Network World
Saturday, November 22, 2008
Layer 8

Network security issues dog FDIC

While the Federal Deposit Insurance Corp. (FDIC) has made significant progress improving its information system controls, old and new weaknesses could limit the corporation’s ability to effectively protect the confidentiality, integrity, and availability of its financial systems and information.

That was the conclusion of a Government Accountability Office report issued today that found that the FDIC had corrected or mitigated 16 of the 21 weaknesses the GAO reported in its 2006 audit.

For example, FDIC has improved physical security controls over access to its computer processing facility, instructed personnel to use more secure e-mail methods to protect the integrity of certain accounting data transferred over an internal communication network, updated the security plan of a key financial system called the New Financial Environment (NFE) to clearly identify all common security controls, developed procedures to report computer security incidents, and updated the NFE contingency plan.  

The FDIC stated it has initiated and completed some actions to mitigate the remaining five prior-year weaknesses. But the GAO said it could not verify that such actions had been completed.

Specifically, the GAO found the FDIC had not always implemented certain access controls, as the following examples show:

• Multiple FDIC users in a production control unit in one division and multiple users in another division share the same NFE logon ID and password. As a result, increased risk exists that individual accountability for authorized, as well as unauthorized, system activity could be lost.

• All users of the Assessment Information Management System II (AIMS II) application have full access to the application production code although their job responsibilities do not require such access. AIMS II calculates, collects and accounts for the quarterly assessment premiums paid by financial institutions. As a result, increased risk exists that individuals could circumvent security controls and deliberately or inadvertently read, modify, or delete critical source code.

• One database connection could be compromised because the password is not adequately encrypted with a Federal Information Processing Standards 140-2 compliant algorithm. As a result, increased risk exists that the database could be compromised by unauthorized individuals who could then potentially change, add, or delete information. 

The GAO said it was making 10 new recommendations to the FDIC to address actions to correct access and configuration management control weaknesses and to perform key information security program activities for the NFE and AIMS II systems. The new requirements include:

• NFE users do not share login ID and password accounts;

• AIMS II users do not have full access to application source code, unless they have a legitimate business need;

• the database connection is adequately encrypted with passwords that comply with FIPS 140-2;

• configuration items have unique identifiers;

• configuration changes are properly authorized, documented, and reported;

• physical configuration audits verify and validate that all items are under configuration management control, all changes made are approved by the configuration control board, and that teams are assigning unique identifiers to configuration items. 

About Layer 8

Layer 8 is Network World's daily home for the not-just-networking news.
The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.

Advertisement: