Oversight

FDIC still weak on IT security, GAO says

Shutterstock image (by Pavel Ignatov): Alert icon.

The Federal Deposit Insurance Corp.'s IT security controls are insufficient to the point of placing "the confidentiality, integrity, and availability of financial systems and information at risk," the Government Accountability Office said in a new report.

FDIC, whose charge is maintaining public confidence in financial institutions, lacked an effective process for verifying user access to FDIC systems, the report said. The agency also failed to apply "critical" patches to third-party software vulnerabilities on financial-processing systems, the watchdog found.

GAO noted some progress in the agency's security regime. FDIC had, for example, improved controls for authenticating users and authorizing their access.

Nonetheless, some aspects of the agency's IT security program were not fully implemented, according to GAO. For example, the agency still lacked "a policy for monitoring critical file changes" to a server, the report said, recommending that the FDIC CIO implement such a policy.

Additionally, the report found that sensitive data including user identifications and passwords "continue to be transmitted over the network in clear text," because encryption hasn't been implemented for all FDIC mainframe connections.

FDIC "will have limited assurance that its sensitive financial information and resources will be secure" until longstanding and newfound vulnerabilities are addressed, the watchdog concluded.

The GAO report comes amid a congressional investigation of several breaches, which involved the inadvertent downloading of data by ex-FDIC employees, that the agency has retroactively deemed "major" incidents.

About the Author

Sean Lyngaas is a former FCW staff writer.

Featured

  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected