The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) issued its audit of the FDIC’s Information Security Program--2019. The OIG engaged a contract firm to conduct this audit, which evaluated the effectiveness of the FDIC’s information security program and practices, as required by the Federal Information Security Modernization Act of 2014 (FISMA). The FDIC’s overall information security program was operating at a Maturity Level 3 (Consistently Implemented) on a scale of 1-5. Programs operating below a Maturity Level 4 are not considered effective.
The FISMA report describes security control weaknesses that limited the effectiveness of the FDIC’s information security program and practices and placed the confidentiality, integrity, and availability of the FDIC’s information systems and data at risk. The six highest risk weaknesses are briefly described below.
Risk Management. The FDIC had not yet completed an inventory of risks facing the FDIC, or a Risk Profile to help manage and prioritize risk mitigation activities. The FDIC also needed to develop a method and strategy to classify risk ratings and risk profiles of applications and systems, and develop and communicate the FDIC’s information security Risk Tolerance level and Risk Profile.
Network Firewalls. In a previous report, we found that many of the FDIC’s network firewall rules that controlled the flow of inbound and outbound traffic lacked a documented justification and the majority were unnecessary. The FDIC took steps to address these weaknesses, but further actions are needed.
Privileged Account Management. Hackers and other adversaries target administrative accounts to perform malicious activity, such as exfiltrating sensitive information. Our report identifies vulnerabilities related to these accounts that increased the risk of unauthorized network access or malicious activity.
Protection of Sensitive Information. We conducted unannounced walkthroughs of selected FDIC facilities and identified significant quantities of sensitive hard copy information stored in unlocked filing cabinets and boxes in building hallways. We also identified instances in which sensitive information stored on internal network shared drives was not restricted to authorized users.
Security and Privacy Awareness Training. FDIC employees and contractor personnel with network access must complete security and privacy awareness training within 1 week of employment, and annually thereafter. If not, their network access is revoked. We identified 29 network users who did not satisfy the FDIC’s awareness training requirement but still had access to the network.
Security Control Assessments. Our report discusses instances that occurred in 2016 and 2017 in which security control assessors did not test the implementation of security controls, when warranted. Instead, assessors relied on narrative descriptions of controls in FDIC policies, procedures, and system security plans and/or interviews of FDIC or contractor personnel.
The FDIC was working to address six recommendations from prior FISMA audit reports to strengthen controls in the areas of risk management, contractor-provided services, Plans of Action and Milestones, and vulnerability and compliance scanning. This FISMA report contains three new recommendations to ensure that employees and contractor personnel properly safeguard sensitive electronic and hardcopy information, and that network users complete required security and privacy awareness training. The FDIC concurred with these three recommendations.