On September 18, 2017, the Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) issued a report entitled Controls over Separating Personnel’s Access to Sensitive Information.
By way of background, the FDIC experienced a number of data breaches in late 2015 and early 2016 that involved employees who were exiting the Corporation. Between February and May 2016, the FDIC notified the Congress of seven major incidents in which departing employees inappropriately took significant quantities of sensitive information. The information taken was associated with financial institutions and their customers, creating the risk of unauthorized disclosure. In response, the Chairman of the Senate Committee on Banking, Housing, and Urban Affairs requested that the FDIC Office of Inspector General examine issues related to the FDIC’s policies governing departing employees’ access to sensitive financial information. We reviewed procedures for separating FDIC employees and FDIC contractor employees (contractors).
We reported that the FDIC has established pre-exit clearance procedures for personnel who are separating from the FDIC. These procedures are intended to protect FDIC-owned property and interests. The FDIC has also taken steps to detect or prevent separating personnel from removing sensitive information from the Corporation, including the use of a data loss prevention tool, placing limits on the use of removable media, and the use of Personal Identity Verification cards to access facilities and information systems.
While the FDIC has established and implemented various control activities for the employee pre-exit clearance process, we found the following:
- Weaknesses existed in the design of certain controls: The FDIC did not review certain pre-exit clearance records until after employees had separated; often did not use the data loss prevention tool to examine employee network activity until after employee separation; and relied heavily on employee assertions about their handling of sensitive information, using some forms that did not warn against making false statements.
- Divisions were not always following procedures: In the sample we reviewed, division and office records liaisons did not review data questionnaires before employees separated in 20 of 49 cases (41 percent).
- The FDIC should strengthen the pre-exit clearance process: No single FDIC official was responsible for the overall program; division and office representatives needed to assume a more active role in managing the process; and the FDIC did not require divisions and offices to assess risks to sensitive information when they became aware of individuals separating from the FDIC.
We further concluded that separating contractors may present greater risks than separating FDIC employees. We found several differences between the pre-exit clearance process for FDIC employees and contractors that increase risks to sensitive information when contractors separate. We also found that the FDIC was not consistently following its pre-exit clearance procedures for separating contractors. Specifically, oversight managers signed clearance records prior to contractor separation only 29 percent of the time, and records liaisons signed contractor data questionnaires prior to contractor separation only 6 percent of the time.
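The findings above (clearance records and data questionnaires reviewed only after separation, and a wide gap between employee and contractor compliance) amount to a timeliness test over offboarding records: was each control completed on or before the separation date? The script below, added here as an illustration and not part of the OIG report or any FDIC system, runs that test over a set of constructed separation records. The control names, record layout and sample dates are assumptions for the example; they are not FDIC form identifiers or report data.

```python
"""Timeliness check for pre-exit clearance controls.

Added example (not from the OIG report). Given HR separation dates and the
dates each clearance control was completed, flag controls that were signed
after the person had already left (or never signed), and compute on-time
rates separately for employees and contractors.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Labels for the controls the report describes; these are our own names,
# not FDIC form identifiers.
CONTROLS = ("manager_clearance", "records_questionnaire", "dlp_review")


@dataclass
class Separation:
    person_id: str
    population: str                       # "employee" or "contractor"
    separation_date: date
    # Date each control was completed; a missing key or None means never done.
    completed: Dict[str, Optional[date]] = field(default_factory=dict)


def control_status(sep: Separation, control: str) -> str:
    """'on_time' if completed on or before separation, 'late' if after, 'missing' if never."""
    done = sep.completed.get(control)
    if done is None:
        return "missing"
    return "on_time" if done <= sep.separation_date else "late"


def on_time_rates(seps: List[Separation], population: str) -> Dict[str, Optional[float]]:
    """Fraction of separations in `population` where each control was done before departure."""
    group = [s for s in seps if s.population == population]
    rates: Dict[str, Optional[float]] = {}
    for c in CONTROLS:
        ok = sum(1 for s in group if control_status(s, c) == "on_time")
        rates[c] = round(ok / len(group), 2) if group else None
    return rates


def findings(seps: List[Separation]) -> List[str]:
    """One line per (person, control) that was late or missing, oldest separation first."""
    out = []
    for s in sorted(seps, key=lambda x: x.separation_date):
        for c in CONTROLS:
            st = control_status(s, c)
            if st != "on_time":
                out.append(f"{s.person_id} ({s.population}): {c} {st}")
    return out


# Constructed sample records for the example (not FDIC data).
SAMPLE = [
    Separation("E001", "employee", date(2016, 3, 4),
               {"manager_clearance": date(2016, 3, 1), "records_questionnaire": date(2016, 3, 10),
                "dlp_review": date(2016, 3, 2)}),
    Separation("E002", "employee", date(2016, 3, 18),
               {"manager_clearance": date(2016, 3, 18), "records_questionnaire": date(2016, 3, 15),
                "dlp_review": date(2016, 3, 25)}),
    Separation("E003", "employee", date(2016, 4, 1),
               {"manager_clearance": date(2016, 4, 5), "records_questionnaire": date(2016, 3, 30),
                "dlp_review": None}),
    Separation("E004", "employee", date(2016, 4, 15),
               {"manager_clearance": date(2016, 4, 14), "records_questionnaire": date(2016, 4, 20),
                "dlp_review": date(2016, 4, 14)}),
    Separation("C001", "contractor", date(2016, 2, 26),
               {"manager_clearance": date(2016, 3, 3), "records_questionnaire": None,
                "dlp_review": date(2016, 3, 1)}),
    Separation("C002", "contractor", date(2016, 3, 11),
               {"manager_clearance": date(2016, 3, 10), "records_questionnaire": date(2016, 3, 20),
                "dlp_review": None}),
    Separation("C003", "contractor", date(2016, 3, 25),
               {"manager_clearance": None, "records_questionnaire": date(2016, 4, 1),
                "dlp_review": date(2016, 4, 2)}),
    Separation("C004", "contractor", date(2016, 4, 8),
               {"manager_clearance": date(2016, 4, 12), "records_questionnaire": date(2016, 4, 6),
                "dlp_review": date(2016, 4, 15)}),
]

if __name__ == "__main__":
    for pop in ("employee", "contractor"):
        print(pop, on_time_rates(SAMPLE, pop))
    print("\n".join(findings(SAMPLE)))
```

Same-day completion counts as on time, since the control can still act before the person's access is gone; anything later is a review of someone who has already left, which is exactly the design weakness the report describes. Running the rates per population makes the employee-versus-contractor gap visible directly rather than as an anecdote.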
To strengthen its process, the FDIC needed to ensure consistency between employee and contractor pre-exit clearance processes, reiterate responsibilities and expectations for oversight managers and records liaisons, and require timely notice of separating contractors.
As designed, the program controls did not provide reasonable assurance that the pre-exit clearance process would identify unauthorized access to, or inappropriate removal and disclosure of, sensitive information in a timely or effective manner.
We made 11 recommendations to address the weaknesses we identified. The FDIC concurred with all of them and described planned corrective actions.