The Federal Deposit Insurance Corporation (FDIC) has a strong information security maturity rating, an overall grade of 4 on a 5-point scale, but still has “significant security control weaknesses,” according to a recent audit of its information security practices released by the FDIC Office of the Inspector General (OIG).
The audit was required by the Federal Information Security Modernization Act (FISMA) of 2014 and evaluated the effectiveness of the FDIC’s information security program and practices. Having found issues with the FDIC’s security control practices, the OIG made six recommendations.
“During the past year, the FDIC had established certain information security program controls and practices. In addition, the FDIC worked to strengthen its security controls following the issuance of our FISMA 2020 audit report,” the audit says.
Among those improved practices, the OIG cites an update to the FDIC’s privacy program, new processes to prevent unauthorized software installations on the FDIC network, and updates to its contingency planning policies and procedures, among other changes.
“However, the audit report describes significant security control weaknesses that reduced the effectiveness of the FDIC’s information security program and practices and that can be improved to reduce the impact to the confidentiality, integrity, and availability of the FDIC’s information systems and risk to data,” the report says. “The FDIC should ensure a proper sense of urgency and expediency to proactively address and resolve weaknesses in its information security program, including the most significant risks as identified.”
Among the listed weaknesses, the FDIC OIG says the agency lacks a mature supply chain risk management (SCRM) program, needs improved account management, has inadequate oversight, and carries a high number of open, overdue, and unaddressed plans of action and milestones (POA&Ms).
The OIG’s recommendations for the FDIC are:
- “Develop and implement SCRM processes and procedures in accordance with the Supply Chain Risk Management Program Directive and applicable government guidance;
- Begin tracking completion of the Identity, Credential, and Access Management (ICAM) milestones of its revised ICAM Roadmap;
- Fully implement the Privacy Continuous Monitoring process to include updating Privacy Impact Assessments for all required systems;
- Implement Document Labeling Guide requirements across the organization;
- Analyze the Document Labeling Guide for previously-created documents; and
- Ensure that the FDIC’s information systems are subject to a formal authorization process.”