A recent audit of the FDIC’s financial statements revealed critical security gaps in its financial databases, according to a report released today by the Government Accountability Office. The government watchdog pointed out vulnerabilities in FDIC’s management of data access rights, and noted that the agency has failed to install an urgent patch to mitigate known vulnerabilities in third-party software that supports financial processing.
The GAO found that while FDIC has implemented several security controls since a previous audit, several aspects of its IT security program are still not fully implemented. Specifically, GAO said that the agency has failed to fully document and implement procedures for performing system access requests, assignments and removal, and that it did not have a policy in place for monitoring critical file changes.
The GAO recommended that FDIC update and implement access control procedures requiring that authorizations for the removal or modification of access rights are documented and acted upon in a timely manner, and that the agency put in place a policy that will allow it to better monitor changes to critical files. The GAO made ten additional recommendations to FDIC in a separate, limited-distribution report.