FDIC still weak on IT security, GAO says
- By Sean Lyngaas
- Jun 30, 2016
The Federal Deposit Insurance Corp.'s IT security controls are insufficient to the point of placing "the confidentiality, integrity, and availability of financial systems and information at risk," the Government Accountability Office said in a new report.
FDIC, whose charge is maintaining public confidence in financial institutions, lacked an effective process for verifying user access to FDIC systems, the report said. The agency also failed to apply "critical" patches to third-party software vulnerabilities on financial-processing systems, the watchdog found.
GAO noted some progress in the agency's security regime. FDIC had, for example, improved controls for authenticating users and authorizing their access.
Nonetheless, some aspects of the agency's IT security program were not fully implemented, according to GAO. For example, the agency still lacked "a policy for monitoring critical file changes" to a server, the report said, recommending that the FDIC CIO implement such a policy.
Additionally, the report found that sensitive data including user identifications and passwords "continue to be transmitted over the network in clear text," because encryption hasn't been implemented for all FDIC mainframe connections.
FDIC "will have limited assurance that its sensitive financial information and resources will be secure" until longstanding and newfound vulnerabilities are addressed, the watchdog concluded.
The GAO report comes amid a congressional investigation of several breaches, which involved the inadvertent downloading of data by ex-FDIC employees, that the agency has retroactively deemed "major" incidents.
Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.
Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.
Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.