The Federal Deposit Insurance Corporation (FDIC) – which has been much in the news in recent weeks due to banking sector turmoil – has more work to do to improve the security of its user identification and authentication technology, according to the agency’s inspector general.

The agency’s Office of Inspector General (OIG) said in a new report that FDIC has not fully “implemented effective controls” for its Microsoft Windows Active Directory (AD).

The AD system is used by the agency to “manage user identification, authentication, and authorization,” and can be a prime target area for cyber criminals, the OIG said.

The watchdog found in its audit that out of the 12 areas assessed, seven were judged to still need improvements.

Some of the areas found to need improvement included password management, privileged account management, and AD policies and procedures.

“The FDIC’s ineffective AD security controls could pose significant risks to FDIC data and systems,” the OIG warned.

The report gives recommendations for the FDIC chief information officer to “develop and implement procedures to regularly update the Active Directory Operations Manual to reflect the current structure and practices,” said the agency.

The FDIC concurred with the entire list of recommendations, which include: