KPMG’s Independent Evaluation of FDIC Information Security Program – 2007
BACKGROUND
Key to achieving the FDIC’s mission of maintaining stability and public confidence in the nation’s
financial system is safeguarding the sensitive information (including personally identifiable information
(PII)) that the FDIC collects and manages in its role as federal deposit insurer of banks and savings
associations. In addition, as an employer and acquirer of services, the FDIC obtains sensitive information
from its employees and contractors. Implementing proper controls over this information is critical to
mitigating the risk of an unauthorized disclosure that could lead to identity theft, consumer fraud, and
potential legal liability or public embarrassment for the Corporation. Widely publicized reports of
network compromises and data security breaches at federal agencies have raised concern among federal
agencies, the public, and the Congress and underscore the importance of implementing strong, enterprise-wide
information security controls. In addition, the U.S. Government Accountability Office (GAO) has
designated information security as a government-wide, high-risk issue in its reports to the Congress since
1997.
In response to concerns about the security of federal information systems, the Congress enacted Title III
of the E-Government Act of 2002, commonly referred to as FISMA. FISMA focuses on improving the
oversight of federal information security programs and facilitating progress in correcting agency
information security deficiencies. FISMA requires federal agencies, including the FDIC, to develop,
document, and implement an agency-wide information security program that provides security for the
information and information systems that support the operations and assets of the agency, including those
provided or managed by another agency, contractor, or other source.1 Under FISMA, agency heads are
responsible for providing information security protections commensurate with the risk and magnitude of
harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of
information and information systems. Agency heads are also responsible for complying with the
requirements of FISMA and related policies, procedures, standards, and guidelines. FISMA directs
agency heads to report annually to the OMB Director, Comptroller General, and selected congressional
committees on the adequacy and effectiveness of agency information security policies, procedures, and
practices and compliance with FISMA. In addition, FISMA requires agencies to have an annual
independent evaluation performed of their information security programs and practices and to report the
evaluation results to OMB. FISMA states that the independent evaluation is to be performed by the
agency IG or an independent external auditor as determined by the IG.
OMB is responsible for annually reporting to the Congress on agency compliance with FISMA’s
requirements. OMB relies on the annual agency FISMA reports to evaluate agency-specific and
government-wide security performance. OMB provided federal agencies with instructions for satisfying
their reporting requirements under FISMA in a July 25, 2007 memorandum, FY 2007 Reporting
Instructions for the Federal Information Security Management Act and Agency Privacy Management.
OMB’s primary agency security policy is OMB Circular No. A-130, Management of Federal Information
Resources, Appendix III, Security of Federal Automated Information Resources (OMB A-130, Appendix
III), dated November 28, 2000.2
NIST Security Standards and Guidelines
FISMA directs NIST to develop risk-based standards and guidelines to assist agencies in defining
minimum security requirements for the non-national security systems used by agencies.3 NIST has
developed such standards and guidelines as part of its FISMA Implementation Project and is developing
additional standards and guidelines. KPMG based its security evaluation primarily on the security
controls defined in NIST Federal Information Processing Standards (FIPS) Publication (PUB) 200,
Minimum Security Requirements for Federal Information and Information Systems, and Special
Publication (SP) 800-53 Revision (Rev.) 1, Recommended Security Controls for Federal Information
Systems.4 These NIST publications define a framework for protecting the confidentiality, integrity, and
availability of federal information and information systems consisting of three general classes of security
controls, namely, management, operational, and technical. Collectively, these three security control
classes contain 17 control families. Each control family contains security controls related to the security
functionality of the family. KPMG included one additional security control class (i.e., program) in its
assessment methodology based on a review of NIST SP 800-100, Information Security Handbook: A
Guide for Managers, and research of relevant security-related statutes, regulations, policies, and
guidelines.
| Federal security control
requirements and assessment methodologies have changed dramatically in recent years in response to new NIST security standards
and guidelines. Figure 1 illustrates the relationship of key NIST security standards and guidelines. Appendix I of this report
provides additional information about FIPS PUBs and SPs, including their legal effect on the FDIC. |
|
FDIC Systems and Applications
The FDIC relies extensively on information systems to support its business operations. The FDIC’s Division of Information Technology (DIT) maintains seven general support systems (GSS)6 that provide basic processing and communications support for the 319 business application systems7 in the Corporation’s application inventory. The FDIC’s business applications collect, process, store, and distribute mission-critical information, such as personnel and bank data, in support of the Corporation’s three primary program areas (Insurance, Supervision and Consumer Protection, and Receivership Management). The FDIC has classified nine of the business application systems as major applications.8 Table 1 identifies the FDIC’s GSSs and major applications. The FDIC has aggregated its minor applications into the GSSs and major applications.
General
Support
System
|
|
|
|
|
|
|
Major
Applications |
|
|
|
|
|
|
|
|
Source: DIT’s Information Security and Privacy Staff.5
* During the fiscal year 2007 FISMA evaluation, the FDIC re-defined the boundaries of
the Windows Servers GSS to include Windows servers previously included in the
Remote Access GSS.
