Security Patch Management Review

August 21, 2003
Report No. 03-035

Summary

International Business Machines (IBM), an independent professional services firm, was engaged by the Office of Inspector General (OIG) to perform a vulnerability assessment of the Federal Deposit Insurance Corporation's (FDIC) network operations. The work accomplished through this contract helped the OIG satisfy its Federal Information Security Management Act-related reporting requirements.

The objective of the review was to evaluate the policies and procedures for implementing security patches in the FDIC's networked environment. The scope of the review focused specifically on the security patching process for Cisco routers and Windows servers.

IBM concluded that the FDIC's Division of Information and Resources Management (DIRM) is improving its security patch management program; however, additional work is needed to strengthen the process.

Recommendations

IBM made multiple recommendations to the Acting Director, DIRM, to improve the security patch management process.

Management Response

DIRM's response adequately addressed the conditions discussed in the report.

This report addresses issues associated with information security. Accordingly, we have not made, nor do we intend to make, public release of the specific contents of the report.

Last Updated 11/5/2003