‘Outdated practices’ for securing mobile devices found in audit lead to recommendations for FDIC

Outdated practices for securing and managing mobile devices at the federal insurer of bank deposits have resulted in a series of control recommendations from an auditor brought in by the agency’s inspector general.

According to a report issued Wednesday by the inspector general for the Federal Deposit Insurance Corp. (FDIC), the audit (conducted by Cotton & Co. LLP) determined that the agency had “not established or implemented effective controls and practices to secure and manage its mobile devices in three of the nine areas assessed because the controls and practices did not comply with relevant Federal or FDIC requirements and guidance.”

The report details that the agency deploys nearly 4,600 smartphones and more than 150 tablets to employees and contract personnel. It notes that the devices – while offering opportunities to improve business productivity – also introduce the risk of cyber threats that could compromise sensitive FDIC data. “The FDIC must implement proper controls to ensure that it effectively manages its inventory of mobile devices and the associated expenditures,” the report states.

According to the report, the audit found:

  • Agency policies, procedures, and guidance were outdated and did not reflect current business practices pertaining to mobile devices. They did not address key elements recommended by the National Institute of Standards and Technology (NIST). “For example, FDIC policies did not address the bring your own device (BYOD) program nor the risks associated with personal use of FDIC-furnished mobile devices, such as downloading and using non-work related applications, and texting, messaging, and video,” the report stated.
  • The FDIC did not conduct annual control assessments of its cloud-based mobile device management (MDM) solution to ensure that controls were effective and operating as intended.
  • Logging and monitoring practices were not guided by written procedures and did not provide for adequate separation of duties.

Among the recommendations made are that the FDIC:

  • fully assess the risks associated with its mobile devices;
  • establish mobile device policies and guidance consistent with NIST guidance;
  • require BYOD users to sign service agreements;
  • strengthen awareness training pertaining to the use of mobile devices and define roles, responsibilities, and procedures for reviewing logs generated by the MDM solution;
  • routinely report mobile device usage information to FDIC business units and require them to suspend or terminate service for devices that are no longer needed (which, the report adds, would yield cost savings for the agency);
  • develop and implement written roles, responsibilities, and procedures for testing software updates for mobile devices.

The FDIC said it concurred with all nine of the report’s recommendations and plans to complete corrective actions by May 30, 2022.

FDIC OIG audit report: Security and Management of Mobile Devices