If 
the corporation effectively implements these alternative actions to 
reduce risk, it will satisfy the intent of our recommendations. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-564]. For more 
information, contact Gregory C. Wilshusen, at (202) 512-6244 or 
[email protected], or Dr. Nabajyoti Barkakati at (202) 512-4499 or 
[email protected]. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

FDIC Has Made Significant Progress Mitigating Previously Reported 
Weaknesses: 

Weaknesses Continue to Reduce the Security of Financial Information: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Status of Previously Reported Weaknesses: 

Appendix III: Comments from the Federal Deposit Insurance Corporation: 

Appendix IV: GAO Contacts and Staff Acknowledgments: 

Tables: 

Table 1: NFE Does Not Have Unique Identifiers for the Same Requirement: 

Table 2: AIMS II Does Not Have Unique Identifiers for the Same 
Requirement: 

Table 3: AIMS II RequisitePro Requirements on the Traceability Matrix 
Do Not Match the Software Requirements Specification: 

Abbreviations: 

AIMS II: Assessment Information Management System II: 

CERT: Computer Emergency Response Team: 

CIO: Chief Information Officer: 

CMMI: Capability Maturity Modelï¿½ Integration: 

FDIC: Federal Deposit Insurance Corporation: 

FIPS: Federal Information Processing Standard: 

FISMA: Federal Information Security Management Act: 

NFE: New Financial Environment: 

NIST: National Institute of Standards and Technology: 

OMB: Office of Management and Budget: 

SRS: Software Requirement Specification: 

US-CERT: United States Computer Emergency Readiness Team: 

[End of section] 

United States Government Accountability Office:
Washington, DC 20548: 

May 30, 2008: 

The Honorable Steven O. App: 
Deputy to the FDIC Chairman and Chief Financial Officer: 
Federal Deposit Insurance Corporation: 

The Honorable John F. Bovenzi: 
Deputy to the FDIC Chairman and Chief Operating Officer: 
Federal Deposit Insurance Corporation: 

The Federal Deposit Insurance Corporation (FDIC) has a demanding 
responsibility enforcing banking laws, regulating banking institutions, 
and protecting depositors. In carrying out its financial and mission-
related operations, FDIC relies extensively on computerized systems. 
Because FDIC plays an important role in maintaining public confidence 
in the nation's financial system, issues that affect the 
confidentiality, integrity, and availability of sensitive information 
maintained on its systems--such as personnel and regulatory 
information--are of paramount concern. In particular, effective 
information security controls[Footnote 1] are essential to ensure that 
FDIC systems and information are adequately protected from inadvertent 
or deliberate misuse, fraudulent use, improper disclosure, or 
destruction. 

As part of our audit of the calendar year 2007 financial statements of 
the Deposit Insurance Fund[Footnote 2] and the Federal Savings & Loan 
Insurance Corporation Resolution Fund[Footnote 3], we assessed (1) the 
progress FDIC has made in mitigating previously reported information 
security weaknesses[Footnote 4] and (2) the effectiveness of FDIC's 
controls in protecting the confidentiality, integrity, and availability 
of its financial systems and information. 

In our audit report[Footnote 5] of the calendar year 2007 financial 
statements for FDIC's funds, we concluded that issues related to 
information security controls did not constitute a significant 
deficiency in internal controls with respect to financial reporting and 
compliance with laws and regulations.[Footnote 6] We also stated in the 
report that continued management commitment to an effective information 
security program will be essential to ensuring that the corporation's 
financial systems and information will be adequately protected. 

We performed our audit work from October 2007 to May 2008 in accordance 
with generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for our findings and conclusions 
based on our audit objectives. See appendix I for additional details on 
our objectives, scope, and methodology. 

Results in Brief: 

FDIC has made significant progress in mitigating previously reported 
information security weaknesses. Specifically, it has corrected or 
mitigated 16 of the 21 weaknesses that we had previously reported as 
unresolved at the completion of the 2006 audit. For example, FDIC has 
improved physical security controls over access to the Virginia Square 
computer processing facility, instructed personnel to use more secure e-
mail methods to protect the integrity of certain accounting data 
transferred over an internal communication network, updated the 
security plan of a key financial system called the New Financial 
Environment (NFE) to clearly identify all common security controls, 
developed procedures to report computer security incidents, and updated 
the NFE contingency plan. However, FDIC has not yet completed actions 
to: 

* effectively generate NFE audit reports; 

* maintain a complete listing of all NFE configuration items, including 
application software, data files, software development tools, hardware, 
and documentation; 

* properly segregate incompatible system-related functions, duties, and 
capacities for an individual associated with the NFE; 

* effectively implement or accurately report the status of its remedial 
actions; and; 

* properly update the NFE risk assessment. 

FDIC stated it has initiated and completed some actions to mitigate the 
remaining five prior year weaknesses. However, we have not verified 
that these actions have been completed. Although FDIC has made 
significant progress improving its information system controls, old and 
new weaknesses could limit the corporation's ability to effectively 
protect the confidentiality, integrity, and availability of its 
financial systems and information. In addition to the five previously 
reported weaknesses that remain unresolved, newly identified weaknesses 
in access controls and configuration management controls introduce risk 
to two key financial systems. For example, FDIC did not always 
implement adequate access controls. Specifically, multiple FDIC users 
shared the same login ID and password, had unrestricted access to 
application source code, and used a password that was not adequately 
encrypted. In addition, FDIC did not adequately (1) maintain a full and 
complete baseline for system requirements; (2) assign unique 
identifiers to configuration items; (3) authorize, document, and report 
all configuration changes; and (4) perform configuration audits. 
Although these weaknesses do not pose a significant risk of material 
misstatement of the corporation's financial statements, they do 
increase preventable risk to the corporation's financial systems and 
information. 

A key reason for these weaknesses is that FDIC did not always fully 
implement key information security program activities. For example, it 
did not adequately conduct configuration control testing or complete 
remedial action plans in a timely manner and did not include necessary 
and key information. Until FDIC fully performs key information security 
program activities, there is an increased risk that it may not be able 
to maintain adequate control over its financial systems and 
information. 

We are making 10 recommendations to the Chief Operating Officer to 
direct the Chief Information Officer (CIO) to address actions to 
correct access and configuration management control weaknesses and to 
perform key information security program activities for the NFE and 
Assessment Information Management System II (AIMS II) systems. 

In written comments on a draft of this report, FDIC's Deputy to the 
Chairman and Chief Financial Officer stated that FDIC has taken action 
or will take action to improve configuration management and information 
security. Although FDIC concurred with one and partially concurred with 
the remaining nine recommendations, the Deputy noted that FDIC has 
already completed actions to address some of these recommendations and 
is actively engaged in completing many others. In some instances, FDIC 
chose to pursue alternative corrective actions. If the corporation 
effectively implements these alternative actions to reduce risk, it 
will satisfy the intent of our recommendations. 

Background: 

Information security is a critical consideration for any organization 
that depends on information systems and computer networks to carry out 
its mission or business and is especially important for government 
agencies, where maintaining the public's trust is essential. While the 
dramatic expansion in computer interconnectivity and the rapid increase 
in the use of the Internet have enabled corporations such as FDIC to 
better achieve its mission and provide information to the public, the 
changes also expose federal networks and systems to various threats. 
For example, the Federal Bureau of Investigation has identified 
multiple sources of cyber threats, including foreign nation states 
engaged in information warfare, domestic criminals, hackers, virus 
writers, and disgruntled employees working within an organization. 
According to a May 2005 report by the U.S. Secret Service and the 
Computer Emergency Response Team (CERT) Coordination Center,[Footnote 
7] "insiders pose a substantial threat by virtue of their knowledge of, 
and access to, employer systems and/or databases." 

These concerns are well-founded for a number of reasons, including the 
dramatic increase in reports of security incidents, the ease of 
obtaining and using hacking tools, and steady advances in the 
sophistication and effectiveness of attack technology. For example, the 
number of incidents reported by federal agencies to the United States 
Computer Emergency Readiness Team (US-CERT) has increased dramatically 
over the past 3 years, increasing from 3,634 incidents reported in 
fiscal year 2005 to 13,029 incidents in fiscal year 2007 (about a 259 
percent increase). 

Without proper safeguards, systems are vulnerable to individuals and 
groups with malicious intent who can intrude and use their access to 
obtain or manipulate sensitive information, commit fraud, disrupt 
operations, or launch attacks against other computer systems and 
networks. 

Our previous reports, and those by inspectors general, describe 
persistent information security weaknesses that place federal agencies 
at risk of disruption, fraud, or inappropriate disclosure of sensitive 
information. Accordingly, we have designated information security as a 
governmentwide high-risk area since 1997,[Footnote 8] a designation 
that remains in force today. Recognizing the importance of securing 
federal agencies' information systems, Congress enacted the Federal 
Information Security Management Act (FISMA) in December 2002[Footnote 
9] to strengthen the security of information and systems within federal 
agencies. FISMA requires each agency to develop, document, and 
implement an agencywide information security program to provide 
information security for the information and systems that support the 
operations and assets of the agency, using a risk-based approach to 
information security management. 

FDIC Is a Key Protector of Bank and Thrift Depositors: 

FDIC is an independent agency created by Congress that maintains the 
stability and public confidence in the nation's financial system by 
insuring deposits, examining and supervising financial institutions, 
and managing receiverships. Congress created FDIC in 1933[Footnote 10] 
in response to the thousands of bank failures that occurred in the 
1920s and early 1930s[Footnote 11]. The corporation identifies, 
monitors, and addresses risks to the deposit insurance funds when a 
bank or thrift institution fails. 

The Bank Insurance Fund and the Savings Association Insurance Fund were 
established as FDIC responsibilities under the Financial Institutions 
Reform, Recovery, and Enforcement Act of 1989, which sought to reform, 
recapitalize, and consolidate the federal deposit insurance system. 
[Footnote 12] The act also designated FDIC as the administrator of the 
Federal Savings & Loan Insurance Corporation Resolution Fund, which was 
created to complete the affairs of the former Federal Savings & Loan 
Insurance Corporation and liquidate the assets and liabilities 
transferred from the former Resolution Trust Corporation. 

The Bank Insurance Fund and the Savings Association Insurance Fund 
merged into the Deposit Insurance Fund on February 8, 2006, as a result 
of the President signing the Federal Deposit Insurance Reform Act of 
2005 into law.[Footnote 13] With the congressional approval of the 
Federal Deposit Insurance Reform Act of 2005, FDIC was required to 
ensure that approximately 7,400 eligible member institutions received a 
one-time assessment credit totaling $4.7 billion. 

FDIC insures deposits in excess of $4 trillion for its 8,571 member 
institutions. It had a budget of about $1.1 billion for calendar year 
2007 to support its activities in managing the funds. For that year, it 
processed almost 16.4 million financial transactions. 

FDIC Reliance on Computer Systems: 

FDIC relies extensively on computerized systems to support its 
financial operations and store the sensitive information that it 
collects. Its local and wide area networks interconnect these systems. 
To support its financial management functions, the corporation relies 
on many systems including the NFE, a corporate-wide effort focused on 
implementing an enterprisewide, integrated software system. In 
addition, the corporation relies on the AIMS II to calculate and 
collect FDIC deposit insurance premiums and Financing Corporation 
[Footnote 14] bond principal and interest amounts from insured 
financial institutions.[Footnote 15] FDIC financial systems also 
process and track financial transactions such as disbursements made to 
support operations. 

Under FISMA, the Chairman is responsible for, among other things, (1) 
providing information security protections commensurate with the risk 
and magnitude of the harm resulting from unauthorized access, use, 
disclosure, disruption, modification, or destruction of the agency's 
information systems and information; (2) ensuring that senior agency 
officials provide information security for the information and 
information systems that support the operations and assets under their 
control; and (3) delegating to the corporation's CIO the authority to 
ensure compliance with the requirements imposed on the agency under 
FISMA. 

Two deputies to the Chairman--the Chief Financial Officer and Chief 
Operating Officer--have information security responsibilities. The 
Chief Financial Officer has information security responsibilities 
insofar as he is part of a senior management group that oversees the 
NFE and AIMS II security team. He is also responsible for the 
preparation of financial statements and ensures that they are fairly 
presented and demonstrate discipline and accountability. 

In addition, the Chief Operating Officer has information security 
responsibilities. He supervises the CIO, who is responsible for 
developing and maintaining a corporate-wide information security 
program and for developing and maintaining information security 
policies, procedures, and control techniques that address all 
applicable requirements. The CIO also serves as the authorizing 
official with the authority to approve the operation of the information 
system at an acceptable level of risk to the enterprise. The CIO 
supervises the Chief Information Security Officer, who is in charge of 
information security at the corporation. The Chief Information Security 
Officer serves as the CIO's designated representative responsible for 
the overall support of the certification and accreditation[Footnote 16] 
activities. 

FDIC Has Made Significant Progress Mitigating Previously Reported 
Weaknesses: 

FDIC has made significant progress in mitigating previously reported 
information security weaknesses. Specifically, it has corrected or 
mitigated 16 of the 21 weaknesses that we had previously reported as 
unresolved at the completion of the 2006 audit (see app. II). For 
example, FDIC has enhanced physical security controls, instructed 
personnel to use more secure e-mail methods to protect the integrity of 
certain accounting data transferred over an internal communication 
network, updated the NFE security plan to clearly identify all common 
security controls, developed procedures to report computer security 
incidents, and updated the NFE contingency plan. 

While the corporation has made significant progress in resolving known 
weaknesses, it has not completed actions to mitigate the remaining five 
weaknesses. Specifically FDIC has not: 

* effectively generated NFE audit reports; 

* maintained a complete listing of all NFE configuration items, 
including application software, data files, software development tools, 
hardware, and documentation; 

* properly segregated incompatible system-related functions, duties, 
and capacities for an individual associated with the NFE; 

* effectively implemented or accurately reported the status of its 
remedial actions; and; 

* properly updated the NFE risk assessment. 

FDIC stated it has initiated and completed some actions to mitigate the 
remaining five prior year weaknesses. However, we have not verified 
that these actions have been completed. Not addressing these actions 
could leave the corporation's financial data vulnerable to an increased 
risk of unauthorized access and manipulation. 

Appendix II describes the previously reported weaknesses in information 
security controls that were unresolved at the time of our prior review 
and the status of the corporation's corrective actions. 

