GAO to FDIC: Improve Data Security
The U.S. Government Accountability Office took the FDIC to task Friday for failing to improve the security of sensitive data on its computer systems.
“The FDIC has implemented numerous information security controls intended to protect its key financial systems; nevertheless, weaknesses place the confidentiality, integrity, and availability of financial systems and information at unnecessary risk,” the government watchdog found.
The GAO praised the bank regulator for having adopted 28 of 39 previously recommended steps to improve its data security systems, but reiterated that the remaining 11 left the agency vulnerable to hacking and data theft.
Specifically, the GAO found the FDIC had not taken adequate steps to identify and authenticate users, restrict access to sensitive systems and data, encrypt sensitive data, complete background reinvestigations for employees, and audit and monitor system access.
The GAO recommended the FDIC take four steps to help limit these risks, including documenting security control descriptions for all systems thoroughly enough that all required information is included, and documenting and maintaining a description of each common control in an appropriate document, such as a system security plan.
The GAO also said the FDIC should ensure that users with administrative-level access have completed the requisite "Rules of Behavior" training when they receive that access and annually thereafter, and that control assessments for FFIEC CDR and DCOM are performed at the established frequency.
In a letter included in the report, the FDIC said it would take those recommended steps before the end of 2014.
NCUA Public Affairs Specialist John Fairbanks said the GAO has never audited NCUA for data security.