The Office of Inspector General at the Federal Deposit Insurance Corporation (FDIC) has issued its report on the Security and Management of Mobile Devices. The objective was to determine whether the FDIC had established and implemented effective controls to secure and manage its mobile devices.
The FDIC deploys nearly 4,600 smartphones and more than 150 tablets to its employees and contractor personnel to support its business operations and communications. Although these mobile devices offer opportunities to improve business productivity, they also introduce the risk of cyber threats that could compromise sensitive FDIC data. Such threats include malicious software (“malware”) that can allow an actor to exploit vulnerabilities on the devices; eavesdropping on wireless communications over public networks; and mobile applications installed by users that collect and monitor data such as the user’s location, contacts, and browsing history. The FDIC uses a cloud-based mobile device management (MDM) solution to secure and manage its smartphones and tablets.
The audit found that the FDIC had not established or implemented effective controls in three of nine areas assessed, because the controls and practices did not comply with relevant Federal or FDIC requirements and guidance. Specifically,
- The FDIC’s Policies, Procedures, and Guidance pertaining to mobile devices were outdated: they did not reflect current business practices or address key elements recommended by the National Institute of Standards and Technology;
- The FDIC did not conduct Control Assessments of the MDM solution annually; and
- FDIC Logging and Monitoring practices were not guided by written procedures.
Controls and practices in the areas of Awareness Training, Billing Analysis, and Configuration Management were partially effective because they complied with some, but not all, relevant security requirements and guidelines. The FDIC implemented effective controls and practices in the areas of Asset Management, Incident Response, and Data Protection.
The report contains nine recommendations intended to strengthen the FDIC’s controls and practices for securing and managing its mobile devices.