FDIC Security Governance
| Several key components comprise the FDIC’s information security governance structure. As
illustrated in Figure 2, these components include the FDIC Chairman and Board of Directors; Chief Information Officer (CIO); Chief Operating Officer (COO); Chief Financial Officer (CFO); and the Directors of DIT, the Division of Administration (DOA), and other divisions and offices that own information systems. |
|
The Chairman and Board of Directors are ultimately responsible for the security of the FDIC’s information and information systems. The CFO and CIO co-chair a Capital Investment Review Committee, which authorizes and monitors capital projects, including IT projects. The CIO has overall responsibility for the FDIC’s IT program, including information security. The CIO also serves as
the FDIC’s Chief Privacy Officer, Senior Agency Official for Privacy,9 and Director of DIT. In addition, a CIO Council composed of senior agency managers advises the CIO on all aspects of IT, including security. The COO manages the FDIC’s operating divisions, including DIT and DOA. DIT is responsible for providing a secure IT infrastructure and systems. DOA is responsible for providing physical and personnel security for the FDIC. Other division and office heads are responsible for ensuring that systems under their ownership or control conform to the FDIC’s security requirements. The OIG performs or contracts for audits and evaluations of the FDIC’s information security controls, including the annual independent evaluation of the Corporation’s security program required by FISMA.
The CIO has assigned primary responsibility for planning, developing, and implementing the FDIC’s information security program and operations to an Associate Director in DIT who reports directly to the CIO. In addition, the FDIC has established eight Information Security Managers (ISM) within its program divisions and offices to ensure a business focus on information security. The responsibilities of ISMs include promoting security awareness, providing security management and technical advice on behalf of their divisions and offices, and assessing the level of security needed and in place in corporate applications. DIT’s budget for calendar year 2007 is approximately $191 million, of which the FDIC estimated approximately $18 million is allocated to information security.
DOA’s Security and Emergency Preparedness Section is responsible for administering the FDIC's physical and personnel security programs. Physical security includes activities such as badging employees, contractors, and visitors and protecting employees, visitors, and facilities from internal and external threats such as fire, theft, vandalism, sabotage, and terrorist activities. Personnel security includes activities such as performing credit checks, fingerprint checks, and background investigations of FDIC employees and contractors. The Security and Emergency Preparedness Section is also responsible for managing, directing, and testing the FDIC’s Emergency Preparedness Program, which includes the FDIC’s Emergency Response Plan and the Business Continuity Plan (BCP). Both plans have IT-related components. DIT and DOA coordinate on relevant corporate security matters.
Information Security Program Initiatives
The FDIC is working to implement a number of important initiatives to strengthen its information
security program controls and operations. Of particular note, DIT is in the process of deploying software
that automatically encrypts data stored on corporate laptop computers without manual intervention by
users. The FDIC’s current laptop encryption software requires manual intervention by users, limiting
management’s assurance that sensitive information is consistently encrypted. Additionally, DIT plans to
implement a standardized encryption solution for sensitive data stored on removable media, such as
Universal Serial Bus (USB) thumb drives and CDs/DVDs. In the fall of 2006, the FDIC undertook a
multi-year, strategic initiative to conduct a comprehensive assessment (including usage level, continued
need, data content, access rights, and access control monitoring procedures) of its network shared drives.
The FDIC recognizes that its network shared drives contain significant amounts of sensitive information
that may be at risk of unauthorized disclosure. In addition, DIT initiated the Identity Access Management
project to develop a more efficient and effective process for controlling access to its corporate systems
and data resources. Further, DIT is adopting the principles of the Control Objectives for Information and related Technology (COBIT®)10 in its internal control program.
RESULTS OF EVALUATION
The FDIC has made significant progress in recent years in addressing the information security provisions
of FISMA and NIST. This progress is noteworthy given the considerable increase in information-security-related requirements levied on federal agencies. KPMG found that the FDIC established policies
and procedures in substantially all of the security control areas evaluated. In addition, KPMG noted
particular program strength in the areas of Information Security Governance, Incident Response, and
Awareness and Training. KPMG also noted that a recent test of the FDIC’s IT disaster recovery
capability was successful in achieving its primary objective of recovering mission-critical applications
and GSSs within pre-determined timeframes. Further, the FDIC enhanced its configuration management
controls by integrating information security into its Rational Unified Process (RUP®) systems
development life cycle (SDLC) methodology and applying RUP® to IT infrastructure projects.
These accomplishments are notable. However, KPMG identified a number of information security
control deficiencies warranting management attention. Addressing these security control deficiencies will
contribute to the FDIC’s ongoing efforts to achieve reasonable assurance of adequate security over
corporate information resources. If not addressed in a timely manner, these security control deficiencies
could affect the results of future evaluations of the FDIC’s information security program. KPMG’s report
identifies steps that the Corporation can take to strengthen security controls in Access Control;
Identification and Authentication; Risk Assessments; Personnel Security; Audit and Accountability; and
Certification, Accreditation, and Security Assessments. In many cases, the FDIC was already working to
improve security controls in these areas during KPMG’s evaluation.
