FDIC's Virtual Supervisory Information on the Net (ViSION) Application
(Report No. 04-027, July 30, 2004)
The Federal Deposit Insurance Corporation's (FDIC) Virtual Supervisory Information on the Net (ViSION) application was designed to accept and provide information from and for the FDIC and other federal and state regulators in support of day-to-day operations. ViSION contains information on all insured depository institutions. Users rely on ViSION as a central repository for compiling, reviewing, analyzing, and managing financial, examination, and other data on financial institutions. The ViSION user community includes FDIC executives, regional managers, case managers, review examiners, field examiners, Division of Insurance and Research analysts, and federal (Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Office of Thrift Supervision) and state regulatory agencies.
The FDIC's Office of Inspector General has concluded an audit of the ViSION application. The audit objective was to determine whether the application controls over ViSION operational components were adequate. Specifically, using the guidance in the National Institute of Standards and Technology (NIST) Draft Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, dated October 2003, we evaluated key management, operational, and technical controls to determine whether they were sufficient to protect the confidentiality, integrity, and availability of the information maintained in ViSION.
We concluded that, in general, the technical controls incorporated into ViSION provided adequate assurance that (1) it allowed only authorized user access, (2) approved access to specific information in ViSION was based on need, and (3) the data had to pass predetermined edit checks before it was accepted by the system. However, ViSION application management and operational controls needed improvement.
We recommended that the Corporation develop, update, and implement key management and operational controls to protect the confidentiality, integrity, and availability of the information contained in the ViSION application.
The Corporation's response adequately addressed our recommendations. The recommendations are considered resolved but will remain undispositioned and open until we have determined that agreed-to corrective actions are implemented and effective.
This report addresses issues associated with information security. Accordingly, we have not made, nor do we intend to make, public release of the specific contents of the report.