GAO: FDIC Makes Improvements on Security Controls
Auditors Don't Find Any Material Weakness or Significant Deficiency
In an audit published Monday, the Government Accountability Office said the FDIC took corrective actions that effectively resolved a significant deficiency in internal controls related to security in its financial systems, which GAO reported a year ago. Still, GAO said, it identified areas in which FDIC's internal controls could be further improved and will share recommendations with the agency's managers on how to improve them.
In making improvements, GAO said the FDIC corrected weaknesses in:
- Controls over access to computer systems and a business application that had not effectively limited individuals' access to only those functions and data necessary to perform their assigned duties. As an example, GAO said FDIC strengthened network configurations so that users are now prevented from obtaining unauthorized access to network controls and control information. In addition, GAO said, FDIC addressed weaknesses that had resulted in granting users inappropriate and excessive access privileges to a business application supporting resolution and receivership activities.
- Enforcing revised policies and procedures governing the assignment, use, authentication and monitoring of mainframe user IDs intended to support technical assistance to business processes. FDIC also greatly reduced the incidence of the use of access privileges that provide a limited number of system administrators full access to all data and programs on the mainframe.
- Configuration of certain key systems, significantly reducing the potential for the misuse of powerful mainframe programs.
- Interfaces of two applications that increased the risk of errors in data as it is transferred from one system to another.
GAO also said the FDIC resolved deficiencies in controls designed to prevent users from having inappropriate or incompatible access to multiple applications.
"As a result of the improvements," Steven Sebastian, GAO director of financial management and assurance, wrote in the audit, "the remaining unresolved prior year issues and new issues identified in our 2010 audit do not individually or collectively constitute a material weakness or significant deficiency."
But to sustain progress, Sebastian said, FDIC must continue to place a high level of emphasis on eliminating weaknesses in IT security controls, especially with respect to continuous and periodic monitoring activities.
Some of the results published in the new audit follow up on findings in a report GAO issued in November (see FDIC's IT Systems at Elevated Risk).