Table 2, on the following page, summarizes KPMG’s security program assessment results. The table
structures KPMG’s results according to the security control framework defined in FIPS PUB 200 and
SP 800-53 Rev. 1. The table includes one additional control class (i.e., program) based on the results of
KPMG’s research of relevant security-related statutes, regulations, policies, and guidelines.11 The
detailed results of KPMG’s program assessment are presented after Table 2.
Table 2: KPMG Assessment of the FDIC’s Security Controls
|
Control Class |
Control Families Tested That
Demonstrated Effectiveness |
Control Families Tested That
Warrant Management Attention |
| Program |
- Information Security Governance
|
|
| Management |
|
- Risk Assessment
- Certification, Accreditation, and Security Assessments
|
| Operational |
- Contingency Planning
- Configuration Management
- Maintenance
- Incident Response
- Awareness and Training
|
- Physical and Environmental Protection
- Personnel Security
- System and Information Integrity
- Media Protection
|
| Technical |
None |
- Identification and Authentication
- Access Control
- Audit and Accountability
|
Source: 2007 KPMG Evaluation of the FDIC’s Information Security Program.
PROGRAM CONTROLS
Program controls define an enterprise-wide framework for planning, directing, and controlling resources
to achieve agency security objectives. Based on our analysis of NIST SP 800-100 and relevant security-related
statutes, regulations, policies, standards, and guidelines, program controls include three families
for consideration: Information Security Governance, Capital Planning, and Enterprise Architecture. As
part of the 2006 FISMA evaluation, the OIG performed extensive testing in these three areas. For 2007,
KPMG’s evaluation of program controls was limited to Information Security Governance and the system
inventory component of Enterprise Architecture. KPMG did not evaluate security controls related to
Capital Planning. In summary, KPMG found the security controls tested related to Information Security
Governance were effective, while controls tested for Enterprise Architecture warranted management
attention.
Information Security Governance
Rating: Demonstrated Effectiveness
Information security governance involves the implementation of an enterprise-wide control structure that
provides management with reasonable assurance that security controls are implemented as designed and
operating effectively. Governance consists of (a) enterprise-wide security program policies and
procedures that define key roles and responsibilities and (b) monitoring to assess whether security
controls are achieving intended results. FISMA defines specific responsibilities and authorities for
agency heads,12 senior agency officials, and CIOs. Among those responsibilities are requirements for the
CIO to develop and maintain an information security program and to report annually to the agency head
on the effectiveness of the program and progress of remedial actions.
The FDIC has appointed a permanent CIO with corporate accountability and authority for information
security, a senior agency information security officer who reports directly to the CIO, and a CIO Council
composed of senior agency managers who advise the CIO on all aspects of IT. The FDIC has established
a number of policies, procedures, and guidelines that generally define the security roles and
responsibilities of corporate officials and contractor personnel. In addition, DIT published an Information
Security Strategic Plan, and the CIO made periodic presentations to senior agency officials on corporate
information security matters. Further, DIT is embracing the principles of COBIT® in its internal control
program.
DIT has established a performance measurement program with a current policy, reporting requirements,
and a balanced scorecard.13 Overall, the performance measurement program is maturing, as evidenced by
the addition of new performance metrics and retirement of less useful metrics. Currently, there are new
metrics under development to better align DIT activities with the Corporation’s strategic initiatives. In
2008, DIT plans to include significant updates to its performance metrics. DIT could enhance the utility of the quarterly performance measures and the DIT balanced scorecard by automating the data collection
and posting of performance results such that DIT managers could take corrective action more quickly
when warranted. Currently, there is an 8- to-10-week time lag between the quarter end and the internal
posting of performance results.
Enterprise Architecture (EA)
Rating: Warrants Management Attention
In business and technological terms, an EA defines an organization’s current and target operating
environments, including its information security architecture. Effectively representing security
information in an EA ensures that security is adequately incorporated into agency system life cycle
processes, as required by FISMA. In addition, FISMA requires agencies to develop and maintain an
inventory of major information systems, which is a fundamental component of an agency EA.
The FDIC has taken a number of important steps toward full implementation of a corporate-wide EA. Of particular note, the FDIC has established an EA policy and EA governance structure, adopted a SDLC methodology,14 and developed an EA Repository to store, classify, and organize its EA data (including security data). The FDIC’s EA Repository is the inventory of FDIC applications and tools.
In July 2007, the FDIC released an improved
EA Repository that incorporates
enhancements to permit the tracking of
various security-related data elements and
facilitates the tracking of major and minor
applications. However, the FDIC has not
assigned responsibility, in writing, for DIT
managers or business owners to periodically |
|
(quarterly or semi-annually) review the contents of the EA
Repository to ensure that it is accurate and reflects events such as system retirements, application
upgrades or consolidations, and changes in application points of contact. According to DIT’s ISPS, 19 of
the 319 application systems in the EA Repository were no longer in use at the FDIC as of July 31, 2007.
The lack of data integrity in the EA Repository introduces proved inefficiencies by requiring the use of
alternate sources to obtain accurate information, as noted in Figure 3 above. Developing guidance,
establishing review procedures, and assigning responsibility will help improve data integrity, promote
greater use of the EA Repository in DIT, and reduce reconciliation efforts to prepare a FISMA inventory
summary for OMB reporting purposes.
