DATE: September 13, 2005

MEMORANDUM TO: Stephen M. Beard, Deputy Assistant Inspector General for Audits, Office of the Inspector General

FROM: Arthur J. Murton, Director

SUBJECT: Draft Report Entitled, Audit of Controls Over the Risk-Related Premium System (Assignment No. 2005-029)

Thank you for the opportunity to respond to the draft audit report, Audit of Controls Over the
Risk-Related Premium System. The Division of Insurance and Research (DIR) agrees with the
overall assessment that the management, operational, and technical controls for the Risk-Related
Premium System (RRPS) provide reasonable assurance of adequate security.
The draft report contains three recommendations to maintain strong controls over RRPS. The
Division is responsible for taking corrective action to address the deficiencies noted in
Recommendations One (1) and Three (3) of the draft report. The Division of Information
Technology (DIT) is responsible for Recommendation Two (2) and will provide a response to
the draft audit report under separate cover. The recommendations for which DIR has primary
responsibility are listed below with the Division's responses and the actions taken to correct the noted
deficiencies.
FDIC OIG Recommendations:
- We recommend that the Director, DIR, correct identified deficiencies in and approve the
updated RRPS security plan.
DIR Response:
DIR concurs with the finding. All items listed in the condition have been documented in the
RRPS security plan and a copy of the revised plan has been provided to the OIG. DIR will
continue to modify the security plan when: (1) NIST/OMB updates requirements for major
application security plans, (2) RRPS applications controls or procedures are modified, and/or
(3) internal reviews or external security audits require modifications.
- We recommend that the Director, DIR, develop and implement an SCM plan for RRPS that
incorporates the appropriate features of StarTeam.
DIT will respond to this finding under separate cover.
- We recommend that the Director, DIR, establish roles, responsibilities, and procedures for
conducting periodic reviews of all RRPS user access rights as required by FDIC Directive
1360.15 and the RRPS security plan.
DIR Response:
DIR concurs with the finding. Roles, responsibilities, and procedures for conducting periodic
reviews of all RRPS user access rights have been developed and are documented in the security
plan.