tailieunhanh - United States General Accounting Office GAO March 2003 Report to the Congress_part2

Trong năm 2002, FDIC đạt được tiến bộ trong việc cải thiện kiểm soát hệ thống thông tin. Trong số 41 khuyến nghị năm trước mà chúng ta đã thực hiện, FDIC đã hoàn thành hành động vào ngày 18 và một phần hoàn thành hoặc đã có kế hoạch hành động để giải quyết những người còn lại. | development and change control segregation of duties and service continuity controls. During 2002 FDIC made progress in improving information system controls. Of the 41 prior year recommendations that we made FDIC had completed action on 18 and partially completed or had action plans to address those remaining. During our current review FDIC also corrected several newly identified weaknesses. Nevertheless continuing and newly identified vulnerabilities involving information system controls continue to impair FDIC s ability to ensure the reliability confidentiality and availability of financial data. For example FDIC did not have information system controls to adequately ensure that 1 users had only the access needed to perform their assigned duties 2 its network was secured from unauthorized access and 3 comprehensive programs were in place to routinely oversee and monitor access to its computer data to identify unusual or suspicious access. The effect of these weaknesses increases the risk of unauthorized disclosure of critical FDIC financial and sensitive personnel and bank examination information disruption of critical financial operations and loss of assets. As we have previously reported the primary reason for FDIC s information system control weaknesses is that it has not fully developed and implemented a comprehensive corporatewide security management program. An effective program would include assessing risks establishing a central security function establishing policies and related controls raising awareness of prevailing risks and mitigating controls and regularly evaluating the effectiveness of established controls. During the past year FDIC has made progress in implementing such a program including establishing a central security staff to provide guidance and oversight enhancing its security awareness program and continuing efforts to develop and update security policy. However FDIC has not yet fully established a risk assessment process and the .