Weaknesses Continue to Reduce the Security of Financial Information: 

Although FDIC has made significant progress improving its information 
system controls, old and new weaknesses could limit the corporation's 
ability to effectively protect the confidentiality, integrity, and 
availability of its financial systems and information. In addition to 
the five previously reported weaknesses that remain unresolved, newly 
identified weaknesses in access controls and configuration management 
controls introduce risk to two key financial systems. A key reason for 
these weaknesses is that FDIC did not always fully implement key 
information security program activities. As a result, increased risk 
exists of unauthorized disclosure or modification of financial 
information. 

Weaknesses in Access Control Warrant Management Attention: 

A basic management objective for any organization is to protect the 
resources that support its critical operations and assets from 
unauthorized access. Organizations accomplish this objective by 
designing and implementing controls that are intended to prevent, 
limit, and detect unauthorized access to computer resources (data, 
programs, equipment, and facilities), thereby protecting them from 
unauthorized disclosure, modification, and loss. FDIC developed 
policies and procedures on access control which, among other things, 
stated that login ID and password combinations should not be shared, 
access to application source code should be restricted unless users 
have a legitimate business need for access, and passwords should be 
adequately encrypted. 

However, FDIC did not always implement certain access controls, as the 
following examples show: 

* Multiple FDIC users in a production control unit in one division and 
multiple users in another division share the same NFE logon ID and 
password. As a result, increased risk exists that individual 
accountability for authorized, as well as unauthorized system activity 
could be lost. 

* All users of the AIMS II application have full access to the 
application production code although their job responsibilities do not 
require such access. As a result, increased risk exists that 
individuals could circumvent security controls and deliberately or 
inadvertently read, modify, or delete critical source code. 

* One database connection could be compromised because the password is 
not adequately encrypted with a Federal Information Processing 
Standards 140-2 compliant algorithm. As a result, increased risk exists 
that the database could be compromised by unauthorized individuals who 
could then potentially change, add, or delete information. 

Weaknesses in Configuration Management Controls Increased Risk: 

Our Federal Information System Controls Audit Manual[Footnote 17] 
states that configuration management involves the identification and 
management of security features for all hardware and software 
components of an information system at a given point and systematically 
controls changes to that configuration during the system's life cycle. 
An effective configuration management process consists of four primary 
areas, each of which should be described in a configuration management 
plan and implemented according to the plan. The four are as follows: 

* Configuration identification: procedures for identifying, 
documenting, and assigning unique identifiers (for example, serial 
number and name) to requirements, design documents, and the system's 
hardware and software component parts, generally referred to as 
configuration items; 

* Configuration control: procedures for evaluating and deciding whether 
to approve changes to a system's baseline configuration; decision 
makers such as a Configuration Control Board evaluate proposed changes 
on the basis of costs, benefits, and risks, and decide whether to 
permit a change; 

* Configuration status accounting: procedures for documenting the 
status of configuration items as a system evolves; and; 

* Configuration auditing: procedures for determining traceability 
between the actual system and the documentation describing it (such as 
requirements documentation), thereby ensuring that the documentation 
used to support decision making is complete and correct. Configuration 
audits are performed when a significant system change is introduced and 
help to ensure that only authorized changes are being made and that 
systems are operating securely and as intended. 

FDIC has made progress in implementing each of the four configuration 
management areas. Specifically, for configuration identification, FDIC 
has documented procedures for identifying and assigning unique 
identifiers and naming configuration items. For configuration control, 
it has documented procedures for requesting changes to configuration 
items, established configuration management plans that document 
employee roles and responsibilities, developed a Change Control Board 
that reviews changes to configuration items, and implemented 
configuration management tools. In addition, for configuration status 
accounting, FDIC has developed configuration management status 
accounting reports. Further, for configuration auditing, it has 
conducted testing and evaluation of releases. 

However, FDIC has not executed adequate controls over the configuration 
management of the NFE and AIMS II information system components. 
Specifically, it did not adequately (1) maintain a full and complete 
baseline for system requirements; (2) assign unique identifiers to 
configuration items; (3) authorize, document, and report all 
configuration changes; and (4) perform configuration audits. As a 
result, increased risk exists that functional requirements for these 
system components were not adequately implemented, managed, or 
maintained. In addition, increased risk exists that inconsistencies 
among requirements were not identified, and documents were not 
correctly associated with the correct releases. 

FDIC Did Not Adequately Maintain a Full and Complete Requirements 
Baseline: 

An entity should maintain current configuration information in a formal 
configuration baseline that contains the configuration information 
formally designated at a specific time during a product's or product 
component's life. The Software Engineering Institute's Capability 
Maturity Modelï¿½ Integration[Footnote 18] (CMMI) defines a baseline as a 
set of specifications or work products that has been formally reviewed 
and agreed on, which thereafter serves as the basis for further 
development or delivery, and that can be changed only through change 
control procedures. The NFE configuration management plan states that a 
baseline is a set of configuration items and their corresponding 
changes. The plan also states that changes to the requirements baseline 
should be controlled as part of configuration management throughout the 
life of the product. 

FDIC did not maintain a full and complete requirements baseline for NFE 
and AIMS II. For example, it could not provide a complete history of 
all approved requirements and changes to those requirements for NFE. 
Furthermore, although FDIC officials have stated that RequisitePro 
[Footnote 19] is the system of record for requirements, not all 
requirements for NFE or AIMS II were in RequisitePro. For example, 
requirements that were documented in the Software Requirement 
Specification (SRS) and architecture design documents were not included 
in RequisitePro. As a result, increased risk exists that requirements 
for these two systems were not adequately implemented, managed, or 
maintained and that the system may not function as intended. 

FDIC Did Not Consistently Assign Unique Identifiers to Configuration 
Items: 

Software Engineering Institute's CMMI and the FDIC configuration 
management plan state that configuration items should have unique 
identifiers and naming conventions. Identifying items that fall under 
configuration management control is a key step in the configuration 
management process. A consistent naming convention for configuration 
items is important to ensure that requirements are consistently and 
uniquely identified, verifiable, and traceable. When the requirements 
have unique identifiers and are managed well, traceability can be 
established from the source requirement to its lower level requirements 
and from the lower level requirements back to the source. Such 
bidirectional traceability through unique identifiers helps determine 
that all source requirements have been completely addressed and that 
all lower level requirements can be traced to a valid source.[Footnote 
20] 

FDIC did not consistently assign or use unique identifiers to identify 
or trace NFE and AIMS II configuration items such as requirements. 
Specifically, FDIC assigned multiple identifiers for the same 
requirement and did not always use the assigned identifiers to identify 
requirements in certain documents. For example, as illustrated in table 
1 as follows: 

* NFE used "SR numbers" to identify requirements in the implementation 
report, test plan, test summary, and RequisitePro traceability matrix 
report but not in the SRS and the design document. 

* The NFE requirement numbers on the implementation report and the 
RequisitePro traceability matrix report were different compared with 
those identified on the test plan and test summary for the same 
requirement. For example, the configuration item identifier for change 
request 4739 was "SR36" on the implementation report and the 
RequisitePro traceability matrix, but was "SR7" on the test plan and 
test summary. 

Table 1: NFE Does Not Have Unique Identifiers for the Same Requirement: 

Document: Requirement identifiers; 
Change request number: 4739; 
SRS: No SR numbers-only change request numbers; 
Design document: No SR numbers-only change request numbers; 
Implementation report: SR36; 
Test plan: SR7; 
Test summary: SR7; 
RequisitePro traceability matrix: SR36. 

