The Federal government has demonstrated its inability to keep its own house in order, even as it expects citizens and businesses to trust it with very sensitive information.
To the SEC’s EDGAR breach, the OPM breach and others, add the FDIC.
The Office of Inspector General (OIG) found that the Federal Deposit Insurance Corporation’s (FDIC) policies for responding to a breach were not being followed, even as the FDIC may have been breached as many as 54 times in the last two years.
The OIG reviewed 18 of those breaches and reported its findings.
In the wake of those failures, the FDIC has taken steps to better comply with Federal Law (FISMA) by implementing a breach response plan. Very impressive for an organization that is responsible for ensuring the safety and security of trillions of dollars of your and my money.
The auditors found that the FDIC failed to implement key components of this plan for the majority of the security incidents reviewed. For example, the plan requires that breach victims be notified within 10 days, but notification took, on average, 288 days.
The plan designates who is responsible for responding to breaches, but in many cases those positions were either unfilled or staffed by employees who had not been trained.
The breach notification plan established a data breach management team, but the team lacked a charter and an effective governance structure.
The FDIC says not to worry, they will have all of this fixed by September 30th, 2018.
These are the foxes guarding the hen house. Are you as impressed as I am?
Information for this post came from Federal Computer Week.