The FDIC’s Governance of Information Technology Initiatives
August 2, 2018 / Source: FDICIG
Thursday, July 26, 2018
The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General issued an audit report that highlights challenges and risks facing the FDIC with respect to the governance of its information technology (IT) initiatives.
The audit focused on key components of the FDIC’s IT strategic planning, enterprise architecture, and governance bodies and practices. We reviewed these components in light of three IT initiatives: (1) migration of FDIC email operations to the cloud; (2) deployment of laptop computers to FDIC employees and contractor personnel; and (3) proposed adoption of a managed services solution for mobile IT devices.
We reported that the FDIC faced a number of challenges and risks with respect to the governance of its IT initiatives. Although the FDIC had planned to develop an enterprise cloud strategy in 2017, it had not done so prior to pursuing cloud initiatives. Specifically, the FDIC had not fully developed a strategy to migrate IT services and applications to the cloud prior to executing initiatives, nor had the FDIC obtained the acceptance of organizational stakeholders across FDIC’s Divisions and Offices.
In addition, the FDIC did not have an effective enterprise architecture to support its IT decision-making and guide the execution of its strategic goals and objectives. We found that the FDIC’s architecture was immature and guided neither the three IT initiatives we reviewed nor the FDIC’s transition of IT services to the cloud.
Also, the FDIC had not established a security architecture for its IT Governance Framework and IT Governance Processes, nor had it adequately defined the roles and responsibilities of information security officials. Notably, a third-party consultant assessed that the FDIC’s enterprise security architecture was “ad hoc” and “inconsistently documented and implemented.” The consultant further found that the FDIC’s IT Governance Processes did not clearly document roles and responsibilities for IT security.
Moreover, the FDIC had not acquired the resources and expertise needed to improve its IT Governance Framework, and it did not use complete cost information when evaluating cloud solutions. The FDIC’s plans for significant and rapid transformation in the delivery of IT resources required individuals with expertise that the FDIC lacked in 2016, as well as improved financial information, such as relevant intangible benefits, with which to evaluate IT initiatives.
These challenges created uncertainty among FDIC Divisions and Offices regarding the implementation of the FDIC’s IT strategic goals and objectives and the impact such efforts would have on their respective program areas. We also found that, because of the limited IT governance applied to the cloud and laptop deployment initiatives we reviewed, the former FDIC Chief Information Officer pursued overly aggressive implementation schedules and did not obtain broad business stakeholder involvement during the early stages of two of the three initiatives. This resulted in unaddressed business needs and security risks, and it created inefficiencies, increased costs, and delayed the initiatives.
We made eight recommendations to address the IT Governance weaknesses we identified. These recommendations included the FDIC developing an implementation plan that supports the IT Strategic Plan; implementing an enterprise architecture as part of the IT Governance Framework; defining and documenting roles and responsibilities for information security; and identifying IT resources and expertise to execute the IT Strategic Plan. FDIC management concurred with our recommendations.
PDF Report: 18-004AUD.pdf