FHFA Comes Up Short in GAO Audit
Controls Insufficient to Protect Confidentiality of Financial DataThat's the problem at the Federal Housing Finance Agency, according to an audit by the Government Accountability Office. The controls the FHFA implemented during fiscal year 2009 were insufficient to protect the confidentiality, integrity and availability of financial information stored on and transmitted over its key financial systems, databases, and computer networks, the GAO said.
In particular, according to the audit, FHFA failed to consistently maintain authorization records for network and system access, enforce the most restrictive access needed by users on shared network files and directories and enforce the most restrictive set of rights needed by users to perform their assigned duties. FHFA also didn't effectively implement physical protection and environmental safety controls over its facilities and information technology resources. GAO identified numerous instances in which FHFA facilities were not adequately secured and was able to obtain unauthorized access from outside agency facilities into the agency's interior space containing sensitive information and information technology equipment.
"A key reason for the control deficiencies in FHFA's financial system computing environment is that the agency has not yet fully implemented its agencywide information security program to ensure that controls are appropriately designed and operating effectively," GAO's Gregory Wilshusen, director of information security issues, and Nabajyoti Barkakati, director of the Center for Technology and Engineering, wrote in a 30-page report.
Other findings of the audit:
- Written policies, procedures, and technical standards do not reflect the current operating environment.
- The agency has not yet developed, documented and implemented sufficient policies and procedures to ensure that the activities performed by external third parties are monitored for compliance with FHFA's policies.
"Although these deficiencies were not considered significant deficiencies for financial reporting purposes, if left uncorrected they unnecessarily increase the risk that sensitive and financial information is subject to unauthorized disclosure, modification, or destruction," the GAO auditor reported.
GAO recommends that the acting director of the FHFA take steps to mitigate control deficiencies and fully implement a comprehensive information security program.
FHFA, in commenting on a draft of the GAO report, agreed with the findings and said it intends to address the identified deficiencies.