The FDIC retired Circular 1320.3, Systems Development Life Cycle (SDLC), and replaced it with DIT
Policy 07-005, Systems Development Life Cycle. At the time of our evaluation, DIT was working to
update Circular 1303.1, FDIC Enterprise Architecture Program, dated November 7, 2003, to reflect the current roles and responsibilities and coordination among organizational entities involved with the
FDIC’s Enterprise Architecture program. The OIG’s 2006 security evaluation report required by FISMA
noted that Circular 1303.1 was out of date.
MANAGEMENT CONTROLS
Management controls are the safeguards or countermeasures related to an information system that focus
on the management of risk and system security. NIST SP 800-53 Rev. 1 divides management controls
into four control families: Risk Assessment; Planning; System and Services Acquisition; and
Certification, Accreditation, and Security Assessments. In summary, security controls tested related to
Planning were effective. However, controls tested related to Risk Assessment and Certification,
Accreditation, and Security Assessments warranted management attention. We did not evaluate controls
related to System and Services Acquisition.
Risk Assessment (RA)
Rating: Warrants Management Attention
Risk is the probability of an adverse event
occurring. Risk assessment involves the
implementation of policies and procedures for
categorizing information and systems, performing
and updating risk assessments, and performing
regular system vulnerability scanning. Risk
assessments occur in the system life cycle during
the information system’s initial development, after
significant upgrades, and after the completion of a
Security Test & Evaluation (ST&E).15
Additionally, conducting a risk assessment provides the agency with insight as to whether the security
controls in place adequately mitigate threats to the confidentiality, integrity, and availability of the
information processed by the system. Further, a current and complete risk assessment satisfies a control
requirement of the certification and accreditation (C&A) process as outlined in NIST SP 800-53 Rev.1
and SP 800-37. Under FISMA, agencies are responsible for (a) providing security protections
commensurate with the risk and magnitude of harm resulting from the unauthorized access, use,
disclosure, disruption, modification, or destruction of information and information systems; and (b)
establishing policies and procedures that ensure information security is addressed throughout the life
cycle of each agency information system.
Table 3: Risk Assessment
| RA-1 |
Risk Assessment Policies and Procedures |
 |
| RA-2 |
Security Categorization |
|
| RA-3 |
Risk Assessment |
|
| RA-4 |
Risk Assessment Update |
|
| RA-5 |
Vulnerability Scanning |
|
Source: NIST SP 800-53 Rev. 1.
Legend: Selected security controls for KPMG testing
KPMG identified deficiencies in the FDIC’s monthly vulnerability scanning process that prevented some
Internet-facing servers and other network equipment from being scanned on a monthly basis. Monthly
vulnerability scanning is a key control to identify missing security patches and configuration errors on
servers and other network equipment. The OIG recommended in its draft audit report, FDIC’s IT
Disaster Recovery Capability, further enhancements to the FDIC’s vulnerability scanning process to
ensure all IT devices connected to the network are scanned on a monthly basis. The FDIC initiated
corrective actions before that audit’s closure.
The FDIC has policies and procedures in place for performing risk assessments for information systems
that are generally consistent with NIST guidelines. In addition, DIT leverages an automated risk
assessment tool that incorporates the NIST SP 800-53 Rev. 1 control families to identify potential
vulnerabilities and countermeasures. However, KPMG observed that the risk assessments for two selected GSSs, the Windows Servers GSS and Personal Systems GSS, were not updated in the previous
three years, or when a significant change occurred to the system, as prescribed by FDIC policy and
recommended in NIST guidelines.16 In the three years following the most recent risk assessments for
these systems, significant changes occurred in the FDIC’s Windows server environment. Specifically,
DIT upgraded approximately one-half of the FDIC’s Windows servers (285 out of 596 servers) from
Windows 2000 and Windows NT 4.0 operating systems to Windows 2003 operating system. In addition,
DIT aggregated the boundaries of the Windows Servers GSS to include 87 FDIC-defined minor
applications and contractor systems. DIT’s ISPS acknowledged that the risk assessments for these
systems had not been updated but explained that full ST&Es for both GSSs had been conducted in the
previous two years as well as annual security self-assessments. ISPS concluded that the ST&Es and self-assessments
satisfied the intent of NIST’s risk assessment guidance.
However, risk assessments identify the controls necessary for adequate security, while ST&Es test the
effectiveness of security controls. Accordingly, KPMG believes that DIT should update risk assessments
as part of a continuous process that incorporates the outcomes of the ST&Es as recommended by NIST
risk management guidance.17 For example, control deficiencies identified from ST&Es should be
subsequently incorporated into risk assessments to retain lessons learned from past control assessments.
Where security exposures exist, the risk assessment should suggest additional or compensating controls to
mitigate risk. Updates to the risk assessment and identification of additional or compensating controls are
subsequently incorporated into System Security Plans (SSPs) and then tested as part of the ST&E.
