Follow-up Audit of Information Security Management of FDIC Contractors


September 26, 2003
Audit Report No. 03-043

Summary

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General has completed a follow-up audit of information security management of contractors with access to the Corporation's sensitive information resources. The objective of this audit was to determine whether the FDIC had made adequate progress in addressing the recommendations in Audit Report No. 02-035, Information Security Management of FDIC Contractors, dated September 30, 2002. Our audit focused on information security in acquisition planning, contract security provisions, and contractor oversight. To accomplish our objectives, we reviewed new policies and procedures issued by the FDIC to address recommendations in Audit Report No. 02-035 and the FDIC's actions to implement the new policies and procedures. Furthermore, we performed limited testing at five FDIC off-site contractors to evaluate their security practices.

The FDIC has developed and finalized policies and procedures to address the prior report recommendations regarding security in acquisition planning, contract requirements, and contractor oversight. In addition, the FDIC intends to ensure that new contracts contain adequate security provisions and plans to evaluate the cost benefit of modifying existing contracts to include adequate security provisions.

Recommendations

We did not make recommendations related to acquisition planning or contract security requirements because it was premature to evaluate the effectiveness of the policies and procedures that the FDIC recently issued. However, we did recommend that the Acting Director, Division of Information and Resources Management (DIRM), update contractor security oversight procedures.

Management Response

The Acting Director, DIRM, adequately addressed the report recommendations, which are considered resolved.

This report addresses issues associated with information security. Accordingly, we have not made, nor do we intend to make, public release of the specific contents of the report.

Last Updated 1/9/2004