What GAO Found

The Federal Deposit Insurance Corporation (FDIC) has implemented numerous information security controls intended to protect its key financial systems; however, weaknesses remain that place the confidentiality, integrity, and availability of financial systems and information at risk. During calendar year 2015, the corporation continued to devote attention to securing its financial information and systems that support its mission. Key among its actions were improving controls for identifying and authenticating the identity of users and improving controls for authorizing users' access. However, FDIC continues to have unremediated weaknesses. For example, the corporation (1) did not have an effective process for recertifying user access rights to several systems supporting the corporation's financial processing and (2) had not yet applied critical patches to mitigate known vulnerabilities in third party software on systems supporting financial processing.

Although the corporation had a comprehensive framework for its information security program, some aspects were not fully implemented. For example, the corporation did not (1) fully document and implement procedures for performing system access requests, assignments, and removal and (2) have a policy for monitoring critical file changes. In addition, FDIC had yet to fully address 9 previously-reported weaknesses that were unresolved as of December 31, 2014, as indicated in the following table.

Status of GAO Information Security Recommendations to FDIC as of December 2015

Source: GAO analysis of FDIC data. | GAO-16-605

While newly-identified weaknesses, along with those previously identified that remain uncorrected, are not individually or collectively a material weakness or a significant deficiency for financial reporting purposes, the corporation will have limited assurance that its sensitive financial information and resources will be secure until these weaknesses have been mitigated.

Why GAO Did This Study

FDIC has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. Because of FDIC's reliance on information systems, effective information security controls are essential to ensure that the corporation's systems and information are adequately protected from inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction.

As part of its audit of the 2015 financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation Resolution Fund administered by FDIC, GAO assessed the effectiveness of the corporation's controls in protecting the confidentiality, integrity, and availability of its financial systems and information. To do so, GAO examined security policies, procedures, reports, and other documents; tested controls over key financial applications; and interviewed FDIC personnel.

What GAO Recommends

In addition to the 9 prior recommendations that have not been fully addressed, GAO is making 2 recommendations to improve FDIC's implementation of its information security program. In a separate report with limited distribution, GAO is making 10 new recommendations to FDIC to address newly-identified weaknesses in access controls. FDIC concurred with GAO's recommendations.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or Dr. Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.