GAO recommended requiring that email containing or transmitting accounting data be secured to protect the integrity of the accounting data.
FDIC said that by August it would ensure that such email is appropriately protected, and that it would evaluate the various exchanges of accounting information and identify and document where more secure communications are needed.
The report also called on the agency to train security personnel to implement the corporation’s policy on physical security of the facility, as well as instruct personnel to lock rooms containing sensitive software.
In response to a recommendation to require significant changes to the system, such as parameter changes, to go through a formal change management process, the agency said it would have them by the end of the year.
Regarding a recommendation to develop procedures to review events occurring in the NFE to determine whether they are computer security incidents, the agency stated that it addressed this issue during the first quarter of 2007 when it established a formal process for monitoring and reviewing these events.
FDIC said it also plans to have, by August, documented procedures for elevating potential security violations to the incident handling team and for monitoring unusual events.