Federal Deposit Insurance Corporation
Office of Inspector General

Controls Over System Interconnections with Outside Organizations

Thursday, December 6, 2018

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General issued an audit report that focused on the FDIC’s system interconnections, which enable the FDIC to exchange significant amounts of data with outside organizations.  As of September 7, 2017, the FDIC had 11 system interconnections.  The FDIC uses these system interconnections to transmit data, including personally identifiable information, confidential bank examination information, and sensitive financial data.  Proper design of these interconnections is critical to reducing security risks such as unauthorized access or disclosure of agency information.

Our audit objective was to assess the FDIC’s controls for managing system interconnections with outside organizations.  The audit focused on key controls recommended by the National Institute of Standards and Technology (NIST) for managing system interconnections, such as written agreements that specify the technical and security safeguards needed to protect interconnections.

We found that:

• Although the FDIC issued certain policies, procedures and templates for establishing system interconnections, we identified control weaknesses in each of the four phases of the NIST life-cycle framework.  The NIST framework consists of four phases:  planning, establishing, maintaining, and terminating interconnections.  

• The FDIC’s policies and procedures did not:  (a) define the types of technologies and configurations that constitute a system interconnection; (b) articulate the roles and responsibilities for those involved in managing system interconnections; or (c) establish documentation requirements for key activities.

• The FDIC did not create necessary written agreements to govern 3 of the 11 system interconnections.

• In four instances in which written agreements governing system interconnections had expired, the system interconnection remained enabled.  In addition, the FDIC did not terminate three system interconnections when they were no longer needed.  
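
The three findings above (interconnections with no written agreement, expired agreements with the link still enabled, and links not terminated once no longer needed) are conditions that a periodic reconciliation of the interconnection inventory against its agreements can surface. The following Python check is an added example, not part of the report or the FDIC's own tooling; the inventory, partner names, identifiers and dates are constructed, and the 365-day review window is an assumption drawn from the annual-review recommendation.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Interconnection:
    name: str                          # constructed identifier, not from the report
    partner: str                       # constructed outside organization
    enabled: bool                      # is the connection currently active?
    still_needed: bool                 # does the business owner still require it?
    agreement_expires: Optional[date]  # None means no written agreement on file


# Constructed sample inventory; not the FDIC's actual interconnections.
AS_OF = date(2017, 9, 7)
SAMPLE_INVENTORY = [
    Interconnection("IC-01", "Partner A", True, True, date(2018, 3, 1)),
    Interconnection("IC-02", "Partner B", True, True, None),
    Interconnection("IC-03", "Partner C", True, True, date(2016, 12, 31)),
    Interconnection("IC-04", "Partner D", True, False, date(2019, 1, 15)),
    Interconnection("IC-05", "Partner E", False, False, date(2015, 6, 30)),
    Interconnection("IC-06", "Partner F", True, True, date(2017, 10, 1)),
]


def find_exceptions(inventory, as_of, review_window=timedelta(days=365)):
    """Return (name, issue) pairs for the lifecycle conditions the audit cites.

    A disabled interconnection is treated as already terminated, so an
    expired agreement on a disabled link is not reported.
    """
    findings = []
    for ic in inventory:
        if ic.agreement_expires is None:
            findings.append((ic.name, "no written agreement on file"))
        elif ic.enabled and ic.agreement_expires < as_of:
            findings.append((ic.name, "agreement expired but interconnection still enabled"))
        elif ic.enabled and ic.agreement_expires <= as_of + review_window:
            findings.append((ic.name, "agreement expires within review window"))
        if ic.enabled and not ic.still_needed:
            findings.append((ic.name, "no longer needed but not terminated"))
    return findings


if __name__ == "__main__":
    for name, issue in find_exceptions(SAMPLE_INVENTORY, AS_OF):
        print(f"{name}: {issue}")
```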

We made seven recommendations to the FDIC to: (1) modify existing policies and procedures to address all four phases of the NIST life-cycle framework for managing system interconnections; (2) execute written agreements with two outside organizations; (3) modify the FDIC’s standard contract language involving system interconnections to align with NIST guidance; (4) review system interconnection agreements annually to ensure that they remain current; (5) implement procedures to review, update, and reauthorize written agreements when appropriate; (6) develop and implement procedures for notifying technical staff when system interconnections are terminated; and (7) develop and implement policies and procedures to govern the secure transfer of data outside the FDIC when using technologies that are not considered system interconnections.  

The FDIC concurred with six of the seven recommendations and partially concurred with the remaining recommendation.  The FDIC provided an alternative corrective action to address the remaining recommendation.  
