As part of its auditing of financial statements of funds administered by FDIC, GAO “assessed the effectiveness of the corporation’s controls in protecting the confidentiality, integrity, and availability of its financial systems and information.” GAO found that although “FDIC had implemented numerous controls in its systems, it had not always implemented access and other controls to protect the confidentiality, integrity, and availability of its financial systems and information.”
GAO concluded that various “control weaknesses continue to unnecessarily put FDIC’s systems at an increased risk from internal and external threats.” Among the security weaknesses indentified by GAO was that the agency “had not fully implemented key elements of its information security program, such as effectively implementing security policies, conducting risk assessments, documenting security management plans, documenting contingency plans, testing security controls, or implementing an effective continuous monitoring program.”
GAO notes that “Without adequate access controls, unauthorized individuals, including intruders and former employees, can surreptitiously read and copy sensitive data and make undetected changes or deletions for malicious purposes or for personal gain.”
Leave a Reply