A spotty risk management strategy, along with poor security control assessment procedures, is undermining the Federal Deposit Insurance Corporation (FDIC)’s ability to identify and detect network security threats, according to an FDIC Office of the Inspector General (OIG) report released on Oct. 23.
The report, which is based on an April through September 2019 audit, classified FDIC’s threat identification and detection procedures as the weakest security area at the agency. The OIG also flagged unnecessary network firewall rules, vulnerabilities in firewall access authentication, inadequately stored personally identifiable information, and employees operating without appropriate security and privacy training as factors preventing the agency from reaching “managed and measurable” security maturity.
The OIG recommended that the FDIC complete work on outstanding recommendations from past audits to correct some of the flaws, such as improving its method for managing potential network risks, and also made three new recommendations to the agency to improve security.
The new recommendations to FDIC are: emphasize to staff the importance of proper security protocols for sensitive materials; monitor employee compliance with requirements for safeguarding sensitive materials; and implement a procedure to ensure that FDICLearn – the agency’s learning management system – stays up to date on employee security and privacy trainings.
In a mid-October letter, FDIC told the OIG it aims to complete the new recommendations next year.
Specifically, the agency said it will: hold annual events for employees and contractors on how to keep sensitive information secure; establish a plan to improve storage of hard copies of sensitive information; and improve documentation of network users who have not completed appropriate security and privacy training.
Since its 2018 FISMA audit, the FDIC has implemented an agency-wide Identity, Credential, and Access Management (ICAM) program, made progress toward a new backup data center, and improved security control policy and procedures, the OIG said.