FDIC, Federal Deposit Insurance Corporation, Office of Inspector General, core values: communication, objectivity, responsibility, excellence

Controls Over the Risk-Related Premium System

September 2005
Audit Report 05-037


Table 1: Coverage of Elements in the RRPS Security Plan

Columns: Security Plan Section; NIST SP 800-18 Requirements; Exceptions

System Identification
  System Name/Title, Information Contacts, Assignment of Security Responsibility, System Operational Status, General Description/Purpose, System Environment, System Interconnection/Information Sharing, Applicable Laws or Regulations Affecting the System, General Description of Information Sensitivity: None

Management Controls
  Risk Assessment and Management: The plan does not provide information on where and how to obtain the most recent Risk Assessment Report.
  Review of Security Controls: None
  Rules of Behavior: The plan does not specify a requirement to provide users with a copy of the Rules of Behavior prior to obtaining access to RRPS.
  Planning for Security in the Life Cycle: The plan does not describe disposal requirements for system termination, such as procedures on how information would be archived, cleared, or purged from the RRPS.
  Authorize Processing: None

Operational Controls
  Personnel Security:
    The plan does not indicate the sensitivity level (low, medium, or high) designations for DIT contractor personnel involved in RRPS maintenance and technical support.
    The plan does not specify termination procedures for users in adverse situations.
    Note: FDIC Circular 1360.15, Access Control for Automated Information Systems, is referenced as containing procedures for reviewing user access. The reviews have not been performed (see Finding C).
  Physical and Environmental Protection: None
  Production, Input/Output Controls:
    Although the plan indicates that specific electronic processing procedures have been established to handle data and media from external agencies, no information is included on where and how to obtain these procedures.
    Labeling the data sensitivity (e.g., Privacy Act or proprietary data) of printed output is not addressed.
  Contingency Planning: None
  Application Software Maintenance Controls:
    The plan does not require that a Configuration Management Plan be developed and implemented as required by FDIC Circular 1320.4, FDIC Software Configuration Management Policy (see Finding B).
    The plan does not address migration procedures (i.e., movement of the software through the development stage to the test stage to the production stage) to prevent using incorrect versions of software.
  Data Integrity/Validation Controls: None
  Documentation: None
  Security Awareness and Training: None

Technical Controls
  Identification and Authentication: None
  Logical Access Controls: None
  Public Access Controls: None
  Audit Trails: None

Last updated 10/27/2005