Planning (PL)
Rating: Demonstrated Effectiveness
Planning involves the implementation of policies, procedures, and practices for developing SSPs. Security plans provide an overview of system security requirements and describe the security controls in place or planned for meeting those requirements. Planning also involves establishing rules that describe user responsibilities and expected behavior related to system usage, as well as conducting system Privacy Impact Assessments (PIA).18
Table 4: Planning
| PL-1 |
Security Planning Policy and Procedures |
|
| PL-2 |
System Security Plan |
|
| PL-3 |
System Security Plan Update |
|
| PL-4 |
Rules of Behavior |
. |
| PL-5 |
Privacy Impact Assessment |
|
| PL-6 |
Security-Related Activity Planning |
. |
Source: NIST SP 800-53 Rev. 1.
Legend: Selected security control for KPMG testing
The FDIC’s security planning policies and procedures
were generally consistent with NIST security standards and guidelines. Following the OIG’s 2006
FISMA evaluation, the FDIC strengthened its security planning controls by establishing policy and
procedures requiring application owners to maintain security plans in StarTeam19 and to update the SSPs,
as part of the SDLC process. However, guidance for preparing SSPs should be enhanced to require that security plans describe how common security controls20 are considered in the security C&A process, as
noted in the 2006 FISMA evaluation. ST&Es of common security controls are performed separately from
ST&Es of application and GSS security controls. Enhancing guidance for preparing SSPs would provide
greater assurance that all relevant risks identified from the common controls ST&Es are considered when
accrediting an application or system.
Following the OIG’s 2006 FISMA evaluation, the FDIC strengthened controls in the Planning family by
enhancing its Security Plan template to incorporate the NIST SP 800-53 Rev. 1 control families. The
FDIC also aligned its minor applications with its GSSs and major applications. The FDIC performed this
realignment to increase efficiency, identify shared common controls, and incorporate refinements from
NIST SP 800-53 Rev. 1. Further, in the OIG’s Audit Report No. AUD-07-013, Response to Privacy
Program Information Request in OMB’s Fiscal Year 2007 Reporting Instructions for FISMA and Agency
Privacy Management, the OIG concluded that the FDIC’s PIA process was satisfactory and consistent
with relevant privacy-related policy, guidance, and standards.
System and Services Acquisition (SA)
Rating: Not Evaluated
System and services acquisition involves allocating resources to protect information systems,
implementing an SDLC methodology that addresses security, and including security requirements and/or
specifications in systems acquisitions. System and services acquisition also includes controls for system
documentation, software usage restrictions, security engineering principles, configuration management,
and developing security testing during development projects. KPMG did not perform sufficient testing to
assess system and services acquisition. The OIG may evaluate system and services acquisition security
controls in future FISMA evaluations.
Certification, Accreditation, and Security Assessments (CA)
Rating: Warrants Management Attention
The certification and accreditation of federal information systems is critical to securing the government’s operations and assets. Certification involves the evaluation of an information system’s management, operational, and technical security controls. Accreditation involves a senior agency official’s authorization of an information system to operate. OMB requires agencies to certify and accredit their information systems in accordance with federal security policies, standards, and guidelines. At the close of KPMG’s current year evaluation, the FDIC reported that it had fully certified and accredited its major applications and GSSs.
Table 5: Certification, Accreditation, and
Security Assessments
| CA-1 |
Certification, Accreditation, and Security Assessment Policies and Procedures |
|
| CA-2 |
Security Assessments |
. |
| CA-3 |
Information System Connections |
. |
| CA-4 |
Security Certification |
|
| CA-5 |
Plan of Action and Milestones |
|
| CA-6 |
Security Accreditation |
|
| CA-7 |
Continuous Monitoring |
|
Source: NIST SP 800-53 Rev. 1.
Legend: Selected security controls for KPMG testing
The FDIC’s certification, accreditation, and security assessment policies and procedures were generally
consistent with NIST security standards and guidance. However, the FDIC needed to enhance its ongoing
security control assessments of its information systems to provide greater assurance that controls are
operating effectively. Such enhancements could include, for example, expanding the testing of minor
applications, contractor systems, and IT computer services (e.g., Structured Query Language (SQL)
database server, Exchange e-mail server). Such enhancements would allow the FDIC to identify and
correct the types of operational and technical control deficiencies discussed in this report. Such
deficiencies include weak password controls over application and database accounts with access to
sensitive information, including PII; sensitive network applications with excessive access privileges;
insufficient application audit logging and monitoring; and inadequately secured audit logs.
In the prior three OIG FISMA reports to OMB and the Congress, the OIG had suggested that DIT modify
its Plans of Action and Milestones (POA&M) procedures to ensure that all relevant information security
deficiencies are incorporated into or accompany system-level POA&Ms. Previously, the FDIC used
various systems to track and report system-level security deficiencies based on how the deficiency was
identified. For example, system-level security deficiencies identified during the ST&E process were
tracked and reported through system-level POA&Ms, while system-level security deficiencies identified
during GAO, OIG, and others’ reviews were tracked in the Internal Risks Information System (IRIS).21
In June 2007, the ISPS modified its POA&M practices by developing a POA&M template and process to
capture control deficiencies identified by other security reviews beyond the ST&E. ISPS has informed
the FDIC’s ISMs that POA&Ms should include findings from risk assessments, technical security
assessments, ST&Es, FISMA self-assessments, and FDIC OIG or GAO audit findings. KPMG applauds
DIT’s decision to centralize and consolidate the tracking of information security deficiencies, as this
approach is consistent with NIST and OMB guidance.
