FDIC Needs to Better Protect Its Data: GAO

WASHINGTON — The Federal Deposit Insurance Corp. has improved its information security processes, but more changes need to be made, the Government Accountability Office said in a report published Wednesday.

Though the FDIC has "made improvements in developing and documenting many elements of its corporate information security program," the report said, "security controls were not always consistently implemented."

In its findings, the GAO recommended that the FDIC modify its access-control procedures to block off departing employees "in a timely manner." The agency should also create a policy to monitor "changes to critical files," the GAO found.

In a statement published in the report, FDIC Chief Financial Officer Steven App said the agency would implement "corrective actions" in response to those recommendations. App said one of the actions is expected to be implemented in 2016, while the other one will "involve a multiyear effort."

The agency has improved identification and policy controls for access to sensitive financial information, the watchdog agency found. It also implemented stricter procedures in 2015 to ensure that departing employees no longer had access to the FDIC's system.

In recent months, the agency has been sharply criticized by a House committee investigation over several incidents involving former employees taking off with sensitive data.

But the GAO also said that the FDIC had not made several recommended cybersecurity control enhancements, including implementing an "effective process" to periodically review employees' access rights.
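Two of the findings above, timely removal of departing employees' access and a periodic review of access rights, come down to reconciling the HR roster against the accounts that are actually enabled. The following is an added example, not code from the GAO report or the FDIC, of what such a review check looks like; the one-day deprovisioning grace period, the 90-day recertification window and all roster and account records are constructed assumptions, not figures from the report.

```python
"""
Added example (not from the GAO report or the FDIC): a periodic access-rights
review that flags accounts left enabled after an employee's separation date,
accounts whose rights have not been recertified within the review window, and
accounts with no matching HR record. All records below are constructed samples.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class Employee:
    user_id: str
    separation_date: Optional[date]   # None while still employed

@dataclass
class Account:
    user_id: str
    enabled: bool
    last_recertified: date            # when a manager last confirmed the access rights
    entitlements: frozenset           # groups/roles currently granted

DEPROVISION_GRACE = timedelta(days=1)   # assumed policy: disable within one day of separation
RECERT_PERIOD = timedelta(days=90)      # assumed policy: recertify rights every quarter

def review_access(employees: List[Employee], accounts: List[Account], as_of: date) -> List[Tuple[str, str]]:
    """Return (user_id, finding) pairs for the review date `as_of`; accounts with no issue are omitted."""
    roster = {e.user_id: e for e in employees}
    findings = []
    for acct in accounts:
        emp = roster.get(acct.user_id)
        if emp is None:
            # No HR record: nobody is accountable for this access, so an enabled account is a finding
            if acct.enabled:
                findings.append((acct.user_id, "orphaned account still enabled"))
            continue
        if emp.separation_date is not None:
            deadline = emp.separation_date + DEPROVISION_GRACE
            if acct.enabled and as_of > deadline:
                days_late = (as_of - deadline).days
                findings.append((acct.user_id, f"enabled {days_late} day(s) after deprovisioning deadline"))
            continue   # a departed user inside the grace window is not yet a finding
        if as_of - acct.last_recertified > RECERT_PERIOD:
            findings.append((acct.user_id, "access rights not recertified within review period"))
    return findings

def sample_findings() -> List[Tuple[str, str]]:
    """Constructed scenario reviewed as of 2016-03-01 (a leap year, so February has 29 days)."""
    as_of = date(2016, 3, 1)
    employees = [
        Employee("alice", None),
        Employee("bob", date(2016, 1, 15)),    # left in January, account never disabled
        Employee("carol", date(2016, 2, 29)),  # left yesterday, still inside the grace window
        Employee("dave", None),
    ]
    accounts = [
        Account("alice", True, date(2016, 2, 1), frozenset({"finance-read"})),
        Account("bob", True, date(2015, 12, 1), frozenset({"finance-read", "finance-write"})),
        Account("carol", True, date(2016, 1, 10), frozenset({"hr"})),
        Account("dave", True, date(2015, 10, 1), frozenset({"admin"})),   # last recertified 152 days ago
        Account("ghost", True, date(2015, 6, 1), frozenset({"admin"})),   # no HR record at all
    ]
    return review_access(employees, accounts, as_of)

if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```

Running the sample flags `bob` (enabled 45 days past the deadline), `dave` (not recertified in the last quarter) and `ghost` (an orphaned account), while `carol`, separated the day before the review, is still within the grace window and is not reported. In practice the roster and account lists would come from the HR system and the directory rather than being constructed inline.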

"While these weaknesses did not materially impact FDIC's financial statements, they nevertheless increase the risk that individuals may have greater access to financial data or to assets supporting financial processing than they need to fulfill their responsibilities," the report said.

Other weaknesses identified by GAO included the FDIC's failure to "always effectively monitor server security logs and changes to a server's critical files." The agency also did not establish baselines and implement security patches in a timely manner, GAO found.
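Monitoring "changes to a server's critical files" and "establishing baselines" are the same control seen from two ends: record a hash of each critical file once, then compare the current hashes against that record on a schedule. The block below is an added example, not code from the report or the FDIC, of that baseline-and-compare step; the file names and contents are a constructed sample written to a temporary directory, not files from any FDIC system.

```python
"""
Added example (not from the GAO report or the FDIC): build a SHA-256 baseline of
a set of critical files, then compare the current state against it and report
which files were modified, removed or newly added. The watched files here are a
constructed sample created in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional

def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, names: Iterable[str]) -> Dict[str, Optional[str]]:
    """Record the hash of each watched file under root; a file that does not exist is recorded as None."""
    return {n: (hash_file(root / n) if (root / n).exists() else None) for n in names}

def compare_to_baseline(root: Path, baseline: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Re-hash the watched files and classify every difference from the baseline."""
    current = build_baseline(root, baseline.keys())
    findings = {"modified": [], "removed": [], "added": []}
    for name, old in baseline.items():
        new = current[name]
        if old == new:
            continue
        if old is None:
            findings["added"].append(name)      # file appeared where the baseline had none
        elif new is None:
            findings["removed"].append(name)    # file present at baseline is now gone
        else:
            findings["modified"].append(name)   # contents differ from the baseline
    return findings

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three files, then alter one, delete one and create one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        sample = {
            "sshd_config": b"PermitRootLogin no\n",
            "passwd": b"root:x:0:0::/root:/bin/sh\n",
            "rc.local": b"#!/bin/sh\nexit 0\n",
        }
        for name, content in sample.items():
            (root / name).write_bytes(content)
        watch = ["sshd_config", "passwd", "rc.local", "crontab"]   # crontab absent at baseline time
        baseline = build_baseline(root, watch)

        # Simulated drift after the baseline was taken
        (root / "sshd_config").write_bytes(b"PermitRootLogin yes\n")          # setting weakened
        (root / "rc.local").unlink()                                          # startup script removed
        (root / "crontab").write_bytes(b"0 3 * * * /usr/bin/backup\n")        # new scheduled job
        return compare_to_baseline(root, baseline)

if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The baseline dictionary is what has to be stored out of reach of the monitored host (or at least write-protected) for the comparison to mean anything; a baseline that an administrator of the server can silently rewrite does not detect changes made by that same administrator, which is the scenario the report's concern about former employees points at.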

The FDIC also failed to encrypt all its data. User IDs and passwords "continue to be transmitted over the network in clear text, exposing them to potential compromise," the GAO said. The FDIC has previously said it plans to encrypt all data accessed by its employees through removable media devices such as external hard drives.

"We are pleased to have GAO acknowledge that, although the weaknesses identified warrant the FDIC management's attention, they do not individually or collectively amount to either a material weakness or a significant deficiency for financial reporting purposes," App said.

MORE FROM AMERICAN BANKER