A report from the Office of Inspector General (OIG) at the Federal Deposit Insurance Corporation (FDIC) found that the FDIC has not established and implemented effective controls to secure and manage its mobile devices.
In response, the FDIC committed to work on a long list of improvements, and hopes to complete those efforts by next year.
The report says that the FDIC has deployed nearly 4,600 smartphones and more than 150 tablets to its employees and contractor personnel to support its business operations and communications. Further, the FDIC uses a cloud-based mobile device management (MDM) solution to secure and manage its smartphones and tablets. The OIG report notes that the MDM solution performs a handful of important functions, such as connecting mobile devices to the FDIC’s network, monitoring the security and configuration settings on the devices, and erasing sensitive FDIC data on the devices when users report them as lost or stolen.
The purpose of the IG audit was to determine whether the FDIC had established and implemented effective controls to secure and manage its mobile devices, and it examined nine areas: policies, procedures, and guidance; awareness training; control assessments; logging and monitoring; billing analysis; configuration management; asset management; incident response; and data protection.
The audit found that the FDIC has not established or implemented effective controls and practices to secure and manage its mobile devices in three of the nine areas assessed. The report says that the controls and practices that existed in those three areas “did not comply with relevant Federal or FDIC requirements and guidance.”
Specifically, the audit determined that:
- “FDIC policies, procedures, and guidance were outdated and did not reflect current business practices pertaining to mobile devices, and they did not address key elements recommended by the National Institute of Standards and Technology (NIST). For example, FDIC policies did not address the Bring Your Own Device (BYOD) program nor the risks associated with personal use of FDIC-furnished mobile devices, such as downloading and using non-work related applications, and texting, messaging, and video.
- The FDIC did not conduct Control Assessments of the MDM solution annually in order to ensure that controls were effective and operating as intended.
- FDIC Logging and Monitoring practices were not guided by written procedures and did not provide for adequate separation of duties.”
The report notes that controls and practices in the areas of awareness training, billing analysis, and configuration management were “partially effective” because they complied with some, but not all, relevant security requirements and guidelines. On a positive note, the FDIC did implement effective controls and practices in the areas of asset management, incident response, and data protection.
The report recommends that the FDIC CIO:
- Perform a documented assessment of risks associated with BYOD and the personal use of COPE devices, including the installation and use of mobile applications, text messaging, and audio and video capabilities.
- Establish mobile device policies and guidance that align with NIST and GAO-recommended practices. The policies and guidance should (a) reflect the FDIC’s current business practices for mobile devices and (b) be based on the documented assessment of risks in Recommendation 1.
- Require users of BYOD to consent to rules of behavior in a mobile device security agreement.
- Define and document roles, responsibilities, and procedures for reviewing audit logs generated by the MDM solution.
- Separate responsibilities for performing systems administration from conducting reviews of audit logs generated by the MDM solution.
- Develop and implement awareness training to address risks and security practices related to the use of mobile devices.
- Implement a process to routinely report usage information for mobile devices and MiFi devices to business units in the FDIC’s Divisions and Offices.
- Require the FDIC’s Divisions and Offices to provide EUCS with documentation to support the continued business need for zero-usage devices, and take action to suspend or terminate unnecessary devices and services.
- Develop and implement written policies and/or procedures that define roles, responsibilities, and requirements for testing mobile device software updates and documenting the associated results before users are permitted to download and install them.
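Two of the recommendations above describe checks that can be automated from data an MDM solution and a carrier billing export already provide: reporting zero-usage devices back to the business units that own them, and ensuring that nobody who administers the MDM solution is also the person reviewing its audit logs. The following script is an added example, not code from the OIG report, the FDIC, or any MDM vendor; its device inventory, usage records, role names, and business-unit names are constructed for illustration and are not the FDIC's.

```python
"""Added example (not from the OIG report or the FDIC): two control checks
derived from the recommendations above, run over constructed sample data.

  1. Zero-usage reporting: join an MDM device inventory with a usage export
     and list, per business unit, the devices with no voice, data, or
     message activity during the review period.
  2. Separation of duties: flag any account that holds both the MDM
     systems-administrator role and the audit-log-reviewer role.

Field names, role names, and unit names are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    device_id: str
    business_unit: str
    kind: str  # "smartphone", "tablet" or "mifi"


@dataclass(frozen=True)
class Usage:
    device_id: str
    day: date
    voice_minutes: int
    data_mb: int
    messages: int


# Constructed sample inventory (assumed shape of an MDM export).
DEVICES = [
    Device("D-001", "unit-a", "smartphone"),
    Device("D-002", "unit-b", "tablet"),
    Device("D-003", "unit-c", "mifi"),
    Device("D-004", "unit-b", "smartphone"),
]

# Constructed sample usage records (assumed shape of a carrier billing export).
USAGE = [
    Usage("D-001", date(2021, 6, 10), 12, 120, 4),   # active inside the period
    Usage("D-003", date(2021, 5, 15), 0, 900, 0),    # active, but before the period
    Usage("D-004", date(2021, 6, 12), 0, 0, 0),      # a record exists, but no activity
]

REVIEW_START = date(2021, 6, 1)
REVIEW_END = date(2021, 6, 30)


def zero_usage_devices(devices, usage, start=REVIEW_START, end=REVIEW_END):
    """Return devices with no non-zero voice/data/message activity in [start, end].

    A device with no usage rows at all, or only rows outside the period, or only
    all-zero rows, is reported; any single non-zero counter inside the period
    marks it active.
    """
    active = set()
    for u in usage:
        if start <= u.day <= end and (u.voice_minutes or u.data_mb or u.messages):
            active.add(u.device_id)
    return [d for d in devices if d.device_id not in active]


def zero_usage_report(devices, usage, start=REVIEW_START, end=REVIEW_END):
    """Group zero-usage device ids by business unit, so each Division or Office
    receives only the devices it must justify or release."""
    report = {}
    for d in zero_usage_devices(devices, usage, start, end):
        report.setdefault(d.business_unit, []).append(d.device_id)
    return report


# Constructed role assignments (assumed role names in the MDM / IAM system).
ADMIN_ROLE = "mdm_admin"
REVIEWER_ROLE = "mdm_log_reviewer"
ROLE_ASSIGNMENTS = {
    "alice": {ADMIN_ROLE},
    "bob": {REVIEWER_ROLE},
    "carol": {ADMIN_ROLE, REVIEWER_ROLE},  # violates separation of duties
    "dave": {"helpdesk"},
}


def separation_of_duties_violations(assignments):
    """Return accounts that both administer the MDM solution and review its logs."""
    return sorted(
        user for user, roles in assignments.items()
        if ADMIN_ROLE in roles and REVIEWER_ROLE in roles
    )


if __name__ == "__main__":
    for unit, ids in sorted(zero_usage_report(DEVICES, USAGE).items()):
        print(f"{unit}: zero-usage devices needing business justification: {ids}")
    for user in separation_of_duties_violations(ROLE_ASSIGNMENTS):
        print(f"{user}: holds both {ADMIN_ROLE} and {REVIEWER_ROLE}")
```

The zero-usage check treats an all-zero billing row the same as a missing one, which matters because a suspended line or an unissued device may still appear on the invoice. The separation-of-duties check is deliberately a pure function over role assignments so it can be run on every export of the role data rather than once at audit time.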
The FDIC concurred with the OIG recommendations and plans to complete corrective actions by May 30, 2022.