FDIC info security program operating ‘managed, measurable,’ but several risks continue to confront agency, audit finds

While its information security program is operating at a “managed and measurable” level, the federal bank deposit insurance agency still has several security control weaknesses to address, according to an audit report issued Tuesday by the agency’s Office of Inspector General (OIG).

According to the Federal Deposit Insurance Corp.’s (FDIC) OIG, the audit, conducted by Cotton & Co. Assurance and Advisory, LLC, found several security control weaknesses that “continue to pose risk to the FDIC.” The report found that the FDIC:

  • Has not fully implemented an automated software inventory program to manage end-of-life and end-of-service assets.
  • Should act on the audit’s nine recommendations for its supply chain risk management (SCRM) program, which the audit asserted “lacks maturity.”
  • Did not remove accounts belonging to separated personnel in a timely manner.
  • Did not configure privileged accounts in accordance with the principle of “least privilege.”
  • Needs to enforce its cybersecurity and privacy awareness training requirements.

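The two identity findings above (separated personnel whose accounts were not removed in a timely manner, and privileged accounts not configured for least privilege) are the kind of control gap an auditor checks by joining an HR separation list against a directory export. The script below is an added example and is not code from the FDIC, its OIG or Cotton & Co.; the account roster, separation dates, the one-day disable threshold and the set of roles permitted to hold privileged access are all constructed assumptions, since the report does not publish the FDIC’s data or role model.

```python
from datetime import date

# Constructed sample data for this example; none of it comes from the FDIC report.
# HR separation dates keyed by account name.
SEPARATIONS = {
    "jdoe": date(2023, 3, 1),
    "asmith": date(2023, 3, 10),
    "bwong": date(2023, 4, 2),
}

# Constructed directory export: account state, privilege flag and job role.
ACCOUNTS = [
    {"user": "jdoe",   "enabled": False, "disabled_on": date(2023, 3, 2),  "privileged": False, "role": "analyst"},
    {"user": "asmith", "enabled": True,  "disabled_on": None,              "privileged": True,  "role": "analyst"},
    {"user": "bwong",  "enabled": False, "disabled_on": date(2023, 4, 20), "privileged": True,  "role": "sysadmin"},
    {"user": "clee",   "enabled": True,  "disabled_on": None,              "privileged": True,  "role": "helpdesk"},
    {"user": "mpatel", "enabled": True,  "disabled_on": None,              "privileged": True,  "role": "sysadmin"},
]

# Assumed policy values (the report does not state the FDIC's thresholds or role model).
AS_OF = date(2023, 5, 1)            # constructed date of the review
MAX_DISABLE_LAG_DAYS = 1            # assumed: accounts must be disabled within one day of separation
ROLES_ALLOWED_PRIVILEGE = {"sysadmin"}  # assumed: only this role justifies privileged access


def stale_separated_accounts(accounts, separations, as_of, max_lag_days=MAX_DISABLE_LAG_DAYS):
    """Return (user, status, lag_days) for separated personnel whose account is
    still enabled, was disabled more than max_lag_days after separation, or has
    no recorded disable date to verify against."""
    findings = []
    for acct in accounts:
        separated_on = separations.get(acct["user"])
        if separated_on is None:
            continue  # still employed according to HR; out of scope for this check
        if acct["enabled"]:
            lag = (as_of - separated_on).days
            status = "still enabled"
        elif acct["disabled_on"] is None:
            findings.append((acct["user"], "disable date unrecorded", None))
            continue
        else:
            lag = (acct["disabled_on"] - separated_on).days
            status = "disabled late"
        if lag > max_lag_days:
            findings.append((acct["user"], status, lag))
    return findings


def over_privileged_accounts(accounts, allowed_roles=ROLES_ALLOWED_PRIVILEGE):
    """Return (user, role) for enabled privileged accounts whose role does not
    justify privileged access under the assumed role model."""
    return [
        (a["user"], a["role"])
        for a in accounts
        if a["enabled"] and a["privileged"] and a["role"] not in allowed_roles
    ]


if __name__ == "__main__":
    for user, status, lag in stale_separated_accounts(ACCOUNTS, SEPARATIONS, AS_OF):
        print(f"separated account {user}: {status} ({lag} days after separation)")
    for user, role in over_privileged_accounts(ACCOUNTS):
        print(f"privileged account {user} held by role '{role}' outside the allowed set")
```

Run against the constructed data, the first check flags asmith (separated, still enabled 52 days later) and bwong (disabled 18 days after separation), while jdoe, disabled the day after separation, passes. The second check flags asmith and clee, whose roles do not justify privileged access; bwong’s privileged account is already disabled and so is excluded. In practice the HR feed and the directory export replace the inline dictionaries, and the threshold and role set come from the organisation’s own access policy.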
The audit report said the security control weaknesses it found reduced the effectiveness of the agency’s information security program, and that practices “could be improved to reduce the effect on the confidentiality, integrity, and availability of the FDIC’s information systems and data.”

The report added that, in many cases, the security control weaknesses were identified during ongoing or completed OIG audits and evaluations, or through FDIC security and privacy control assessments.

The Federal Deposit Insurance Corporation’s Information Security Program – 2023