Document: Requirement identifiers; 
Change request number: Document: 4757; 
SRS: No SR numbers-only change request numbers; 
Design document: No SR numbers-only change request numbers; 
Implementation report: SR38; 
Test plan: SR3; 
Test summary: SR3; 
RequisitePro traceability matrix: SR38. 

Document: Requirement identifiers; 
Change request number: 4782; 
SRS: No SR numbers-only change request numbers; 
Design document: No SR numbers-only change request numbers; 
Implementation report: SR40,41; 
Test plan: SR6; 
Test summary: SR6; 
RequisitePro traceability matrix: SR40, 41. 

Source: GAO analysis of FDIC documentation. 

[End of table] 

FDIC also did not consistently assign or use unique identifiers to 
identify or trace AIMS II requirements. For example, the following 
illustrates this also in table 2: 

* AIMS II uses "paragraph numbers" to identify requirements in the SRS, 
test plan, and RequisitePro traceability matrix report but not in the 
architecture design document or some instances in the test summary. 

* The SRS paragraph number for one particular requirement is described 
as located at 3.1.1.6; however, the RequisitePro traceability matrix 
report points to the wrong paragraph number 3.1.1.2 and introduces 
another identifier "REQS2." 

Table 2: AIMS II Does Not Have Unique Identifiers for the Same 
Requirement: 

Document: Requirement identifiers; 
SRS paragraph number: 3.1.1.6; 
Architecture design (paragraph number in architecture document): 
Component changes: Section 5.2.4, Section 6.3; 
Test plan (ref to SRS number): 3.1.1.6; 
Test summary (ref to SRS number): none; 
RequisitePro traceability matrix (ref to SRS number and RequisitePro 
number): 3.1.1.2 REQS2. 

Document: Requirement identifiers; 
SRS paragraph number: 3.1.1.7; 
Architecture design (paragraph number in architecture document): UI 
changes: Figure 19; 
Test plan (ref to SRS number): 3.1.1.7; 
Test summary (ref to SRS number):3.1.1.7; 
RequisitePro traceability matrix (ref to SRS number and RequisitePro 
number): 3.1.1.5 REQS5. 

Document: Requirement identifiers; 
SRS paragraph number: 3.1.1.8; 
Architecture design (paragraph number in architecture document): UI 
changes: Figure 20; 
Test plan (ref to SRS number): 3.1.1.8; 
Test summary (ref to SRS number): 3.1.1.8; 
RequisitePro traceability matrix (ref to SRS number and RequisitePro 
number): 3.1.1.6 REQS6. 

Source: GAO analysis of FDIC documentation. 

[End of table] 

As a result of the lack of consistency in assigning and using unique 
identifiers for requirements, FDIC had many problems in tracing 
requirements. For example, our review of the AIMS II release 10.0 SRS, 
Software Architecture Document, test summary, and RequisitePro reports 
showed several misalignments in 96 requirements numbers described in 
the RequisitePro traceability matrix. The following are examples: 

* Requirements 3.1.2.7 to 3.1.2.26 are documented in the test summary 
document but do not appear in the RequisitePro report. 

* Requirements 3.1.4.15 through 3.1.4.26 were missing from the SRS and 
test summary, though they were documented in the RequisitePro report. 

* A requirement is also traced to SRS 3.1.1.19 when there is no SRS 
paragraph 3.1.1.19. 

Table 3 illustrates an example of a misaligned AIMS II requirement 
(3.1.1.8). In this example, "high priority" requirement REQS 8 on the 
RequisitePro traceability matrix is linked to a requirement in the SRS 
described as paragraph 3.1.1.8. As can be seen, the requirement has the 
same number, but the requirement is not the same. 

Table 3: AIMS II RequisitePro Requirements on the Traceability Matrix 
Do Not Match the Software Requirements Specification: 

Requirement description in AIMS II RequisitePro requirements 
traceability matrix: REQS8: The system shall provide the functionality 
to apply the one-time credit eligible amount to the institution's FDIC 
payment. The amount shall be applied as a debit/credit record on its 
own line on the invoice. The system shall incorporate the business 
rules to determine the maximum amount that can be applied towards the 
FDIC payment; 
AIMS II Requirements traceability matrix stated it is linked to SRS 
number: 3.1.1.8; 
SRS with description of the associated number, which does not match the 
requirement traceability matrix: 3.1.1.8 The Credit Balance Screen 
shall contain the institution's beginning credit balance, credit amount 
acquired for the current quarter through acquisitions, credit amount 
transferred in, credit amount transferred out, total credit amount 
available for use this quarter, credit amount applied to current 
quarter assessment, the ending credit balance, and the associated 
limitations to the credits applied. 

Source: GAO analysis of FDIC documentation. 

[End of table] 

Consequently, traceability cannot be adequately established from the 
source requirement to its lower level requirements and from the lower 
level requirements back to the source to ensure that all source 
requirements have been completely addressed. 

FDIC Did Not Adequately Authorize, Document, and Report All 
Configuration Changes: 

The Software Engineering Institute's CMMI and the FDIC configuration 
management plan state that an entity should properly control all 
configuration changes. This covers a wide range of activities to 
include the following: a change control board should authorize and 
approve all configuration changes, change requests should be adequately 
documented, and status accounting reports should allow users to see 
baselines, trace requirements throughout the release, and be accurate. 

However, FDIC did not adequately authorize, document, and report all 
configuration changes. 

* The FDIC Change Control Board did not authorize and approve all 
configuration changes for NFE and AIMS II. For example, PeopleSoft 
access control changes were not made through the Change Control Board. 

* Change requests were not adequately documented. For example, 
implementation date and version number were left out on all change 
requests for NFE and AIMS II. 

* Status accounting reports neither showed baselines, traced 
requirements throughout the release, nor were accurate. For example, 
FDIC could not generate a complete requirements baseline report for NFE 
or AIMS II. In addition, it could not produce configuration management 
reports of all PeopleSoft configuration items. Furthermore, 
traceability reports were manually generated and had many errors. 

As a result, increased risk exists that unauthorized changes could be 
made or introduced to FDIC's systems. 

FDIC Did Not Adequately Perform Configuration Audits: 

Software Engineering Institute's CMMI and the FDIC configuration 
management plans state that configuration audits should be conducted to 
verify that the teams are following the configuration management 
process and to ensure all approved items are built. These audits 
consist of a physical and functional configuration audit. The physical 
audit consists of validating and verifying that all items are under 
configuration management control, configuration items are identified, 
and team members are following the configuration management process. 
Another type of configuration audit that must be conducted is the 
functional configuration audit. A functional configuration audit 
consists of tracing configuration items from requirements and design to 
the final delivered release baseline. 

FDIC performed limited configuration auditing of NFE and AIMS II. For 
example, both NFE and AIMS II had developed auditing check lists and 
made sure independent testing was conducted. However, FDIC did not 
adequately ensure that configuration audits verified and validated the 
configuration management process and ensured that all approved items 
were built. For example, FDIC did not verify and validate in a physical 
audit that all items are under configuration management control since 
changes were being made without the Configuration Control Board's 
approval. In addition, teams were not assigning unique identifiers as 
required by the configuration management plans. Furthermore, FDIC did 
not verify and validate in a functional audit that adequate 
traceability existed since requirements could not be traced backward 
and forward from design to the final delivered release baseline. As a 
result, the risk exists that the configuration audits did not 
adequately verify and validate that functional requirements were 
adequately implemented, managed, and maintained. 

