IV. Management Controls - High Vulnerability Issues
For purposes of this report, FDIC management has designated a high vulnerability issue as a high-risk or medium-risk area with identified deficiencies and ineffective internal controls, and with minor or no mitigating controls. These areas warrant special management attention and a need to strengthen controls. The FDIC identified Information System Security as a high vulnerability issue for 2002 and 2003.
Adequate information system security is critical to the FDIC's accomplishment of its mission. Adequate controls are designed to provide the assurance that:
The systems developed, enhanced and maintained provide the support necessary to carry out the objectives of the program area and provide needed information on a timely basis;
Resources are used efficiently;
Adequate security prevents unauthorized access to and manipulation of sensitive data;
Data quality is preserved; and
Operations continue in the event of a disaster.
The FDIC continues its efforts to improve the information security program and operations, but continual management attention is needed. While some challenges are amenable to near-term resolution, others can only be addressed by a concerted, continuing effort, resulting in progress over a longer period of time.
The overall assessment included in the OIG's report entitled Independent Evaluation of the FDIC's Information Security Program - 2003 concludes that the Corporation established and implemented management controls that provided limited assurance of adequate security over its information resources. Of the ten management control areas tested, only one was rated with a control assurance level of "minimal/no assurance" in the implementation of controls category. But even in this area (Contractor and Outside Agency Security), the OIG noted that the FDIC has made significant progress since the OIG's 2002 security evaluation.
Notably, the FDIC has made considerable progress in mitigating contractor security-related risk compared to last year. Specifically, in the past year, the FDIC has updated its policy on connecting off-site contractor facilities to the corporate network and ensuring contractors are disconnected from the network when the contract expires, and has initiated a much more aggressive program to monitor and audit office activities and connections. Current plans entail inspection of contractor facilities to review security issues and concerns. By August 2003, all the sites connected to the FDIC network had been reviewed. Beginning in 2004, this approach will be expanded to include at least one scheduled and one unannounced review at each of the off-site contractor locations.
The FDIC made improvements in other areas as well. In 2002, Performance Measurement and Capital Planning/Investment Control were two areas that the OIG reported as having no assurance of adequate security. For 2003, these areas were upgraded to "limited assurance" as a result of continuous efforts made during the year. In 2003, the FDIC initiated a more extensive self-assessment program to continuously monitor and improve the Information Security Program by identifying risks and internal control deficiencies. To support this initiative, the FDIC entered into a two-year agreement with an independent contractor.