Federal Manager's Daily Report

The Federal Deposit Insurance Corporation, which relies on an extensive array of computer systems to enforce banking laws, regulate financial institutions and protect depositors, has corrected or mitigated 18 out of 24 information security weaknesses, but it has failed to consistently implement security controls, the Government Accountability Office has said.

It said that while the agency is developing and implementing procedures to comply with computer file naming convention standards, as well as automated procedures for limiting access to sensitive information, the FDIC has at least 20 new information security weaknesses to contend with.

Most of the recently identified weaknesses relate to access controls over user accounts and passwords, access rights and permissions, network services, configuration assurance, audit and monitoring of security-related events, and physical security, according to GAO-06-620.

It said additional weaknesses exist in controls relating to segregation of duties and application change controls, and it attributed the vulnerabilities to an information security program that is only partly implemented.

FDIC has not consistently implemented its security-related policies, addressed security plans for certain applications, provided specialized training to individuals with significant security responsibilities, implemented remedial action plans for resolving known weaknesses, and updated or tested continuity plans in light of its implementation of the new financial environment, GAO said.