On October 26, 2017, the Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) issued the Audit of the FDIC’s Information Security Program—2017. The OIG contracted with Cotton & Company LLP to conduct this audit, which evaluated the effectiveness of the FDIC’s information security program and practices, as required by the Federal Information Security Modernization Act (FISMA) of 2014.
We found that the FDIC had established a number of information security program controls and practices that were generally consistent with applicable Federal requirements, policies, standards, and guidelines. The FDIC had also taken steps to strengthen its information security program controls following the 2016 FISMA audit and was working to further strengthen controls in a number of areas at the close of this year’s audit. However, we found security control weaknesses that limited the effectiveness of the FDIC’s information security program and practices, and placed the confidentiality, integrity, and availability of the FDIC’s information systems and data at risk.
The report contains a total of 19 findings: 14 were identified during the current year FISMA audit and the remaining 5 were identified in prior reports. The most significant findings include the following:
Contingency Planning. The FDIC’s IT restoration capabilities are limited, and the agency has not taken timely action to address known limitations in its ability to maintain or restore critical IT systems and applications during a disaster. As a result, the FDIC cannot be sure that it can maintain or restore its mission essential functions during an emergency within applicable timeframes. At the close of our audit, the FDIC had developed a plan to address these contingency planning issues. The FDIC should also implement appropriate governance over its efforts to strengthen the resiliency and availability of its IT systems and applications.
Information Security Risk Management. The FDIC established the Information Security Risk Advisory Council (the Council) in 2015. However, the Council did not fulfill several of its key responsibilities as defined in FDIC policy. Notably, the Council did not develop information security risk management standards and guidelines, a security risk tolerance level, or a Corporate risk profile.
Enterprise Security Architecture. The FDIC had not established an enterprise security architecture that (i) described the FDIC’s current and desired state of security and (ii) defined a plan for transitioning between the two. The lack of an enterprise security architecture increased the risk that the FDIC’s information systems would be developed with inconsistent security controls that are costly to maintain.
Technology Obsolescence. The FDIC was using certain software in its server operating environment that had reached the end of its useful life and for which the vendor was no longer providing support to the FDIC. Because unsupported software components no longer receive vendor fixes, newly discovered weaknesses in them remain unaddressed and can be exploited by adversaries. This placed portions of the FDIC’s IT infrastructure at increased risk of malicious attacks and exploits.
Other areas warranting attention include assessments of outsourced information service providers, finalization of the FDIC’s information security strategic plan, patch management, credential scanning, and the logging of data to the FDIC’s security information and event management (SIEM) tool.
We made 18 recommendations to improve the effectiveness of the FDIC’s information security program controls and practices. FDIC management concurred with all recommendations.
The report contains sensitive information and is not available to the public in its entirety.