FDIC's Mainframe Security
(Report No. 04-037, September 21, 2004)
International Business Machines (IBM) Business Consulting Services (hereafter referred to as IBM), an independent professional services firm, was engaged by the Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) to support its efforts to satisfy reporting requirements related to the Federal Information Security Management Act of 2002.
The objective of the audit was to determine whether the FDIC has adequate mainframe management, operational, and technical security controls. IBM reviewed the adequacy of the Division of Information Resources Management's (DIRM) policies, procedures, practices, and tools related to mainframe security.
IBM concluded that the FDIC has established and implemented management, operational, and technical controls that provide reasonable assurance of adequate mainframe security. IBM also followed up on audit recommendations in the Government Accountability Office (GAO) (formerly the General Accounting Office) Report No. 04-629, Information Security: Information System Controls at the Federal Deposit Insurance Corporation, dated May 28, 2004. IBM found that the FDIC has made progress in its efforts to strengthen mainframe security, update security policies and procedures, and increase employee security awareness.
Further, DIRM has completed the required certification activities in preparation for system accreditation. These activities include completing a mainframe security plan; conducting a risk assessment and preparing the final risk assessment report; performing a self-assessment of mainframe management, operational, and technical controls; and completing a Plan of Actions and Milestones.
IBM did find one aspect of mainframe security that could be improved.
IBM recommended that DIRM establish standards and procedures related to stored system instructions.
On September 14, 2004, the Director, DIRM, provided a written response to the draft report. DIRM management concurred with and proposed actions that are responsive to the recommendation. The recommendation is resolved but will remain undispositioned and open for reporting purposes.
This report addresses issues associated with information security. Accordingly, we have not made, nor do we intend to make, public release of the specific contents of the report.