GAO: FDIC needs better information security

The watchdog agency says the Federal Deposit Insurance Corp. has not fully implemented its information security program.

Information Security: The Federal Deposit Insurance Corporation Needs to Improve Its Program

The Government Accountability Office has released a new report that criticizes the Federal Deposit Insurance Corp.'s (FDIC) efforts to implement information security controls.

The FDIC has made progress since an audit released in March found 24 weaknesses. So far the agency has corrected 18 of them, the new report states. The audit found that after the FDIC changed its financial systems in 2005, it “did not ensure that adequate controls were in place to accommodate its new systems environment.”

In the new report, GAO states that despite the progress, information security controls are still missing to protect the “confidentiality, integrity and availability of its financial and sensitive information and information systems.” Consequently, the agency has identified an additional 20 weaknesses in the FDIC's financial system.

GAO blames this on the FDIC's information security program, which the report says is not fully implemented. GAO says the FDIC has not consistently enforced its security-related policies, addressed security plans for specific applications, provided training to individuals with major security responsibilities, implemented plans to solve known weaknesses, or updated or tested continuity plans after changing the financial system in 2005.

Without changes, sensitive financial information is at “increased risk of unauthorized access, modification and/or disclosure, possibly without detection,” the report states.