In a good news, bad news audit report, the Social Security Administration's inspector general lauded the agency for its information security program and practices for being generally consistent with the requirements of the Federal Information Security Management Act. Yet, the audit uncovered weaknesses that put Social Security systems and data at risk.
"We determined that SSA had established an overall information security program and practices that were generally consistent with FISMA requirements," Inspector General Patrick O'Carroll Jr. wrote in a 37-page audit report. "However, weaknesses in some of the program's components limited the overall program's effectiveness to adequately protect the agency's information and information systems."
O'Carroll said the risk and severity of agency's information security weaknesses were great enough to constitute a significant deficiency under FISMA. "These weaknesses could result in losses of confidentiality, integrity and availability of SSA information systems and data," he said. "Given the complex systems and magnitude of sensitive information housed on SSA's systems, any loss of confidentiality, integrity or availability of agency systems or data could have a significant impact on the public and the nation's economy."
In an internal penetration test conducted by the IG's outside auditor, Grant Thornton, examiners seized control of an SSA network running a Microsoft Windows operating system and obtained many records containing personally identifiable information. In addition, the IG reported, auditors noted concerns related to the identification and monitoring of high-risk programs operating on the mainframe. "Without performing specific assessments of the impact of program changes to the system security framework, there is an increased risk that the security posture and controls may be bypassed or compromised," O'Carroll wrote.
Grant Thornton also identified programmers with access to production data that bypassed the agency's process to monitor and limit such access. Specifically, programmers gained access to production data for a benefit application without being monitored. "This issue increases the risk that programmers could make unauthorized changes to the production environment without detection," the IG said.
These security deficiencies, when aggregated, create a weakness in the agency's overall information systems security program that, in the opinion of the IG, significantly compromises the security of its information and information systems. "The risk was great enough that the agency head and outside agencies must be notified and immediate or near-immediate corrective action must be taken," O'Carroll said.
Underlying Causes of Material Weaknesses
What caused these material weaknesses? According to the IG:
- The Social Security Administration had not fully implemented a comprehensive and robust continuous monitoring program based on a sound configuration management program. Without a robust continuous monitoring program that includes integrated and operating continuous monitoring tools and the capacity to report agency's security state to appropriate its officials, the agency had a limited ability to make timely risk management decisions.
- SSA had a decentralized governance structure for IT security. This resulted in a system misconfiguration that enabled auditors, without detection, to obtain personally identifiable information and take control of SSA's Windows network.
- The agency needed to strategically allocate sufficient resources to resolve or prevent high-risk security weaknesses more timely. This includes the use of more effective security testing methods, such as broad penetration testing techniques.
SSA Makes Effort to Resolve Security Weaknesses
The IG said the Social Security Administration took action to address some of the identified security weaknesses.
The agency said it was conducting a Web vulnerability assessment to address the lack of monitoring and policy implementation related to the configuration and information content of its intranet webpages. It also had purchased and was deploying a data loss protection tool.
SSA removed on high-risk privileged program identified by auditors to address the lack of controls related to the identification and monitoring of high-risk programs operating. It also was expanding its review process to include all mainframe privileged programs.
Another problem, insufficient vulnerability testing to identify critical weaknesses in its IT environment, was being addressed by the agency initiating this past year penetration testing with an open and dynamic scope. The agency also hired three contract employees in September to perform targeted internal penetration testing to identify security weaknesses of SSA's networks.
The agency began using a commercial tool to manage its security profile review process for SSA employees and contractors, a procedure auditors found lacking. The agency planned to remediate some access control issues by fully implementing its profile and access recertification program in early fiscal year 2013.
To address the lack of appropriate controls to prevent unauthorized access to its production environment, SSA managers told the IG that the agency removed the access of the programmers identified in the auditor's testing. Agency managers also said its triennial access recertification will identify these issues in the future, and SSA was exploring options to alert the agency if programmers gain access to the production environment.
Auditors determined that the SSA's continuous monitoring strategy not fully implemented. The agency discussed its preliminary plan to implement its continuous monitoring strategy with the IG, and according to the audit, SSA has been evaluating the ability of its continuous monitoring tools to ensure compliance with Federal requirements and Agency policies and procedures to build upon its continuous monitoring strategy., SSA managers also told the IG that after the continuous monitoring tool evaluations are completed, it will have a better idea of the timeframe needed to fully implement its continuous monitoring strategy. The agency plans to complete the continuous monitoring tool evaluations by the end of December. SSA said it's also evaluating which identified security deficiencies identified could be resolved by fully implementing its continuous monitoring strategy.
The IG recommended the SSA implement: