Audit of Information Systems Security - Dallas

(Audit Report No. 98-087, October 22, 1998)

Summary

This report presents the results of our audit of information systems security in the Federal Deposit Insurance Corporation's (FDIC) office in Dallas, Texas. The objectives of the audit were to determine whether FDIC Dallas' security controls protected computer systems and local area network (LAN) equipment and whether contingency plans ensured restoration of general support and major application systems in the event of a disaster. During the period June 1997 through February 1998, we reviewed Dallas access control practices for each FDIC division; the LAN operating system and equipment; and three information systems: Liability Dividend System (LDS), Accounts Payable and Purchase Order system (APPO), and Personnel Action Request System (PARS).

Our audit revealed a number of security lapses that, when taken together, raise concerns relating to security over vital information and costly equipment relied upon by FDIC staff to accomplish the Corporation's mission. The APPO system was well protected, but controls over the LAN, LDS system, PARS system, and LAN equipment needed improvement. We found problems with password procedures, granted levels of access, security reviews, security officer duties, access revocation, independent reviews for programming changes and dividend processing, edit report details, door locks, and fire protection. Also, Dallas DIRM's contingency plan did not ensure that important systems could be restored in the event of a disaster. We noted significant changes affecting information security during our audit. Specifically, FDIC's Southeast Service Center in Atlanta, Georgia, transferred its workload to the Dallas office, a new LAN operating system was installed, and all Dallas divisions relocated office space. FDIC Dallas was addressing these changes and working to enhance controls during the course of our audit.

Recommendations

Based on our audit work, we made 17 individual recommendations to FDIC Dallas officials addressing various elements of systems security.

Management Response

From October 13, 1998 through October 20, 1998, Corporation officials in the Division of Information Resources Management, Division of Administration, and Division of Finance provided written responses to a draft of this report. The Corporation agreed with all the draft report's recommendations and stated that corrective actions had been or would be taken. Further, the Corporation's responses and subsequent information furnished provided the elements necessary for management decisions on the recommendations.

Last Updated 03/27/01