The Office of Inspector General (OIG) of the Federal Deposit Insurance Corporation (FDIC) issued an audit report that identified weaknesses in the security controls over the FDIC’s Regional Automated Document Distribution and Imaging System (RADD).
The FDIC relies heavily on information systems to carry out its mission. As of February 11, 2020, the FDIC maintained 274 information systems, nearly half of which contained sensitive information and Personally Identifiable Information (PII). One of these systems is RADD, which serves as the official recordkeeping and electronic filing system for the FDIC’s supervisory business records. RADD contains over 5 million electronic supervisory business records. The large amount of sensitive information in RADD underscores the need for effective security controls to mitigate security incidents.
The audit objective was to assess the effectiveness of selected security controls for protecting the confidentiality, integrity, and availability of information in RADD. We assessed security controls in eight areas covered in National Institute of Standards and Technology (NIST) guidance: Plans of Action and Milestones, Configuration Management, Access Management, Removable Media, Encryption, Audit Logging, Security Authorization and Continuous Monitoring, and Contingency Planning.
We found that the FDIC’s controls and practices were effective in five of the eight security control areas assessed. However, controls and practices in the remaining three security control areas were not fully effective, because they either did not comply with FDIC policy requirements or were not implemented in a manner consistent with relevant NIST guidance. Specifically, the FDIC did not use a secure encryption solution to protect RADD data; did not implement a control to prevent unauthorized access to certain sensitive documents in RADD; and did not adequately document roles, responsibilities, and procedures for reviewing and maintaining RADD audit logs.
The report contains two recommendations to address the access control and audit logging weaknesses identified during the audit. The FDIC already completed corrective actions to address them.