Audit: Information security improvements needed at FDIC
- By Jill R. Aitoro
- June 2, 2008
FDIC was created in 1933 in response to the bank runs and failures of the 1920s and early 1930s. The independent agency enforces banking laws, regulates financial institutions and protects depositors. GAO conducts annual audits on financial statements, which include information security processes. Results of the 2007 audit were released on May 30.
"All in all, FDIC has made significant progress in correcting previous weaknesses identified," said Gregory Wilshusen, director of information security issues at GAO, citing physical security controls, information security training, and security and contingency plans for a key financial system. "The one area where we found issues was configuration management practices and policies -- the set of controls that helps assure that no unauthorized changes are made to software. We found that FDIC did not maintain a complete and full baseline for system requirements, and then control them to make sure they're adequately designed and implemented into the systems."
According to the report, FDIC did not always implement adequate access controls, resulting in multiple users sharing the same login ID and password, unrestricted access to application source code, and passwords that were not adequately encrypted. The weaknesses did not affect the accuracy of financial statements -- which passed the audit review -- but did "increase preventable risk to the corporation's financial systems and information."
FDIC is working to mitigate the issues, but officials said the report overstated security weaknesses. Top technology officials at the agency said most of the concerns noted in the report relate to documentation.
"The requirements for financial systems in government are set in stone -- it's not as if we're writing requirements for a brand new system or function," said Ned Goldberg, associate director of the IT division at FDIC. "It's like putting socks on in the morning. We didn't leave a back door open or leave a sign telling thieves to come in … None of this in any way would impact anything the public would need to worry about."
"Some statements in the report are stronger than they need to be," said Russell Pittman, deputy chief information officer and deputy director of the IT division at FDIC. "These are documentation and minor technical issues that we need to deal with -- and the agency is dealing with them."
