FDIC's IT Disaster Recovery Capability

October 2007
Report No. AUD-08-001

AUDIT REPORT

FDIC OIG, Office of Audits

Background and Purpose of Audit


The Office of Management and Budget has issued policy requiring federal agencies to establish and periodically test their ability to recover from information technology (IT) service interruptions. In addition, the National Institute of Standards and Technology (NIST) has developed security standards and guidelines to assist agencies in restoring their information systems following a disruption or failure. Further, organizations can consider adopting a number of industry-accepted practices related to IT disaster recovery.

Key to achieving the FDIC's business goals and objectives is having a reliable recovery capability for the Corporation's critical IT systems and applications.

The objective of the audit was to determine whether the FDIC has established and implemented an IT disaster recovery capability consistent with federal standards and guidelines and industry-accepted practices.



Results of Audit


The FDIC has established and implemented an IT disaster recovery capability that is consistent with federal standards and guidelines and industry-accepted practices. Among other things, the FDIC has established an alternate processing site and developed written plans to recover its general support systems and mission-critical applications following a disaster. In April 2007, the FDIC's Division of Information Technology (DIT) conducted a test of its IT disaster recovery capability and successfully recovered its general support systems and mission-critical applications. DIT issued a report on the results of its IT disaster recovery testing, including the issues it identified during the testing and associated solutions, to improve future recovery responsiveness and reliability.

These accomplishments are positive. However, our audit identified the following areas needing enhancements to further assure that information security controls are in place in the event of a disaster.

  • The FDIC's corporate contingency planning policy does not reflect the FDIC's current IT disaster recovery practices or recent NIST guidance.
  • Security patches were not installed on certain servers at the FDIC's alternate processing site.
  • DIT had not documented or tested its strategy for recovering the key security services designed to protect the FDIC's alternate processing capability during a disaster.

Our report also identifies opportunities for DIT to enhance its IT disaster recovery performance metrics. We discussed these opportunities with DIT officials during our audit.

Recommendations and Management Response

We recommended that FDIC management (1) update the FDIC's corporate contingency planning policy; (2) take steps to ensure that security patches are installed on disaster recovery servers in a timely manner; and (3) document and test, as appropriate, DIT's strategy for recovering key security services. In general, management concurred with our recommendations and is taking responsive corrective action.

Because the report addresses issues associated with information security, we do not intend to make public release of the specific contents of the report.

Last updated 11/17/2007