To: Acting Commissioner of Social Security
From: Inspector General
Subject: The Social Security Administration’s Compliance with the Government Information Security Reform Act (A-14-01-21055)
The attached report provides the results of our assessment of the Social Security Administration’s (SSA) security program and practices, as required by the Government Information Security Reform Act (GISRA), Public Law No. 106-398. This report, pursuant to Office of Management and Budget (OMB) Memorandum 01-24, Reporting Instructions for GISRA, is to be included in your September 2001 submission to OMB.
GISRA focuses on the program management, implementation, and evaluation aspects of the security of unclassified and national security systems. It requires Federal agencies to conduct annual program reviews and the agencies’ Office of Inspectors General to perform annual independent evaluations for both unclassified and national security programs.
Our GISRA assessment was based on the results of various audits, reviews, evaluations, and assessments. As part of the assessment, this Office reviewed and relied on the PricewaterhouseCoopers LLP (PwC) Fiscal Year 2001 GISRA "Agreed-Upon Procedures" report, the SSA Janus report on penetration testing, the Deloitte & Touche vulnerability assessments, as well as various audits and evaluations performed by the Office of the Inspector General and other private contractors. Our assessment determined that, while SSA met the general GISRA requirements, there are opportunities for the Agency to strengthen its information security framework to ensure full compliance with GISRA. Details of specific security issues and PwC "agreed-upon procedures" documentation will be communicated to the Agency under separate cover as a limited distribution document.
We hope this information will be useful to the Agency in its continued efforts to strengthen systems security.
James G. Huse, Jr.
THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION
OIG Executive Summary
The objective of this assessment was to determine the efficiency and effectiveness of the Social Security Administration’s (SSA) overall security program and practices as required by the Government Information Security Reform Act (GISRA). The Office of the Inspector General (OIG) concluded that SSA generally meets the requirements of GISRA; however, there are opportunities for the Agency to strengthen its information security framework to ensure full compliance with GISRA and the information security-related laws and regulations that provide the foundation for GISRA.
Scope and Methodology
This Office contracted with PricewaterhouseCoopers LLP (PwC) to perform the Fiscal Year (FY) 2001 financial statement audit of SSA. To meet the requirements under GISRA, OIG contracted with PwC to issue an opinion and separate report on SSA’s compliance with GISRA. The American Institute of Certified Public Accountants (AICPA) auditing standards require an assertion from management for the auditor to render an opinion unless an examination is required by law or regulation.
While opinion level work is not required by GISRA, the OIG determined that this was the appropriate level of work. Agency officials expressed concerns about what they considered to be a lack of guidance regarding opinion level work for GISRA. Therefore, SSA management chose not to make assertions on its compliance with GISRA, and, as a result, PwC withdrew from the portion of its contract that requires an opinion on the Agency’s compliance with GISRA and the Federal Financial Management Improvement Act of 1996 (FFMIA). The Agency’s failure to provide the necessary assertions regarding GISRA and FFMIA compliance does not preclude the OIG from performing the necessary work to issue a report containing its own independent assessment of whether or not the Agency is in compliance with GISRA and FFMIA. Using GISRA, along with guidance provided by the National Institute of Standards and Technology (NIST), the Federal Information System Control and Audit Manual, and other relevant information security laws and regulations as a framework, this Office contracted with PwC to perform an "Agreed-Upon Procedures" engagement to assist the Office of Audit in performing an independent assessment of the Agency’s compliance with GISRA.
This GISRA assessment was based on the results of the PwC’s FY 2001 GISRA "Agreed-Upon Procedures" report and working papers, the SSA Janus report on penetration testing, the Deloitte & Touche vulnerability assessments, as well as various audits and evaluations performed by other contractors, PwC, and the OIG.
We performed fieldwork at SSA facilities nationwide from April 2 through August 31, 2001. This assessment was performed in accordance with generally accepted government auditing standards. Additional details of the scope and methodology may be found in the detailed report.
Current Security Status
One of the most significant issues in SSA’s current security environment is the need for SSA to strengthen its controls to protect information. Since the FY 1997 financial statement audit, PwC has cited SSA’s protection of information as a reportable condition. While these deficiencies do not rise to the level of a material weakness under the Chief Financial Officers Act reporting requirements, they are significant enough to warrant public disclosure as a reportable condition.
