Federal Deposit Insurance Corporation
Office of Inspector General

Security Configuration Management of the Windows Server Operating System

Wednesday, January 16, 2019

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General issued an audit report on the FDIC's controls for managing security configurations and changes to its Microsoft Windows Server operating system. At the start of 2018, the FDIC had 2,166 servers on its network running the Microsoft Windows Server operating system. These servers store and process a significant volume of sensitive information and support mission-critical functions.

Federal agencies are required by statute to comply with certain system configuration requirements. Without effective configuration management, information systems may not operate properly, may stop operating altogether, or may become vulnerable to security threats. The objective of the audit was to determine whether the FDIC established and implemented controls for managing changes to its Windows Server operating system that were consistent with Federal requirements and guidelines.

The FDIC established various controls to manage changes to its Windows Server operating system, including an approved baseline configuration for the operating system, a system to track and report system changes, and a governance body to evaluate proposed changes. These controls were consistent with Federal requirements and applicable guidelines.

However, we found several deficiencies in the FDIC’s management of security configurations for its Windows servers:

- The FDIC did not establish current policies and procedures for managing changes to the Windows Server operating system. Accordingly, we did not have sufficient criteria to fully assess the FDIC's implementation of configuration management controls.

- The FDIC hired a contractor firm to assess certain security controls, including configuration management controls, for which the FDIC had also assigned the firm duties related to design and/or execution. Tasking this firm with assessing the effectiveness of its own work affected the independence of such assessments.

- FDIC oversight activities were inadequate in identifying instances in which security control assessors did not perform actual testing of certain security controls, when appropriate, including those intended to protect the Windows Server operating system. In these cases, when concluding on control effectiveness, assessors relied solely on written descriptions of the controls in FDIC policies, procedures, and system security plans and/or interviews of FDIC or contractor personnel.

- The security plan for the Windows Server operating system contained several inaccurate descriptions of security controls.

Our report includes eight recommendations collectively intended to ensure that (a) IT policies and procedures remain current and that personnel responsible for their implementation receive proper training; (b) security control assessments are performed by sufficiently independent entities; (c) oversight of security control assessments is sufficient and documented; and (d) system security plans remain accurate. The FDIC concurred with the recommendations. The FDIC has already completed actions to address two of the recommendations, and plans to complete actions to address the remaining six recommendations by November 29, 2019.
