Trusted Information Systems Review

April 14, 2003
Report No. 03-028

Summary

International Business Machines (IBM), an independent professional services firm, was engaged by the Office of Inspector General (OIG) to perform a vulnerability assessment of the Federal Deposit Insurance Corporation's (FDIC) network operations. The work accomplished through this contract helped the OIG satisfy its Federal Information Security Management Act-related reporting requirements.

The objectives of the review were to (1) evaluate the controls, policies, and procedures for the FDIC's Public Key Infrastructure (PKI); (2) analyze and test the FDIC's connectivity with third-party organizations such as contractors; and (3) evaluate the FDIC's controls over sensitive data. The scope of the review was specifically designed to focus on the progress achieved by the FDIC in developing and implementing effective information security policies for its trusted relationships, that is, network connections that the FDIC has with banks, contractors, and other government agencies.

During the review, IBM noted that the FDIC had implemented a number of good security practices but that improvements were needed in PKI operations, contractor-connected systems, and protection of data provided to third parties.

Recommendations

IBM made recommendations to the FDIC's Division of Information and Resources Management (DIRM) and Division of Administration (DOA) to improve network integrity, performance, and controls.

Management Response

DIRM's and DOA's responses to the report satisfactorily address the noted areas.

This report addresses issues associated with information security. Accordingly, we have not made, nor do we intend to make, public release of the specific contents of the report.

Last Updated 1/9/2004