Report: FDIC Lax on Data Security
A report by the General Accounting Office says many of the information security weaknesses of the Federal Deposit Insurance Corp. (FDIC) result from its lack of a fully established security management program.
While the FDIC has made significant progress since the GAO last audited its information systems in 2001 and 2002, the investigative group found that sensitive financial data is still at risk of unauthorized disclosure, which could lead to disruption of operations and loss of assets.
Good controls established by an effective security management program are essential to ensuring that financial information is protected from misuse, the GAO says. As it operates now, however, the FDIC is unable to ensure that such problems do not occur.
GAO recommends that the FDIC continue with its establishment of a program to test and evaluate its computer control environment. It says the FDIC’s current program does not include provisions to ensure that all computer resources are routinely reviewed and tested; that detected weaknesses are analyzed for systematic solutions; that corrective actions are then independently tested; and that newly identified weaknesses or security threats are incorporated into the testing and evaluation process.
One of the main weaknesses cited by the report is the lack of proper access controls on restricted information. The GAO identified several instances in which access to sensitive information had not been properly restricted. Many users had unnecessary access to production systems, including bank and financial information. Additionally, a large number of users held a powerful user ID and password that allowed them to transfer data unfettered among FDIC computer systems.
The GAO studied 2003 audits of the FDIC’s Bank Insurance Fund, Savings Association Fund and Federal Savings and Loan Insurance Corp. Resolution Fund.
In its response to the report, FDIC chief financial officer Steven App wrote: “The FDIC agrees with the results represented and recognizes the need to further enhance its existing programs.” He vowed that the agency would correct the 22 information systems control weaknesses identified in the report.
Created in 1933 by President Roosevelt, the FDIC protects bank and thrift depositors from loss caused by bank closures, insuring most deposits up to $100,000. It insures deposits in excess of $3.3 trillion in about 9,200 institutions.