Seven recommendations were made to address interconnection issues uncovered during an audit of information systems, according to the Federal Deposit Insurance Corp. (FDIC), including one to modify the agency’s existing policies and procedures so that they meet the standards for managing system interconnections.
In a Dec. 6 report by the FDIC’s Office of Inspector General (OIG), the agency said “control weaknesses” were identified in each of the four phases of the life-cycle framework for managing system interconnections, as recommended by the National Institute of Standards and Technology (NIST). (The four phases are planning, establishing, maintaining, and terminating interconnections.)
In particular, the audit found that, among the agency’s 11 system interconnections (as of Sept. 2017):
- Policies and procedures did not: (a) define the types of technologies and configurations that constitute a system interconnection; (b) articulate the roles and responsibilities for those involved in managing system interconnections; or (c) establish documentation requirements for key activities.
- The agency did not create necessary written agreements to govern three of the 11 system interconnections.
- In four instances in which written agreements governing system interconnections had expired, the system interconnection remained enabled. “In addition, the FDIC did not terminate three system interconnections when they were no longer needed,” the audit stated.
The OIG said the seven recommendations it made were to:
- modify existing policies and procedures to address all four phases of the NIST life-cycle framework;
- execute written agreements with two outside organizations;
- modify the agency’s standard contract language involving system interconnections to align with NIST guidance;
- review system interconnection agreements annually to ensure that they remain current;
- launch procedures to review, update, and reauthorize written agreements when appropriate;
- develop and implement procedures for notifying technical staff when system interconnections are terminated; and
- develop and implement policies and procedures to govern the secure transfer of data outside the FDIC when using technologies that are not considered system interconnections.
The OIG said the agency concurred with six of the seven recommendations and partially concurred with the remaining recommendation, providing “an alternative corrective action to address the remaining recommendation.”
Controls Over System Interconnections with Outside Organizations