FDIC Has Not Fully Implemented Its Information Security Program: 

FDIC has made important progress in implementing the corporation's 
information security program; however, a key reason for these 
information security weaknesses is that FDIC did not always fully 
implement key information security program activities. FDIC requires 
its components to implement information security program activities in 
accordance with FISMA requirements, Office of Management and Budget 
(OMB) policies, and applicable National Institute of Standards and 
Technology (NIST) guidance. Among other things, FISMA requires agencies 
to develop, document, and implement: 

* periodic assessments of the risk and magnitude of harm that could 
result from the unauthorized access, use, disclosure, disruption, 
modification, or destruction of information or information systems; 

* plans for providing adequate information security for networks, 
facilities, and systems; 

* security awareness training to inform personnel of information 
security risks and of their responsibilities in complying with agency 
policies and procedures, as well as training personnel with significant 
security responsibilities for information security; 

* periodic testing and evaluation of the effectiveness of information 
security policies, procedures, and practices, performed with a 
frequency depending on risk, but no less than annually, and that 
includes testing of management, operational, and technical controls for 
every system identified in the agency's required inventory of major 
information systems; 

* a process for planning, implementing, evaluating, and documenting 
remedial actions to address any deficiencies in information security 
policies, procedures, and practices of the agency;[Footnote 21] 

* procedures for detecting, reporting, and responding to security 
incidents; and; 

* plans and procedures to ensure continuity of operations for 
information systems that support the operations and assets of the 
agency. 

FDIC has taken several actions to implement elements of its information 
security program. For example, FDIC has: 

* included nonmajor applications in major systems security plans and 
developed a new security plan template; 

* implemented a risk assessment process that identified possible 
threats and vulnerabilities to its systems and information, as well as 
the controls needed to mitigate potential vulnerabilities; 

* implemented a test and evaluation process to assess the effectiveness 
of information security policies, procedures, and practices; 

* ensured that vulnerabilities identified during its tests and 
evaluations are addressed in its remedial action plans; 

* established a system for documenting and tracking corrective actions; 

* recognized that NFE users are not physically or logically separated 
in terms of what they are allowed to access within NFE; 

* implemented an incident handling program, including establishing a 
team and associated procedures for detecting, responding to, and 
reporting computer security incidents; 

* developed an incident response policy to review events related to 
data loss, disclose, inappropriate access and loss of equipment in the 
Division of Finance to determine whether the events are computer 
security incidents; and; 

* developed the corporation's business continuity of operations, 
updated the contingency plans and business impact analyses, and 
assessed the effectiveness of the plans through testing at a disaster 
recovery site. 

However, FDIC did not always fully implement key information security 
program activities for NFE and AIMS II. For example, it did not 
adequately conduct configuration control testing or complete remedial 
action plans in a timely manner to include key information. Until FDIC 
fully performs key information security program activities, its risk is 
increased because it may not be able to maintain adequate control over 
its financial systems and information. 

Although Controls Were Tested and Evaluated, Tests Were Not Always 
Adequate: 

A key element of an information security program is testing and 
evaluating system configuration controls to ensure that they are 
appropriate, effective, and comply with policies. According to NIST, 
the organization should (1) develop, document, and maintain a current 
baseline configuration of the information system and update the 
baseline configuration of the information system and (2) assess the 
degree of consistency between system documentation and its 
implementation in security tests, to include tests of configuration 
management controls. 

FDIC did not adequately test NFE configuration management controls. We 
found that the depth of FDIC's system testing and evaluation for 
configuration management controls were insufficient since we identified 
vulnerabilities in the configuration management process during our 
testing that FDIC did not. Specifically, the NFE system test and 
evaluation report stated that FDIC developed, documented, and 
maintained a current baseline configuration; however, as we have 
previously stated in the report, we found that FDIC did not maintain a 
full and complete requirements baseline for NFE. In addition, the NFE 
system test and evaluation stated that FDIC authorizes and controls 
changes to the information system; however, as we have previously 
stated in the report, we found that some configuration changes were not 
being authorized and controlled by the Configuration Control Board. 
Furthermore, the NFE system test and evaluation stated that 
configuration items were uniquely identified and stored in 
configuration management libraries, yet we found FDIC had problems 
assigning unique identifiers to configuration items for NFE. As a 
result, without adequate tests and evaluations of configuration 
management controls, FDIC has limited assurance that the nature of 
configuration controls are being effectively tested and reported. 

The Remedial Action Plan Was Not Completed in A Timely Manner and Did 
Not Include Necessary and Key Information: 

A remedial action plan is a key component described in FISMA. Such a 
plan assists agencies in identifying, assessing, prioritizing, and 
monitoring progress in correcting security weaknesses that are found in 
information systems. In its annual FISMA guidance to agencies, OMB 
requires that agencies' remedial action plans (also known as plan of 
action and milestones) include the resources necessary to correct an 
identified weakness. According to FDIC policy, the agency should 
document weaknesses found during security assessments. The policy 
further requires that FDIC track the status of resolution of all 
weaknesses and verify that each weakness is corrected. 

The NFE remedial action plan was not completed in a timely manner and 
did not include necessary and key information. FDIC performed a system 
test and evaluation of NFE in November 2007 and developed a plan of 
action and milestones to correct any identified weaknesses. However, 
the plan of action and milestones report did not contain necessary and 
key information such as the contact that will be responsible for the 
corrective action, when the action will be closed, and status of the 
action. For example, the plan of action and milestones document 
included problems with the PeopleSoft security roles and functions; 
however, it did not state how FDIC would address these issues. FDIC 
officials stated that they were in the process of completing the plan 
of action and milestones with the required information but had not 
established a milestone date for doing so. Until the plan contains 
necessary and key information, FDIC's assurance is reduced that the 
proper resources will be applied to known vulnerabilities or that those 
vulnerabilities will be properly mitigated. 

Conclusions: 

FDIC has made significant progress in correcting previously reported 
weaknesses and has taken steps to improve information security. 
Although five weaknesses from prior reports remain unresolved and new 
control weaknesses related to access control and configuration 
management were identified, the remaining unresolved weaknesses 
previously reported and the newly identified weaknesses did not pose 
significant risk of material misstatements in the corporation's 
financial statements for calendar year 2007. However, these weaknesses 
increase preventable risk to the corporation's financial and sensitive 
systems and information and warrant management's immediate attention. 

A key reason for these weaknesses is that FDIC did not always fully 
implement key information security program activities. Continued 
management commitment to mitigating known information security 
weaknesses in access controls and configuration management and fully 
implementing its information security program will be essential to 
ensure that the corporation's financial information will be adequately 
protected from unauthorized disclosure, modification, or destruction, 
and its management decisions may be based on reliable and accurate 
information. 

Recommendations for Executive Action: 

In order to sustain progress to its program, we recommend that the 
Chief Operating Officer direct the CIO to take the following 10 
actions: 

Improve access controls by ensuring that: 

* NFE users do not share login ID and password accounts; 

* AIMS II users do not have full access to application source code, 
unless they have a legitimate business need; and; 

* the database connection is adequately encrypted with passwords that 
comply with FIPS 140-2. 