While DIT’s revised approach for tracking information security vulnerabilities is positive, continued
management attention is necessary to ensure the POA&Ms include all known information security
deficiencies. During fieldwork, KPMG observed two instances where information security deficiencies
were not subsequently incorporated into system-level POA&Ms. In one instance, DIT’s information
security contractor identified security deficiencies associated with System and Information Integrity
security control, SI-2 Flaw Remediation, that was not incorporated into the Windows Servers POA&M.
In another instance, previously reported security deficiencies associated with session time out for inactive
remote network connections were not captured in the Windows Servers or Data Communications
Infrastructure POA&M. Continued management attention on incorporating all known information
security deficiencies into POA&Ms will enable management to better prioritize remediation efforts and
track issues through closure.
OPERATIONAL CONTROLS
Operational controls are the safeguards and countermeasures for an information system that are primarily
implemented and executed by individuals (as opposed to information systems). Operational controls
include nine control families: Physical and Environmental Protection; Personnel Security; Contingency
Planning; Configuration Management; Maintenance; System and Information Integrity; Media
Protection; Incident Response; and Awareness and Training. In summary, the controls tested in the areas
of Contingency Planning, Maintenance, Incident Response, Configuration Management and Awareness
and Training were effective. However, the controls tested related to Physical and Environmental
Protection, Personnel Security, System and Information Integrity, and Media Protection warranted
management attention.
Physical and Environmental Protection (PE)
Rating: Warrants Management Attention
Physical and environmental protection relates to those security measures aimed at safeguarding information systems, facilities, and related supporting infrastructures from threats. Such security measures include, but are not limited to, physical access controls, emergency power and lighting, fire protection, and temperature and humidity controls. Such measures also include procedures for the delivery and removal of systems hardware, firmware, and software to and from facilities.
Table 6: Physical and Environmental Protection
| PE-1 |
Physical Security and Environmental Policy and Procedures |
|
| PE-2 |
Physical Access Authorizations |
|
| PE-3 |
Physical Access Control |
|
| PE-4 |
Access Control for Transmission Medium |
. |
| PE-5 |
Access Control for Display Medium |
. |
| PE-6 |
Monitoring Physical Access |
|
| PE-7 |
Visitor Control |
|
| PE-8 |
Access Records |
|
| PE-9 |
Power Equipment and Cabling |
. |
| PE-10 |
Emergency Shutoff |
. |
| PE-11 |
Emergency Power |
. |
| PE-12 |
Emergency Lighting |
. |
| PE-13 |
Fire Protection |
. |
| PE-14 |
Temperature and Humidity Controls |
. |
| PE-15 |
Water Damage Protection |
. |
| PE-16 |
Delivery and Removal |
. |
| PE-17 |
Alternate Work Site |
. |
| PE-18 |
Location of Information System Components |
. |
| PE-19 |
Information Leakage |
. |
Source: NIST SP 800-53 Rev. 1.
Legend: Selected security controls for OIG testing
The FDIC has established corporate-wide physical
security program policies22 and procedures. In addition, DIT has conducted security tests and evaluations of Physical and Environmental Protection controls and developed POA&Ms to address the control deficiencies it identified. Further, DOA maintained physical access logs for the Virginia Square Data Center. Additionally, DOA enhanced controls over visitors to the FDIC’s headquarters facilities by adopting procedures in February 2007 that ensure the verification of visitors’ backgrounds and intended purposes before allowing
their entry. Such actions were positive; however, during the evaluation, the OIG identified several physical security control deficiencies warranting management attention.
On July 3, 2007, the OIG conducted an after-hours walkthrough of the FDIC’s Virginia Square facility in Arlington, Virginia, and identified one exterior door to the building and several interior doors to the mainframe and server computer rooms that were
unsecured. The doors had been automatically unlocked during our walkthrough by the building’s
emergency system in response to a water leak in the fire suppression system. However, for several hours,
building security personnel were unaware that these doors remained unsecured. Such a vulnerability
presented a risk that unauthorized individuals could enter the Virginia Square facility or access sensitive
computing areas. An OIG representative notified building security personnel of the vulnerable doors, and
guards were subsequently placed at the doors until they were locked. OIG representatives discussed this
physical access control vulnerability with DOA officials. DOA subsequently improved procedures for
restoring physical access security at the Virginia Square facility following an emergency.
The OIG also identified four unsecured mechanical rooms housing the Virginia Square facility’s heating,
ventilation, and air conditioning systems, water supply, and electrical equipment. After bringing this
matter to DOA’s attention, DOA officials determined that the mechanical room doors were not closing
properly for various reasons, such as internal airflow pressure on the doors and improper sealing around
the doorframes. Prior to the close of our fieldwork, DOA adjusted all four mechanical room doors to
ensure they properly close and lock. In addition, during a June 20, 2007 after-hours walkthrough, the
OIG identified an unsecured engineering room in the FDIC’s main headquarters building housing critical
electrical equipment. After alerting the building’s security personnel to this vulnerability, the engineering
room was locked.
