FDIC information security ‘not effective,’ report finds; eight recommendations offered to address

Information security systems at the federal insurer of bank deposits are operating at a “maturity level” that is not considered effective, and the agency’s inspector general has made eight recommendations to address those shortcomings, according to a report made public Wednesday.

In its “FDIC’s Information Security Program 2020” report, the Federal Deposit Insurance Corp.’s (FDIC) Office of Inspector General (OIG) outlined six deficiencies for the agency’s information security program. The publicly issued report contained some redactions to deal with what the OIG called “sensitive information.”

Among the highest-risk security control weaknesses outlined in the report:

  • Overall risk management issues: The agency had not fully defined “enterprise risk management” governance, roles, and responsibilities, the report notes. “In addition, the FDIC had not yet implemented recommendations to integrate privacy into its Risk Management Framework (RMF), nor did the FDIC always address Plans of Action and Milestones in a timely manner,” the report states. “Further, the FDIC did not consistently reassess its risk acceptance decisions.”
  • Risk acceptance decisions not consistently reassessed: The agency did not consistently review its existing “acceptance of risk” documents (ARs), which aim to capture risk acceptance decisions by the agency. “Unless the FDIC consistently implements a process for periodically reviewing and re-approving ARs, it cannot effectively assess the level of risk it is incurring relative to established Risk Tolerance levels,” the report states.
  • Unauthorized software on the agency’s network: Procedures and processes set up to review and authorize software before it is installed on the network “were not always effective,” the report states. It recounts an incident from May 2020 in which the agency discovered an unauthorized commercial software application installed on 32 desktop workstations. An FDIC report about this incident stated that the application had not been approved by the FDIC’s IT governance bodies or subjected to established configuration management processes designed to ensure that only authorized software is installed on the network.
    “Notably, in June 2019, the FDIC’s Office of the Chief Information Security Officer (OCSIO) had reviewed a request to acquire this same application and recommended that alternative solutions be considered due to security concerns,” the report states. “The FDIC removed the unauthorized software from the 32 workstations. However, the use of unauthorized software increased the risk of a security incident and an interruption to the safe operation of the FDIC’s network and applications,” the report adds.
  • Privacy control weaknesses not fully addressed: “FDIC had not yet completed actions to address privacy control weaknesses identified in our audit report on the FDIC’s Privacy Program issued in December 2019,” the report states. The report also notes that the agency, as of Aug. 31, had not addressed 12 of 14 recommendations contained in the audit report.
  • Oversight and monitoring of outsourced systems not adequate.
  • Cloud-based systems not subject to annual control assessments.

The eight recommendations outlined in the report are that the FDIC:

  • reassess its risk acceptance decisions in accordance with guidance;
  • implement control improvements to prevent the unauthorized installation of software on the network;
  • complete actions to address open Plans of Action and Milestones related to baseline configurations;
  • assess and improve controls for managing administrative accounts;
  • implement a process to ensure all outsourced information systems are subject to the RMF;
  • ensure all cloud-based systems are subject to annual security and privacy control assessments;
  • update its IT contingency planning policy; and
  • incorporate additional scenarios into its IT contingency plan testing.

FDIC OIG report