Improve NFE and AIMS II configuration management by ensuring that: 

* full and complete requirement baselines are developed and 
implemented; 

* configuration items have unique identifiers; 

* configuration changes are properly authorized, documented, and 
reported; 

* physical configuration audits verify and validate that all items are 
under configuration management control, all changes made are approved 
by the configuration control board, and that teams are assigning unique 
identifiers to configuration items; and; 

* functional configuration audits verify and validate that requirements 
have bidirectional traceability and can be traced from various 
documents. 

Improve the security management of NFE and AIMS II by ensuring that 
users: 

* adequately test configuration management controls as part of the 
system test and evaluation process and; 

* develop in a timely manner a detailed plan of action and milestones 
to include who will be responsible for the corrective action, when the 
action will be closed, and status of the action for NFE. 

Agency Comments and Our Evaluation: 

We received written comments on a draft of this report from FDIC's 
Deputy to the Chairman and Chief Financial Officer (which are reprinted 
in app. III). The Deputy stated that FDIC concurred with one 
recommendation and partially concurred with the remaining nine. He 
added that, in general, FDIC found the issues to be more limited than 
presented in the draft report, yet FDIC has taken action or will take 
action to improve configuration management and information security. We 
believe that the issues we presented in the report are accurately 
presented and can increase the risk of unauthorized disclosure, 
modification, or destruction of the corporation's financial information 
and that management decisions may be based on unreliable or inaccurate 
information. 

Regarding the nine recommendations to which FDIC partially concurred, 
the Deputy stated that the corporation has developed or implemented 
plans to adequately address the underlying risks that prompted these 
nine recommendations, and in some instances, pursued alternative 
corrective actions. If the corporation effectively implements the 
alternative corrective actions to reduce risk, it will satisfy the 
intent of the recommendations. In addition, the Deputy provided 
technical comments, which we incorporated into the report as 
appropriate. 

We are sending copies of this report to the Chairman and Ranking Member 
of the Senate Committee on Banking, Housing, and Urban Affairs; the 
Chairman and Ranking Member of the House Committee on Financial 
Services; members of the FDIC Audit Committee; officials in FDIC's 
divisions of information resources management, administration, finance; 
the FDIC inspector general; and other interested parties. We also will 
make copies available to others upon request. In addition, this report 
will be available at no charge on the GAO Web site at [Hyperlink, 
http://www.gao.gov]. 

If you have any questions regarding this report, please contact Gregory 
C. Wilshusen at (202) 512-6244 or Dr. Nabajyoti Barkakati at (202) 512-
4499. We can also be reached by e-mail at [email protected] and 
[email protected]. Contact points for our Offices of Congressional 
Relations and Public Affairs may be found on the last page of this 
report. Key contributors to this report are listed in appendix IV. 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

Signed by: 

Dr. Nabajyoti Barkakati: 
Director, Center for Technology and Engineering: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

The objectives of our review were to assess (1) the progress the 
Federal Deposit Insurance Corporation (FDIC) has made in mitigating 
previously reported information security weaknesses and (2) the 
effectiveness of FDIC's controls in protecting the confidentiality, 
integrity, and availability of its financial systems and information. 
An integral part of our objectives was to support the opinion on 
internal control in GAO's 2007 financial statement audit by assessing 
the controls over systems that support financial management and the 
generation of the FDIC funds' financial statements. 

To determine the status of FDIC's actions to correct or mitigate 
previously reported information security weaknesses, we identified and 
reviewed its information security policies, procedures, and guidance. 
We reviewed prior GAO reports to identify previously reported 
weaknesses and examined FDIC's corrective action plans to determine 
which weaknesses FDIC had reported were corrected. For those instances 
where FDIC reported it had completed corrective actions, we assessed 
the effectiveness of those actions. 

To determine whether controls over key financial systems were 
effective, we tested the effectiveness of information security and 
information technology-based internal controls. We concentrated our 
evaluation primarily on the controls for financial applications, 
enterprise database applications, and network infrastructure associated 
with the New Financial Environment (NFE) release 1.43 and the 
Assessment Information Management System II (AIMS II) release 10.0 
applications.[Footnote 22] 

Our evaluation was based on our Federal Information System Controls 
Audit Manual, which contains guidance for reviewing information system 
controls that affect the confidentiality, integrity, and availability 
of computerized information. 

Using NIST standards and guidance, and FDIC's policies, procedures, 
practices, and standards, we evaluated controls by: 

* observing methods for providing secure data transmissions across the 
network to determine whether sensitive data was being encrypted; 

* testing and observing physical access controls to determine if 
computer facilities and resources were being protected from espionage, 
sabotage, damage, and theft; 

* evaluated the control configurations of selected servers and database 
management systems; 

* inspecting key servers and workstations to determine whether critical 
patches had been installed or were up-to-date; 

* examining access responsibilities to determine whether incompatible 
functions were segregated among different individuals; and; 

* observing end-user activity pertaining to the process of preparing 
FDIC financial statements. 

Using the requirements of the Federal Information Security Management 
Act (FISMA), which establishes key elements for an effective agencywide 
information security program, we evaluated FDIC's implementation of its 
security program by: 

* reviewing FDIC's risk assessment process and risk assessments for two 
key FDIC systems that support the preparation of financial statements 
to determine whether risks and threats were documented consistent with 
federal guidance; 

* analyzing FDIC's policies, procedures, practices, and standards to 
determine their effectiveness in providing guidance to personnel 
responsible for securing information and information systems; 

* analyzing security plans to determine if management, operational, and 
technical controls were in place or planned and that security plans 
were updated; 

* examining training records for personnel with significant security 
responsibilities to determine if they received training commensurate 
with those responsibilities; 

* analyzing configuration management plans and procedures to determine 
if configurations are being managed appropriately; 

* analyzing security testing and evaluation results for two key FDIC 
systems to determine whether management, operational, and technical 
controls were tested at least annually and based on risk; 

* examining remedial action plans to determine whether they addressed 
vulnerabilities identified in the FDIC's security testing and 
evaluations; and; 

* examining contingency plans for two key FDIC systems to determine 
whether those plans had been tested or updated. 

We also discussed with key security representatives and management 
officials, whether information security controls were in place, 
adequately designed, and operating effectively. We conducted this audit 
work from October 2007 to May 2008 in accordance with generally 
accepted government auditing standards. Those standards require that we 
plan and perform the audit to obtain sufficient, appropriate evidence 
to provide a reasonable basis for our findings and conclusions based on 
our audit objectives. We believe that the evidence obtained provides a 
reasonable basis for our findings and conclusions based on our audit 
objectives. 

[End of section] 

Appendix II: Status of Previously Reported Weaknesses: 

This appendix describes the status of the information security 
weaknesses we reported last year. It also includes the status of 
weaknesses from previous reports that were not fully implemented during 
the time of our last review. 

Table 4: Status of Previously Reported Weaknesses: 

Control areas: Access controls: Access rights and permissions: 
1. FDIC did not effectively limit network access to sensitive 
personally identifiable and business proprietary information; 
Year initially reported: 2006; 
Action completed: [Check]; 
Action in progress: [Empty]. 

Control areas: Access controls: Audit and monitoring of security-
related events: 
2. FDIC did not effectively generate NFE audit reports or review them; 
Year initially reported: 2006; 
Action completed: [Empty]; 
Action in progress: [Check]. 

Control areas: Access controls: Cryptography: 
3. FDIC did not use secure e-mail methods to protect the integrity of 
certain accounting data transferred over an internal communication 
network; 
Year initially reported: 2007; 
Action completed: [Check]; 
Action in progress: [Empty]. 

Control areas: Access controls: Physical security: 
4. FDIC did not adequately control physical access to the Virginia 
Square computer processing facility; 
Year initially reported: 2006; 
Action completed: [Check]; 
Action in progress: [Empty]. 

Control areas: Access controls: Physical security: 
5. FDIC did not apply physical security controls for some instances. 
For example, an unauthorized visitor was able to enter a key FDIC 
facility without providing proof of identity, signing a visitor log, 
obtaining a visitor's badge, or being escorted; 
Year initially reported: 2007; 
Action completed: [Check]; 
Action in progress: [Empty]. 

Control areas: Access controls: Physical security: 
6. FDIC did not apply physical security controls for some instances. 
For example, a workstation that had access to a payroll system was 
located in an unsecured office; 
Year initially reported: 2007; 
Action completed: [Check]; 
Action in progress: [Empty]. 

Control areas: Configuration management (formerly application change 
control): 
7. Procedures have not been consistently followed for authorizing, 
documenting, and reviewing all application software changes; 
Year initially reported: 2005; 
Action completed: [Check]; 
Action in progress: [Empty]. 

Control areas: Configuration management (formerly application change 
control): 
8. FDIC did not consistently implement configuration management 
controls for NFE. Specifically, the corporation did not develop and 
maintain a complete listing of all configuration items and a baseline 
configuration for NFE, including application software, data files, 
software development tools, hardware, and documentation; 
Year initially reported: 2007; 
Action completed: [Empty]; 
Action in progress: [Check]. 

Control areas: Configuration management (formerly application change 
control): 
9. FDIC did not ensure that all significant system changes, such as 
parameter changes, go through a change control process; 
Year initially reported: 2007; 
Action completed: [Check]; 
Action in progress: [Empty]. 

Control areas: Configuration management (formerly application change 
control): 
10. FDIC did not apply comprehensive patches to system software in a 
timely manner; 
Year initially reported: 2007; 
Action completed: [Check]; 
Action in progress: [Empty]. 

Control areas: Configuration management (formerly application change 
control): 
11. FDIC did not review status accounting reports, or perform complete 
functional and physical configuration audits; 
Year initially reported: 2007; 
Action completed: [Check]; 
Action in progress: [Empty]. 

Control areas: Configuration management (formerly application change 
control): 
12. FDIC did not update or control documents to reflect the current 
state of the environment and to ensure consistency with related 
documents; 
Year initially reported: 2007; 
Action completed: [Check]; 
Action in progress: [Empty]. 

Control areas: Segregation of duties: 
13. FDIC did not properly segregate incompatible system-related 
functions, duties, and capacities for an individual associated with 
NFE; 
Year initially reported: 2006; 
Action completed: [Empty]; 
Action in progress: [Check]. 

Control areas: Security management (formerly information security 
program): 
14. FDIC has documented various policies for establishing effective 
information security controls; however, the corporation has not 
consistently implemented them; 
Year initially reported: 2006; 
Action completed: [Check]; 
Action in progress: [Empty]. 

Control areas: Configuration management (formerly application change 
control): 
15. FDIC did not integrate the security plans or requirements for 
certain nonmajor applications into the security plan for the general 
support system. Two of FDIC's nonmajor applications, the corporation's 
human resources and time and attendance systems, are not included in 
FDIC general support systems security plans; 
Year initially reported: 2006; 
Action completed: [Check]; 
Action in progress: [Empty]. 

Control areas: Configuration management (formerly application change 
control): 
16. FDIC did not effectively implement or accurately report the status 
of its remedial actions; 
Year initially reported: 2006; 
Action completed: [Empty]; 
Action in progress: [Check]. 

Control areas: Configuration management (formerly application change 
control): 
17. FDIC did not update its business impact analysis to reflect the 
significant changes resulting from the implementation of NFE; 
Year initially reported: 2006; 
Action completed: [Check]; 
Action in progress: [Empty]. 

Control areas: Configuration management (formerly application change 
control): 
18. The risk assessment for FDIC's NFE was not properly updated; 
Year initially reported: 2007; 
Action completed: [Empty]; 
Action in progress: [Check]. 

Control areas: Configuration management (formerly application change 
control): 
19. The corporation did not update the system security plan for NFE; 
Year initially reported: 2007; 
Action completed: [Check]; 
Action in progress: [Empty]. 

Control areas: Configuration management (formerly application change 
control): 
20. The corporation did not always review events occurring in NFE to 
determine whether the events were computer security incidents or not; 
Year initially reported: 2007; 
Action completed: [Check]; 
Action in progress: [Empty]. 

Control areas: Configuration management (formerly application change 
control): 
21. FDIC's NFE contingency plan was not updated to reflect the new 
disaster recovery site. In addition, the plan identified servers that 
were not in use; 
Year initially reported: 2007; 
Action completed: [Check]; 
Action in progress: [Empty]. 

Source: GAO. 

[End of table] 

[End of section] 

Appendix III: Comments from the Federal Deposit Insurance Corporation: 

FDIC: 
Federal Deposit Insurance Corporation: 
Deputy to the Chairman and CFO: 
550 17th Street NW,
Washington, D.C. 20429-9990: 

May 14, 2008: 

Mr. Gregory C. Wilshusen: 
Director, Information Security Issues: 
Dr. Nabajyoti Barkakati: 
Acting Chief Technologist: 
Government Accountability Office: 
Washington, D.C. 20548: 

Re: FDIC Management Response to the GAO 2007 Audit of FDIC's 
Information Security Program: 

Dear Mr. Wilshusen and Dr. Barkakati: 

Thank you for the opportunity to comment on the U.S. Government 
Accountability Office's (GAO) draft audit report titled, Information 
Security: FDIC Sustains Progress but Needs to Improve Configuration 
Management of Key Financial Systems, GAO-08-564. The report presents 
GAO's assessment of the progress the Federal Deposit Insurance 
Corporation (FDIC) has made in correcting or mitigating remaining 
information system control weaknesses reported as unresolved at the 
time of the GAO's prior review in 2006, as well as outlining GAO's 
findings with respect to the effectiveness of the Corporation's 
information system controls for protecting the confidentiality, 
integrity, and availability of its information and information systems 
during 2007. 

We are pleased to accept GAO's acknowledgement of the significant 
progress FDIC has made in correcting previously reported weaknesses and 
improving its information security controls. We are also pleased to 
have GAO acknowledge that, although the weaknesses identified warrant 
FDIC management's attention, they do not pose a significant risk to the 
integrity of the financial statements of either the Deposit Insurance 
Fund (DIF) or the FSLIC Resolution Fund (FRF). Further, we appreciate 
the work of the GAO and recognize the benefit of a number of the 
recommendations made as part of this year's audit. The FDIC has, in 
fact, already completed actions to address some of those 
recommendations and is actively engaged in completing many others. 