The Physical and Environmental Protection control family also includes controls for authorizing physical
access to facilities. The OIG was unable to determine whether selected employees recently hired by the
FDIC with access to the FDIC’s facilities had an appropriate access authorization because access
authorization documentation was not readily available. Using a non-statistical sample23 of 20 employees
hired by the FDIC from July 1, 2006 through April 30, 2007, the OIG attempted to verify whether FDIC
Form 1620/01, Employee/Contractor Identification Card Request (or equivalent documentation), had
been completed and approved.24 DOA officials were unable to locate a completed FDIC Form 1620/01
for seven of the 20 selected employees. The OIG cited a lack of completed FDIC Forms 1620/01 as a
deficiency in its 2006 FISMA evaluation report. In response to the OIG’s findings, DOA decided to
document the authorization and approval of FDIC-issued identification badges for employees already on-board
in conjunction with the issuance of new personal identity verification cards that implement
Homeland Security Presidential Directive/Hspd-12, Policy for a Common Identification Standard for
Federal Employees and Contractors (HSPD-12).25 FDIC Forms 1620/01 would continue to be completed
whenever new identification cards are issued. However, based on the OIG’s current year work, DOA
needs to implement additional measures to ensure that FDIC Forms 1620/01 are maintained when new
identification cards are issued.
Personnel Security (PS)
Rating: Warrants Management Attention
Personnel security involves the implementation of policies, procedures, and practices for assigning risk designations to positions, screening individuals for those positions, and ensuring that systems access is terminated when personnel leave an agency or are transferred. Personnel security also involves ensuring that appropriate access agreements, such as nondisclosure and conflict of interest agreements, are in place for employees and contractors and implementing a formal sanctions process for personnel who fail to comply with security policies and procedures.
Table 7: Personnel Security
| PS-1 |
Personnel Security Policy and Procedures |
|
| PS-2 |
Position Categorization |
|
| PS-3 |
Personnel Screening |
|
| PS-4 |
Personnel Termination |
|
| PS-5 |
Personnel Transfer |
|
| PS-6 |
Access Agreements |
|
| PS-7 |
Third-Party Personnel Security |
|
| PS-8 |
Personnel Sanctions |
|
Source: NIST SP 800-53 Rev. 1.
Legend: Selected security controls for OIG testing
The FDIC has established personnel-related (employees and contractors) policies, procedures, and
guidelines26 that are generally consistent with NIST guidelines. In addition, the OIG noted that
employees and contractors were preparing written confidentiality agreements as prescribed by Circular
2410.1 and the FDIC’s Acquisition Policy Manual.27 Further, DIT was in the process of validating its
employee position descriptions against actual duties and responsibilities in response to the division’s
recent re-organization. DIT plans to re-evaluate the appropriateness of its employee risk level
designations after it completes ongoing efforts to validate its employee position descriptions. These
actions were positive; however, as discussed below, the OIG identified Personnel Security-related control
deficiencies warranting management’s attention.
The OIG reviewed background investigation documentation for employees and contractors to determine
whether individuals with physical access to the Virginia Square mainframe or server computer rooms had
a background investigation commensurate with the risk associated with their access. FDIC and contractor
employees working in FDIC offices undergo a fingerprint and credit check before they are allowed access
to FDIC facilities. After an individual begins work, the FDIC and the individual send additional personal
information to OPM for a background investigation. Of the 185 individuals who, as of July 13, 2007, had
physical access to the mainframe or server computer rooms, 33 did not have OPM background
investigations commensurate with the risk associated with their access because the scope of their OPM
investigation was below the Moderate risk level. All 33 individuals were DOA contractor employees
assigned to contracts that had a risk level designation of Low. Further, the OIG noted that the FDIC had
not initiated a background investigation with OPM for six of the 33 referenced individuals and that one of
the six individuals had worked for the FDIC for over two years. The FDIC should evaluate the risk level
designations of contractor employees with physical access to restricted areas, such as the computer rooms,
and allow access only after confirming that OPM has sufficient information to conduct the appropriate
background investigation. The OIG briefed DOA management on this condition during the evaluation
and identified the individual contractor employees for DOA’s review. DOA started the OPM background investigation process for the six contractor employees without an OPM background investigation and is
reviewing the duties and risk level designations for the 33 contractor employees.
Using information in the Corporate Human
Resources Information System (CHRIS),28
the OIG selected a separate non-statistical sample of 197 of the FDIC’s 4,658 employees on board as of July 19, 2007 to determine whether background investigations were commensurate with risk level designations. As shown in Table 8, the OIG found that 32 employees in positions with a Moderate risk level designation had a background investigation consistent with a Low risk level position. According to a DOA representative, for employees with a High and National Security risk level designation in CHRIS, DOA performed monthly, manual reviews of completed background investigations to identify discrepancies. However, a similar review is not performed for employees with a Moderate risk level designation because of the large number of employees in this category. DOA should develop procedures to better ensure that employee background investigations are commensurate with risk level designations. We discussed this issue with DOA during the evaluation, and DOA began a review of the 32 employees’ risk level designations and
background investigations.
| CHRIS Risk
Level
Designation |
Number of
Employees |
Number of
Employees
Sampled |
Insufficient
Background
Investigation |
| National
Security* |
63 |
3 |
. |
| High |
348 |
29 |
. |
| Moderate |
2,856 |
161 |
32 |
| Low |
1,391 |
4 |
. |
| Totals |
4,658 |
197 |
32 |
Source: OIG analysis of CHRIS and DOA records.
