Office of the Inspector General

Audit Report - A-09-96-91001


Office of Audit

Access Controls for the Social Security Administration’s Telephone Switch at the Western Program Service Center - A-09-96-91001 - 9/24/97

This report presents the results of our review of access controls for the Social Security Administration’s (SSA) telephone switch (Private Branch Exchange (PBX)) at the Western Program Service Center (WNPSC) in Richmond, California. The purpose was to determine the adequacy of access controls for ensuring that the telephone system is properly used. SSA’s Administrative Instructions Manual System instructs local offices to establish administrative controls and regional offices to review long-distance calling practices to prevent employee misuse. However, at WNPSC there is no ongoing monitoring of employee long-distance telephone use nor are the security software capabilities of PBX fully implemented. Instances of improperly placed international calls were noted by SSA staff during the audit field work. Also, the PBX password is neither changed frequently nor expanded to additional characters, increasing the risk of unauthorized remote access and calls made through PBX by outside individuals.

There are three primary reasons why PBX is vulnerable to telephone misuse. First, telephone call detail reports have not been designated by SSA as a system of records under the Privacy Act of 1974, preventing the Agency from linking individual employees with telephone calls. As a result, management cannot use telephone exception reports to monitor long-distance telephone practices of employees. Second, there is no staff permanently assigned the responsibility for monitoring employee long-distance telephone use. Third, there is an absence of procedural guidance to ensure that PBX security capabilities are fully utilized. We recommend, in part, that SSA: establish a system of records under the Privacy Act that authorizes SSA to collect call detail report data by individual employees; assign staff responsibility for monitoring employees’ long-distance telephone practices; and fully utilize PBX security capabilities to include call blocking, exception reporting, frequent changing of passwords, and use of the maximum number of digits possible for the password. We also recommend that SSA assess the need to initiate access controls at other PBX locations.

Except for the establishment of a system of records under the Privacy Act, SSA agreed with the recommendations.

INTRODUCTION

At WNPSC, all telephone instruments are interconnected and linked with the public network by means of telephone switching equipment called a PBX. In 1986, SSA purchased a PBX from Northern Telecom along with a software security package and maintenance agreement. The PBX equipment provides access to services on a nationwide network operated for the Government under the FTS 2000 contract. Basic network services include domestic and international long-distance telephone calling. SSA reported that, as of July 1993, there were about 1,500 SSA offices that operated their telephones through SSA-owned telephone systems.

SSA’s Administrative Instructions Manual System provides overall guidance on procedures to control employee telephone usage. Generally, field offices are to ensure that calls are appropriately placed and regional offices are charged with reviewing and analyzing long-distance calling practices. The application of PBX software security is provided for in the purchase agreements with commercial vendors, with technical guidance from SSA’s Office of Telecommunications.

Regulations were issued by the Office of Management and Budget (OMB) on April 20, 1987, establishing procedures for Federal agencies to implement call detail programs in compliance with the Privacy Act. The purpose of these programs is to provide agencies with the means of monitoring employee telephone practices to ensure that long-distance services are properly used. The Privacy Act requires that the records only be used for authorized purposes and are protected from improper access. SSA developed a plan in July 1993 which provided for the use of call detail reports to verify the accuracy of long-distance telephone charges to the Agency. However, the Agency deferred action for establishing a system of records under the Privacy Act which would authorize it to link telephone calls with individual employees.

The regulations for managing call detail programs provide a model disclosure statement which agencies can use to establish a system of records under the Privacy Act. The statement must include such information as the routine use of and provisions for accessing, safeguarding, retaining, and disposing of the records. Such a system of records is needed whenever records are used to link telephone calls with individual employees, a necessary procedure if an agency is to identify potential misuse of long-distance service by employees.


SCOPE AND METHODOLOGY

Our audit was conducted in accordance with generally accepted government auditing standards. Our objective was to assess the adequacy of access controls to ensure that telephone lines at WNPSC are properly used. To accomplish our objective, we:

1. held discussions with SSA Headquarters and WNPSC staff;
2. made a physical inspection of the PBX site; and
3. reviewed technical and vendor publications related to PBX equipment and articles on telephone fraud.

The audit was conducted at WNPSC in Richmond, California, and at the regional office in San Francisco, California, from July to November 1996.

RESULTS OF AUDIT

SSA needs to improve access controls for its telephone system at WNPSC both as a means of ensuring that employees properly use Government telephones and preventing improper telephone access by third parties. There was neither ongoing monitoring of long-distance telephone practices nor was the Agency making full use of available security software for PBX. Reviews of telephone bills at WNPSC by SSA staff disclosed instances of long-distance telephone misuse by employees. Also, software security measures could be improved both for preventing and identifying improper employee practices and for preventing improper remote access by outside individuals.

Monitoring Telephone Usage

SSA was not reviewing telephone usage at WNPSC when we started this audit. Subsequently, SSA staff started manually reviewing selected invoices and found several irregularities that required further examination to determine if employee abuse of the telephone system had occurred. For example, international calls were made to two foreign countries. There were 21 calls to the Philippines totaling $744.05 from August 9 to September 13, 1996, and 24 calls to Mexico totaling $107.98 from July 1 to August 27, 1996. These calls were improper because international calls are not part of normal business conducted from those telephone lines. Another example involved an employee who charged SSA for membership in a telephone service called "Psychic Encounters." These types of telephone misuse can be minimized by making use of a PBX software control feature called "call blocking."

Call blocking allows SSA to customize each user’s telephone access to match job needs. An example is to block a user from calling internationally if the individual has no job-related duties requiring international telephone calls. After detecting the above incidents, SSA staff increased the use of call blocking for all "900" number, collect, and calling card calls. At the time of our field work, call blocking of international calls was pending because international business is done on some telephone lines.

Exception reports are a software feature which provide an effective and efficient means for SSA to monitor employee long-distance telephone practices. An exception report lists telephone calls meeting specific criteria, such as length of calls, international calls, and "900" calls. Such reports can be automated to identify trends which indicate potentially improper telephone practices by individual employees. However, the Privacy Act requires that SSA establish call detail reports as a system of records in order to use information linking telephone calls with individual employees.
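The exception-report criteria named above (international calls, "900" calls, length of calls) can be sketched as a filter over call detail records. This is an added example, not SSA's or the PBX vendor's software; the CSV layout, the one-hour threshold, the extension numbers and every record are constructed assumptions, and calls are grouped by originating extension.

```python
import csv
import io
from collections import defaultdict

# Constructed sample call detail records (illustrative only, not SSA data).
# Columns: start time, originating extension, dialed digits, duration (s), cost (USD)
SAMPLE_CDR = """\
1996-08-09T10:02:00,4101,0116325551234,1820,35.40
1996-08-09T10:45:00,4102,14155550100,240,0.48
1996-08-12T14:10:00,4101,0116325551234,2100,41.10
1996-08-13T09:30:00,4117,19005550199,600,29.95
1996-08-14T16:05:00,4102,01152555512345,300,4.50
1996-08-15T11:00:00,4120,12125550123,4200,8.40
"""

LONG_CALL_SECONDS = 3600  # assumed threshold for the "length of calls" criterion


def classify(dialed, duration):
    """Return the list of exception criteria that a single call meets."""
    # Strip the leading long-distance "1" so the area code can be inspected.
    national = dialed[1:] if len(dialed) == 11 and dialed.startswith("1") else dialed
    reasons = []
    if dialed.startswith("011"):  # North American international dialing prefix
        reasons.append("international")
    if len(national) == 10 and national.startswith("900"):
        reasons.append("900")
    if duration >= LONG_CALL_SECONDS:
        reasons.append("long")
    return reasons


def exception_report(cdr_text):
    """Summarize calls meeting any criterion, grouped by originating extension."""
    report = defaultdict(lambda: {"calls": 0, "cost": 0.0, "reasons": set()})
    for start, ext, dialed, secs, cost in csv.reader(io.StringIO(cdr_text)):
        reasons = classify(dialed, int(secs))
        if reasons:
            entry = report[ext]
            entry["calls"] += 1
            entry["cost"] = round(entry["cost"] + float(cost), 2)
            entry["reasons"].update(reasons)
    return dict(report)


if __name__ == "__main__":
    for ext, e in sorted(exception_report(SAMPLE_CDR).items()):
        print(ext, e["calls"], f"${e['cost']:.2f}", ",".join(sorted(e["reasons"])))
```
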

Protection against Unauthorized Electronic Access to PBX

At the time of our field work, the PBX password had not been changed in about 5 years. The password is used by authorized SSA employees for making changes to the PBX configuration, such as adding or removing individual telephone instruments or service features like voice mail, long-distance access, and call blocking. The password can also be used by the vendor to access PBX while physically outside WNPSC for performing maintenance and repair from a remote location.

The Communications Fraud Control Association (CFCA), a clearinghouse for information on the fraudulent use of telephone services, recommends that passwords be changed frequently. Unauthorized access by SSA employees could lead to such improper changes to the system as the removal of call blocking features or the addition of unauthorized long-distance access lines. Furthermore, an outside individual who successfully accesses PBX from a remote location by dialing into the remote maintenance modem can use PBX for making calls anywhere in the world.

Although no instances of unauthorized remote access were identified at WNPSC, CFCA literature has examples of compromised PBXs that were used to incur significant improper costs for long-distance telephone calls. Philadelphia Newspapers, Incorporated, lost $150,000 in 1 month; a Midwestern chemical company lost $700,000 in 3 weeks; and an Ohio manufacturer lost $300,000 over a weekend.

PBX software used at WNPSC allowed SSA to use a maximum number of four digits for the password. Northern Telecom’s security manual states that a hacker can crack a four-digit password within 7 seconds. Longer strings of password digits should be used and the password changed frequently to increase the difficulty of compromising the password and having someone gain improper access to the PBX.


RECOMMENDATIONS

SSA needs to improve controls over the long-distance telephone practices of employees and access to its PBX at WNPSC. In addition, the lack of established control procedures indicates that similar control weaknesses may exist at other SSA offices. We recommend that SSA:

  • establish call detail reports as a system of records under the Privacy Act and OMB regulations;
  • assign staff responsibility for ongoing long-distance telephone call monitoring;
  • use call blocking to prevent and exception reports to identify improper telephone calls;
  • change PBX passwords frequently and request software revisions to increase the maximum number of password digits used;
  • improve procedural guidance to ensure that SSA components fully utilize available PBX security software; and
  • assess the risk of telephone misuse at other PBX locations and, if necessary, initiate appropriate access controls.

SSA Comments

SSA agreed with our conclusion that controls over the use of SSA telephone systems need to be improved. Corrective actions to implement our recommendations have been initiated at WNPSC. Also, SSA plans to assess the need for improved controls for its offices nationwide and develop guidance to ensure that PBX security software is fully utilized and other needed controls are in place.

SSA, however, did not agree with the recommendation to establish a system of records under the Privacy Act for call detail reports. The Agency stated that current controls either in place or being implemented will substantially reduce incidents of telephone abuse. SSA further stated that the Office of the Inspector General (OIG) report provided no evidence that implementing the recommended system of records would be cost-effective. SSA’s written comments in their entirety are included at Appendix A.

OIG Response

The corrective actions taken at WNPSC should reduce the risk of unauthorized access and use of PBX. SSA also agreed to assess the need for and implement, as required, improved controls for its telephone systems nationwide. Without establishing call detail reports as a system of records under the Privacy Act, however, SSA lacks the authority to monitor and, when necessary, take actions against individual employees who place improper personal calls on the Agency’s telephone systems.

We acknowledge that there are administrative costs related to implementing the protections required under the Privacy Act for a system of records. Also, we have no basis for estimating the benefits related to such a system because there is no SSA data on the costs associated with improper telephone use. Nonetheless, the benefit of establishing such a system should include the deterrent value resulting from SSA’s capability and authority to detect improper telephone practices and to pursue administrative and criminal actions against individual employees who misuse the telephone system. The U.S. Department of Agriculture, another large and decentralized Federal agency, established a system of records for call detail records, stating as one objective, ". . . deterring or detecting possible misuses of long distance services. . ." (Departmental Regulation 3040-2, dated August 31, 1995).

David C. Williams


APPENDICES

 MAJOR CONTRIBUTORS TO THIS REPORT

Office of the Inspector General

F. William Fernandez, Director, Program Audits (West)
Jack H. Trudel, Deputy Director, San Francisco
David Gallo, Senior Auditor
Timothy Meinholz, Auditor
