The FDIC's Implementation of Its Information Security Strategic Plan

July 18, 2003
Audit Report No. 03-031

Summary

The Federal Deposit Insurance Corporation's (FDIC) Office of Inspector General (OIG) has completed an audit of the FDIC's information security strategic plan. The objective of our review was to evaluate the adequacy of the FDIC's implementation activities for protecting its critical cyber-based infrastructure. To accomplish our objectives, we reviewed the: adequacy of the FDIC's Information Security Strategic Plan and Tactical Plan, documentation supporting implementation of the Tactical Plan, relevant guidance for the preparation and implementation of an information security program, and prior plans and studies prepared by the FDIC relating to its information security program. Additionally, we interviewed selected FDIC officials responsible for developing and implementing the Tactical Plan. The audit was performed as part of a review by the President's Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency. The review also supports the OIG's Federal Information Security Management Act-related reporting requirements.

The FDIC's Information Security Strategic Plan needed improvement. Specifically, the FDIC had not fully implemented the plan or adequately addressed its human capital needs. As a result of various FDIC security program initiatives and our ability to further evaluate the FDIC's progress as part of our ongoing Federal Information Security Management Act audit, we did not make recommendations related to the FDIC's implementation of the Tactical Plan.

Recommendation

We did recommend that the Acting Director, Division of Information and Resources Management (DIRM), develop a human capital plan to identify and address any shortfalls in staff resources or skill mix for the information technology security program. The plan should address the need for recruitment, training, and education of the security plan and be included in the Tactical Plan.

Management Response

The Acting Director, DIRM, adequately addressed the recommendation, which is considered resolved.

This report addresses issues associated with information security. Accordingly, we have not made, nor do we intend to make, public release of the specific contents of the report.

Last Updated 1/9/2004