* National Security clearance levels are Secret and Top Secret.
DOA recognizes that improvements are needed in its processes for establishing risk level designations
and conducting background investigations. In a September 29, 2006 internal report, DOA’s Management
Support Section concluded that audit trails for approving, authorizing, verifying, reconciling, and
maintaining risk level designation determinations within DOA were not clearly evident as changes are
made. The report also noted that supporting documentation was often not retained or did not exist to
support risk level determinations or changes in risk level assignments within DOA. DOA was working to
address the deficiencies identified in the internal review report during this evaluation.
Contingency Planning (CP)
Rating: Demonstrated Effectiveness
Effective contingency planning and testing is essential to mitigate the risk of system and service unavailability. Contingency planning involves developing and implementing system contingency plans that address roles, responsibilities, and activities associated with restoring a system after a disruption or failure. Such planning also involves training personnel, testing systems, performing system backups, and establishing alternative processing sites.
The FDIC has taken a number of positive steps in the area of contingency planning. Of particular note, the FDIC has established a DIT contingency planning program policy.29 Further, the FDIC has documented system recovery plans in the DIT Business Continuity Plan that were current and consistent with NIST guidance. In addition, the FDIC conducted a disaster recovery test of its mission-critical applications and GSSs in April 2007. The disaster recovery test was successful in achieving its primary objective of recovering the FDIC’s mission-critical applications and GSSs within pre-determined timeframes. The FDIC prepared a formal report detailing the results of its disaster recovery testing and developed plans to address the issues it identified during the testing.
Table 9: Contingency Planning
| CP-1 |
Contingency Planning Policy and Procedures |
|
| CP-2 |
Contingency Plan |
|
| CP-3 |
Contingency Training |
|
| CP-4 |
Contingency Plan Testing and Exercises |
|
| CP-5 |
Contingency Plan Update |
|
| CP-6 |
Alternative Storage Sites |
|
| CP-7 |
Alternative Processing Sites |
|
| CP-8 |
Telecommunication Services |
|
| CP-9 |
Information System Backup |
|
| CP-10 |
Information System Recovery and Reconstitution |
|
Source: NIST SP 800-53 Rev. 1.
Legend: Selected security controls for KPMG testing
The above actions are positive; however, a recent audit of the FDIC’s IT disaster recovery capability30
identified several opportunities for the FDIC to improve its Contingency Planning controls. Specifically,
the audit noted that DIT needed to update the FDIC’s contingency planning program policy to reflect the
Corporation’s current IT disaster recovery environment and recent NIST guidance, and document (and
test as appropriate) its plans for recovering certain security services designed to protect the FDIC’s
network during a disaster. In addition, the audit noted that the FDIC was working to update its Business
Impact Analysis (BIA). Based on the collective control strengths and deficiencies related to contingency
planning, KPMG determined that the Contingency Planning control family demonstrated effectiveness.
Configuration Management (CM)
Rating: Demonstrated Effectiveness
Key to ensuring the confidentiality, integrity, and availability of any information system is implementing structured processes for managing the inevitable changes that will occur during the system’s life cycle. Such processes, collectively referred to as configuration management, include evaluating, authorizing, testing, tracking, reporting, and verifying both hardware and software changes. Inadequate configuration management controls increase the risk that unauthorized programs or untested changes could inadvertently or deliberately be implemented and negatively affect system performance or security.
Table 10: Configuration Management
| CM-1 |
Configuration Management Policies and Procedures |
|
| CM-2 |
Baseline Configuration |
|
| CM-3 |
Configuration Change Control |
|
| CM-4 |
Monitoring Configuration Changes |
|
| CM-5 |
Access Restrictions for Change |
|
| CM-6 |
Configuration Settings |
|
| CM-7 |
Least Functionality |
|
| CM-8 |
Information System Component Inventory |
|
Source: NIST SP 800-53 Rev. 1.
Legend: Selected security controls for KPMG testing
Importantly, the FDIC established a corporate-wide software configuration management policy covering
all of its application and system software.31 The policy requires that the FDIC’s software configuration
management practices be consistent with the principles of the Capability Maturity Model Integration
(CMMI)32 and relevant federal standards and guidelines. In addition, DIT established the FDIC
Infrastructure Change Control Board to, among other things, review and approve changes to the FDIC’s
IT infrastructure and technical architecture, including the Windows Servers and Personal Systems GSS.
DIT also developed software configuration management plans for its Windows Servers and Personal
Systems GSS.
On March 22, 2007, OMB issued Memorandum M-07-11 entitled, Implementation of Commonly
Accepted Security Configurations for Windows Operating Systems.33 The OMB memorandum requires
agencies using the Windows XP operating system to adopt the security configurations developed by
NIST, the Department of Defense, and the Department of Homeland Security no later than
February 1, 2008. The OMB memorandum states that adopting such configurations are important to
improving information security and reducing overall IT operating costs. As part of its FISMA eval |
