[ISN] GAO Identifies Weakness in FDIC InfoSec

http://www.bankinfosecurity.com/gao-identifies-weakness-in-fdic-infosec-a-7085

By Eric Chabrow
Bank Info Security
July 22, 2014

Two separate audits by the Government Accountability Office show information security weaknesses at the Federal Deposit Insurance Corp. and significant deficiencies in information system controls at the Treasury Department unit that manages the federal debt.

The FDIC, the government-owned corporation that insures bank deposits, failed to fully implement controls to authenticate its system users’ identities, restrict access to sensitive systems and data, encrypt sensitive data, complete background re-investigations for employees and audit and monitor system access, according to the report issued late last week.

GAO says the shortcomings do not constitute a material weakness or significant deficiency for financial reporting purposes. “Nevertheless,” auditors say, “unless FDIC takes further steps to mitigate these weaknesses, the corporation’s sensitive financial information and resources will remain exposed to unnecessary risk of inadvertent or deliberate misuse, improper modification, unauthorized disclosure or destruction.”

The report says an underlying reason for many of these weaknesses is that FDIC failed to fully or consistently implement aspects of its information security program. Specifically, the GAO says, FDIC did not fully document and implement information security controls, ensure that employees and contractors received security awareness training, conduct continuing assessments of security controls for all systems and remediate agency identified weaknesses in a timely manner.

[…]