The GAO's report contains ten new recommendations to assist FDIC in 
further strengthening its information security program. FDIC has 
reviewed the recommendations along with the accompanying statements of 
condition on which the recommendations are based. In general, FDIC 
found the issues to be more limited than presented in the draft report; 
however, FDIC has taken action or will take action to improve 
configuration management and information security. At this time the 
FDIC concurs with one of the findings and recommendations and partially 
concurs with the remaining nine. In instances where FDIC did not fully 
concur with specific GAO findings and recommendations, FDIC has 
developed or implemented plans to adequately address the underlying 
risks that prompted the recommendations. In some instances, we chose to 
pursue alternative corrective actions. The detailed responses to these 
ten new recommendations arc provided in Attachment 1. Appendix II of 
the GAO's report cites five weaknesses that were identified in the 
previous IT security audit and that GAO concludes remain unresolved. 
Our responses to these five prior year weaknesses are provided in 
Attachment 2. For all but two weaknesses identified in GAO's report, 
corrective action has already been or will be completed by December 31, 
2008. Corrective action for the remaining two, which are generally low 
risk issues, will involve multi-year efforts to ensure a complete 
solution. 

Once again, we thank you for your past contributions and your work on 
this year's audit. We look forward to our dialogue with the GAO as we 
continue to enhance our information security program and to discussing 
mutually beneficial process improvements for the upcoming year. 

If you have any questions relating to the FDIC management response, 
please contact James H. Angel, Jr., Director, Office of Enterprise Risk 
Management, at 703-562-6456. 

Sincerely, 

Signed by: 

Steven O. App: 
Deputy to the Chairman and Chief Financial Officer: 

cc: John Bovenzi: 
Michael Bartell: 
Bret Edwards: 
James H. Angel, Jr. 
Audit Committee: 

[End of section] 

Appendix IV: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

Gregory C. Wilshusen, (202) 512-6244, [email protected]: 

Dr. Nabajyoti Barkakati, (202) 512-4499, [email protected] : 

Staff Acknowledgments: 

In addition to the individuals named above, William F. Wadsworth 
(Assistant Director), Angela M. Bell, Neil J. Doherty, Patrick R. 
Dugan, Mickie E. Gray, David B. Hayes, Tammi L. Nguyen, Eugene E. 
Stevens IV, Amos A. Tevelow, and Jayne L. Wilson made key contributions 
to this report. 

[End of section] 

Footnotes: 

[1] Information system general controls affect the overall 
effectiveness and security of computer operations and are not unique to 
specific computer applications. These controls include security 
management, configuration management, operating procedures, software 
security features, and physical protections designed to ensure that 
access to data is appropriately restricted, that only authorized 
changes to computer programs are made, that incompatible computer-
related duties are segregated, and that backup and recovery plans are 
adequate to ensure the continuity of operations. 

[2] The Bank Insurance Fund and the Savings Association Insurance Fund 
merged to become the Deposit Insurance Fund. 

[3] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 
2007 and 2006 Financial Statements, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-08-416] (Washington, D.C.: Feb. 11, 2008). 

[4] GAO, Information Security: Federal Deposit Insurance Corporation 
Needs to Sustain Progress Improving Its Program, [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-07-351] (Washington, D.C.: May 
18, 2007). 

[5] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-416]. 

[6] A significant deficiency is a control deficiency, or combination of 
deficiencies, that adversely affects the entity's ability to initiate, 
authorize, record, process, or report financial data reliably in 
accordance with generally accepted accounting principles such that 
there is more than a remote likelihood that a misstatement of the 
entity's financial statements that is more than inconsequential will 
not be prevented or detected. 

[7] The CERT Coordination Center is a center of Internet security 
expertise located at the Software Engineering Institute, a federally 
funded research and development center operated by Carnegie Mellon 
University. 

[8] GAO, High-Risk Series: Information Management and Technology, 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/HR-97-9] (Washington, 
D.C.: February 1997) and High-Risk Series: An Update, [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-07-310] (Washington, D.C.: 
January 2007). 

[9] FISMA was enacted as title III, E-Government Act of 2002, Pub L. 
No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). 

[10] Federal Deposit Insurance Corporation Act, June 16, 1933, Ch. 89, 
ï¿½ 8. 

[11] FDIC is considered an independent agency of the federal government 
and receives no congressional appropriations--it is funded by premiums 
that banks and thrift institutions pay for deposit insurance coverage 
and from earnings on investments in U.S. Treasury securities. 

[12] Pub. L. No. 101-73, ï¿½ 211, 103 Stat. 183, 218-22 (Aug. 9, 1989). 

[13] Pub. L. No. 109-171, Title II, Subtitle B, ï¿½ 2102, 120 Stat. 9 
(Feb. 8, 2006). 

[14] The Financing Corporation, established by the Competitive Equality 
Banking Act of 1987, is a mixed-ownership government corporation whose 
primary purpose was to function as a financing vehicle for the Federal 
Savings & Loan Insurance Corporation. Effective December 12, 1991, as 
provided by the Resolution Trust Corporation Refinancing, Restructuring 
and Improvement Act of 1991, the Financing Corporation's ability to 
issue new debt was terminated. Outstanding Financing Corporation bonds, 
which are 30-year non-callable bonds with a principal amount of 
approximately $8.1 billion, mature in 2017 through 2019. 

[15] AIMS II has several purposes; the main purpose is the calculation 
of FDIC insured institutions' insurance assessments and Financing 
Corporation payments on a quarterly basis. In addition, AIMS II has the 
functionality to gather the deposit and other data needed to calculate 
the assessments and Financing Corporation payments; allow FDIC 
Assessment Operation Section and Assessment Management Section staff to 
make necessary adjustments/amendments to financial institution 
demographic and financial data; produce invoices; produce Automated 
Clearing House files; create assessment entries to post to the NFE- 
General Ledger; monitor financial institution changes (e.g., new 
institutions, terminated institutions, mergers, branch sales) and 
produce management reports. 

[16] As a key element of agencies' implementation of FISMA 
requirements, OMB has continued to emphasize its long-standing policy 
of requiring a management official to formally authorize (or accredit) 
an information system to process information and accept the risk 
associated with its operation based on a formal evaluation (or 
certification) of the system's security controls. For annual reporting, 
OMB requires agencies to report the number of systems, including impact 
levels, authorized for processing after completing certification and 
accreditation. 

[17] The current GAO draft Federal Information System Controls Audit 
Manual version 2, the original version Volume I was published in 1999. 

[18] Software Engineering Institute's CMMI for Development v1.2, August 
2006. 

[19] RequisitePro is a tool that allows organizations to capture, 
track, manage and analyze different types of requirements. 

[20] Typical work products associated with this activity include a 
requirements traceability matrix. 

[21] OMB requires agencies to address remedial actions through plan of 
action and milestones for all programs and systems where an information 
technology security weakness has been found. The plan lists the 
weaknesses and shows estimated resource needs, agency head responsible, 
key milestones and completion dates, and the status of corrective 
actions. 

[22] AIMS II release 10.0 involved the implementation of requirements 
associated with the implementation of the deposit insurance reform 
legislation in the Deficit Reduction Act of 2005, Pub. L. No. 109-171, 
enacted February 8, 2006. Among the new requirements based on the 
legislation was the introduction of credits and dividends. FDIC was 
required to issue credits to some insured financial institutions, based 
on their status and contributions to the insurance fund as of specific 
dates. Such credits were based on the assessment base of the eligible 
institution as of December 31, 1996. Dividends were then to be paid to 
qualifying institutions based on limits for the Deposit Insurance Fund. 
A requirement of the Federal Deposit Insurance Reform Act of was to 
merge the Bank Insurance Fund and Savings Association Insurance Fund 
into one fund, the Deposit Insurance Fund. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548: 

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: [email protected]: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, [email protected]: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, [email protected]: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: 

*** End of document. ***