GAO: FDIC cybersecurity lacking

The confidentiality and integrity of the Federal Deposit Insurance Corporation's information systems are vulnerable, says a Government Accountability Office report (.pdf) published Aug. 12. Weak passwords, poor user-access policies, inconsistent encryption and unsatisfactory patch implementation threaten FDIC's financial systems and databases, finds the GAO.

"Control weaknesses continue to unnecessarily put FDIC's systems at an increased risk from internal and external threats," write report authors.

While security risks persist at FDIC, the situation is an improvement when compared to past cybersecurity problems at the agency. FDIC remediated 26 of the 33 control weaknesses GAO identified in a similar 2009 audit; however, "the corporation did not always fully implement key information security program activities, such as effectively developing and implementing security policies," note report authors.

GAO recommends FDIC develop, document and implement information security fixes for its loss-share loss estimation process. GAO also makes 38 new cybersecurity recommendations to address 37 findings from the audit, which are outlined "in a separate report with limited distribution," write report authors. "These recommendations consist of actions to implement and correct specific information security weaknesses related to access controls, segregation of duties, configuration management and contingency planning identified during this audit."

In a written response to the report, Steven O. App, deputy to the chairman and chief financial officer of FDIC, agreed with GAO's recommendations and said it "takes seriously the GAO's concerns regarding loss share related controls."

For more:
- see the report GAO-11-708 (.pdf)

Related Articles:
Continuous monitoring at State Dept. has weaknesses, says GAO 
VA lacked contractor cybersecurity oversight 
HHS auditors find cybersecurity holes at hospitals