Oversight

FDIC still weak on IT security, GAO says

Shutterstock image (by Pavel Ignatov): Alert icon.

The Federal Deposit Insurance Corp.'s IT security controls are insufficient to the point of placing "the confidentiality, integrity, and availability of financial systems and information at risk," the Government Accountability Office said in a new report.

FDIC, whose charge is maintaining public confidence in financial institutions, lacked an effective process for verifying user access to FDIC systems, the report said. The agency also failed to apply "critical" patches to third-party software vulnerabilities on financial-processing systems, the watchdog found.

GAO noted some progress in the agency's security regime. FDIC had, for example, improved controls for authenticating users and authorizing their access.

Nonetheless, some aspects of the agency's IT security program were not fully implemented, according to GAO. For example, the agency still lacked "a policy for monitoring critical file changes" to a server, the report said, recommending that the FDIC CIO implement such a policy.

Additionally, the report found that sensitive data including user identifications and passwords "continue to be transmitted over the network in clear text," because encryption hasn't been implemented for all FDIC mainframe connections.

FDIC "will have limited assurance that its sensitive financial information and resources will be secure" until longstanding and newfound vulnerabilities are addressed, the watchdog concluded.

The GAO report comes amid a congressional investigation of several breaches, which involved the inadvertent downloading of data by ex-FDIC employees, that the agency has retroactively deemed "major" incidents.

About the Author

Sean Lyngaas is a former FCW staff writer.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.