Management Report of Final Actions

Management Report on Final Actions

As required under the provisions of Section 5 (as amended) of the Inspector General Act of 1978, the FDIC must report information on final action taken by management on certain audit reports. The tables on the following pages provide information on final action taken by management on audit reports for the federal fiscal year period October 1, 2017, through September 30, 2018.

Table 1: Management Report on Final Action on Audits with Disallowed Costs
For Fiscal Year 2018
Dollars in Thousands
(There were no audit reports in this category.)

Table 2: Management Report on Final Action on Audits with Recommendations to Put Funds to Better Use
For Fiscal Year 2018
Dollars in Thousands
(There were no audit reports in this category.)

Table 3: Audit Reports Without Final Actions but With Management Decisions Over One Year Old
For Fiscal Year 2018

| Report No. and Issue Date | OIG Audit Finding | Management Action | Disallowed Costs |
| --- | --- | --- | --- |
| AUD-16-001, 10/28/2015 | The Acting CIO should assess the Information Security Manager (ISM) Outsourced Information Service Provider Assessment Methodology processes supporting information service provider assessments to determine and implement any needed improvements to ensure timely completion of assessments. | The FDIC needs additional time to bring the 22 remaining contracts into compliance consistent with recently developed transition and action plans. Due Date: 4/30/2019 | $0 |
| EVAL-17-004, 2/14/2017 | The Director, RMS should continue to communicate to Financial Institutions (FIs) the importance of: fully considering and assessing the risks that Technology Service Providers (TSPs) could have on the FI's ability to manage its own business continuity and incident response planning efforts; ensuring that contracts with TSPs include specific provisions that address FI-identified risks, protect FI interests, and provide details necessary to allow FIs to manage their own business continuity planning and incident response and reporting efforts through TSP operations; and clearly defining key contract terms that would be important in understanding FI and TSP rights and responsibilities in the event of a business disruption or computer security incident particularly for those contracts that FIs identify as critical or that have access to sensitive or personally identifiable information. | Due to the significant coordination required with many agencies, the review and editing of the draft Federal Financial Institutions Examination Council’s (FFIEC) Business Continuity Planning Booklet and FFIEC Outsourcing Booklet have experienced significant delays. The agencies are attempting to make the booklets more user-friendly. Due Date: 12/31/2019 | $0 |
| EVAL-17-007, 9/18/2017 | The Director, DOA, should incorporate a risk assessment of individual separating employees into the FDIC’s pre-exit clearance process. | Additional time is needed for DOA to assess currently-available operational and analytical tools to determine what tools can be used in supporting the Insider Threat and Counterintelligence Program (ITCIP). DOA will continue to analyze existing internal analytic capabilities and work with the CIOO to establish cybersecurity monitoring and mitigation capabilities (e.g., forensics, incident management systems, and data loss prevention methodologies) while protecting individual legal and privacy rights. The procedures and protocols will be drafted for appropriate review once the tools are identified and put into place. Due Date: 3/29/2019 | $0 |
| | The Director, DOA, should work with the FDIC’s Chief Information Officer to establish appropriate policy for using Data Loss Prevention (DLP) to support the FDIC’s pre-exit clearance process. | More time is needed to complete the revisions to the Directive and to allow for sufficient time for the Directive Review Process. Due Date: 3/29/2019 | |
| | The Director, DOA, should work with the FDIC’s Chief Information Officer to develop an expanded and better defined use of the Data Loss Prevention (DLP) tool for separating contractors. | As the process for notification for contractor personnel is different than the process for employees, more time is needed to effectuate this change so that the Computer Security Incident Response Team (CSIRT) is notified in a timely fashion. Due Date: 2/18/2019 | |

 
