
Controls Over the Risk-Related Premium System

September 2005
Audit Report 05-037


DATE:  September 16, 2005

MEMORANDUM TO:  Stephen M. Beard
 Deputy Assistant Inspector General for Audits

FROM: Michael E. Bartell
 Chief Information Officer and
 Director, Division of Information Technology

SUBJECT:  Draft Report Entitled, Audit of Controls Over the Risk-Related
 Premium System (Assignment No. 2005-029)

Thank you for the opportunity to respond to the draft audit report, Audit of Controls Over the Risk-Related Premium System. The Division of Technology (DIT) agrees with the overall assessment that the management, operational, and technical controls for the Risk-Related Premium System (RRPS) provide reasonable assurance of adequate security.

The draft report contains three recommendations to maintain strong controls over RRPS. The Division is responsible for taking corrective action to address the deficiencies noted in Recommendation Two (2) of the draft report. The Division of Insurance and Research (DIR) is responsible for Recommendations One (1) and Three (3) and will provide a response to the draft audit report under separate cover. The recommendation for which DIT has primary responsibility is listed below with the Division’s response and corrective action.

FDIC OIG Recommendation:

  1. We recommend that the Director, DIT, develop and implement an SCM plan for RRPS that incorporates the appropriate features of StarTeam.

DIT Response:

The System Configuration Management Plan (SCMP) template was changed July 29, 2005 to reflect the implementation of the RUP SDLC implementation. A draft of the new RRPS SCMP was distributed for comments on August 30, 2005. The target date for completion of the RRPS SCMP is October 14, 2005. Four of the five StarTeam capabilities that the OIG determined to be missing at the time of the audit will be activated in StarTeam for RRPS and included as part of the new plan. Specifically, this includes: software release comparison with date/time stamp; change tracking and traceability; file locking to prevent simultaneous access between users; and rollback to previous software version. A second, separate document which addresses the fifth feature, workflow control for approval process, will also be completed by October 14, 2005.

cc: Jerry Russomano
 Ron Pferchy
 Nina Aggarwal
 Al Gross
 James H. Angel, Jr.
 Arlinda G. Sothoron

Last updated 10/12/2005