The FDIC needs to strengthen its information security controls, two audits from the agency's inspector general found.
The July 8 reports were in response to seven security breaches the FDIC reported since October 2015 related to employees leaving the agency and downloading data on personal external devices. The agency came under scrutiny from a House subcommittee in May for the slowness in reporting the breaches.
The audits found that the current incident response policies "did not provide reasonable assurance that major incidents were identified and reported in a timely manner." The inspector general recommended the agency revise its incident response policies, procedures and guidelines to address major incidents, review implementation of its data loss prevention tool, ensure Congressional notifications include context regarding the risks of incidents and include evidence, among other things.
In a report related to a breach of resolution plans of banks on Sept. 29, 2015, the inspector general recommended the agency establish a corporatewide insider threat program, test the effectiveness of controls designed to prevent users from copying information to removable devices, assign an information security manager to the FDIC's Office of Complex Financial Institutions, and determine if employees should be allowed to store copies of sensitive plans outside of the specified software.
Under October 2015 guidance from the Office of Management and Budget, if it takes longer than eight hours to recover data with 10,000 or more records, it is considered a major cyber incident and must be reported to Congress within seven days of the event occurring. All other breaches are reported in an annual report.
The breaches were considered low-risk because the employees were in good standing and had a business reason for having access to the data, the FDIC stated. The instances were reported once the agency's inspector general told them to reconsider the reporting requirements.