IG: Social Security Systems, Data at Risk

Auditors Seized Control of Network, Records during FISMA Audit

By Eric Chabrow, November 28, 2012.

In a good news, bad news audit report, the Social Security Administration's inspector general lauded the agency for its information security program and practices for being generally consistent with the requirements of the Federal Information Security Management Act. Yet, the audit uncovered weaknesses that put Social Security systems and data at risk.

"We determined that SSA had established an overall information security program and practices that were generally consistent with FISMA requirements," Inspector General Patrick O'Carroll Jr. wrote in a 37-page audit report. "However, weaknesses in some of the program's components limited the overall program's effectiveness to adequately protect the agency's information and information systems."

O'Carroll said the risk and severity of the agency's information security weaknesses were great enough to constitute a significant deficiency under FISMA. "These weaknesses could result in losses of confidentiality, integrity and availability of SSA information systems and data," he said. "Given the complex systems and magnitude of sensitive information housed on SSA's systems, any loss of confidentiality, integrity or availability of agency systems or data could have a significant impact on the public and the nation's economy."

In an internal penetration test conducted by the IG's outside auditor, Grant Thornton, examiners seized control of an SSA network running a Microsoft Windows operating system and obtained many records containing personally identifiable information. In addition, the IG reported, auditors noted concerns related to the identification and monitoring of high-risk programs operating on the mainframe. "Without performing specific assessments of the impact of program changes to the system security framework, there is an increased risk that the security posture and controls may be bypassed or compromised," O'Carroll wrote.

Grant Thornton also identified programmers with access to production data that bypassed the agency's process to monitor and limit such access. Specifically, programmers gained access to production data for a benefit application without being monitored. "This issue increases the risk that programmers could make unauthorized changes to the production environment without detection," the IG said.

These security deficiencies, when aggregated, create a weakness in the agency's overall information systems security program that, in the opinion of the IG, significantly compromises the security of its information and information systems. "The risk was great enough that the agency head and outside agencies must be notified and immediate or near-immediate corrective action must be taken," O'Carroll said.

Underlying Causes of Material Weaknesses

What caused these material weaknesses? According to the IG:

  • The Social Security Administration had not fully implemented a comprehensive and robust continuous monitoring program based on a sound configuration management program. Without a robust continuous monitoring program that includes integrated and operating continuous monitoring tools and the capacity to report the agency's security state to its appropriate officials, the agency had a limited ability to make timely risk management decisions.
  • SSA had a decentralized governance structure for IT security. This resulted in a system misconfiguration that enabled auditors, without detection, to obtain personally identifiable information and take control of SSA's Windows network.
  • The agency needed to strategically allocate sufficient resources to resolve or prevent high-risk security weaknesses in a more timely manner. This includes the use of more effective security testing methods, such as broad penetration testing techniques.

SSA Makes Effort to Resolve Security Weaknesses

The IG said the Social Security Administration took action to address some of the identified security weaknesses.

The agency said it was conducting a Web vulnerability assessment to address the lack of monitoring and policy implementation related to the configuration and information content of its intranet webpages. It also had purchased and was deploying a data loss protection tool.

Follow Eric Chabrow on Twitter: @GovInfoSecurity
