FDIC cybersecurity contains weaknesses, says GAO
Cybersecurity at the federal agency that protects Americans' bank deposits has weaknesses that add up to a significant deficiency, says the Government Accountability Office.
In a report dated Nov. 30, GAO reviews controls it found while examining the Federal Deposit Insurance Corporation's calendar year 2009 financial statements. Among the problems it found were a failure to apply least privilege when granting users access to files and directories, and inadequate encryption of sensitive information transmitted over its network.
The report also calls on FDIC to partition its data network from its voice network. "Placing both systems on the same network means both are not susceptible to the same attacks and the same attackers," the report states.
The GAO faults the FDIC for inconsistent user identification and authentication controls, and for inadequate auditing and monitoring. For example, FDIC monitoring didn't detect the existence of default installation user accounts on three of its UNIX servers.
A reason for the weaknesses is that FDIC hasn't fully completed key information security program activities, the GAO says. Its continuous monitoring program wasn't always sufficient, the report adds. Specifically, it didn't have the ability to detect changes to mainframe programs, monitor for inappropriate and excessive access privileges to an important application supporting resolution and receivership activities, or test and verify that all system interfaces were properly configured before putting them into production.
The GAO does credit the agency with mitigating all 10 weaknesses identified in a 2007 audit.
For more:
- download the report, GAO-11-29 (.pdf)