More recently, in SSA’s FY 2000 Performance and Accountability Report, PwC continued to report the deficiencies in the Agency’s ability to protect information. In this report, PwC provided SSA with a diagram of the components of an effective information security framework and identified where deficiencies exist in the Agency’s current entity-wide security framework. PwC identified opportunities for the Agency to further strengthen its entity-wide security framework throughout the organization. The general areas of exposure within SSA include:
In addition, in June 2001, OIG reported that SSA has a fragmented computer security structure that lacks continuity and authority. This Office recommended that SSA centralize its system security management structure to comply with GISRA and all applicable laws to ensure that all key security components responsible for Agency-wide security policy and administration report directly to the Chief Information Officer.
Until corrected, deficiencies in SSA’s entity-wide security framework will continue to impair SSA’s ability to effectively mitigate the risks of unauthorized access to and/or disclosure of sensitive information. This will become increasingly important as SSA moves forward with initiatives to use the Internet and Web-based applications to deliver service to the American public.
Implementation of GISRA
Each Federal agency must implement and maintain a security program to adequately secure its information and systems assets. An agency security program must: 1) ensure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability; and 2) protect information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized access, or modification of information.
Although we are not required by GISRA to comment on the Agency’s self-assessment, we made the following observations for SSA’s consideration in developing future information security evaluation plans. To comply with GISRA, SSA completed the Self-Assessment Guide for Information Technology. SSA provided the applicable portions of the NIST framework questionnaire to the appropriate security specialists. These individuals completed the questionnaire based on their current knowledge of security policies and practices. The security specialists were not provided any additional documentation with the questionnaire. According to Agency officials, it was not necessary to distribute copies of these documents because the security specialists should be familiar with the day-to-day security policies and practices and have already received them through the Agency’s report distribution protocol.
SSA accumulated these completed portions of the questionnaire and hired KPMG, LLP to validate its completion of the NIST self-assessment questionnaire. In addition, SSA hired contractors to benchmark its information systems, security technology, and procedures, and to perform vulnerability assessments for its critical assets. While these efforts are laudable attempts to obtain baseline data on information security practices, they do not reach the core issue--the effectiveness of the controls. Admittedly, SSA acknowledges the reviews the contractors conducted were not audits and did not involve testing of the control procedures discussed in the contractors’ reports. Ideally, a more constructive review would have included testing to ensure the control environment is operating as intended. Also, SSA should have used all available audit information and any other pertinent data in completing its self-assessment.
The GISRA evaluation is an opportunity for SSA to improve its risk and vulnerability assessment practices and thereby strengthen its entity-wide security framework. While it is certainly within the discretion of Agency management to determine its assessment protocol, we believe the Agency can maximize the effectiveness of its risk and vulnerability assessments by ensuring deficiencies regarding critical information are provided to the individuals making those assessments. The Agency relies on the OIG and other auditors as a resource for an objective assessment of its control environment. These reports provide insight on whether or not the Agency’s policies are being practiced across the organization and would, therefore, be critical to any assessment of risks or vulnerabilities.
For example, when reviewing the list of documents reviewed by KPMG, this Office noted it contained only one OIG-related document. In addition, key reports from other Agency contractors, the Deloitte & Touche June and July 2001 vulnerability assessment reports, and other OIG reports were not on the list of items reviewed. Although Agency officials informed us that KPMG had access to all documents, the firm’s final report listed 82 documents, of which only one, the FY 2000 SSA Accountability Report, related to OIG work. Therefore, KPMG was only reviewing how well SSA completed the questionnaire, not how well the program actually worked. The effectiveness of the assessment process was hampered because critical documents identifying system deficiencies were not considered as part of the assessments.
By not including this critical information, one could draw inaccurate conclusions as to the level of risk or exposure to vulnerabilities existing for certain security control features. The completed NIST questionnaire presents a picture of an information security program without significant security deficiencies. However, OIG audit reports, PwC's "agreed-upon procedures" and financial statement audit reports, as well as reports from contractors hired by SSA, demonstrate the need for improvement in the information security program. For example, SSA has not corrected all of the many deficiencies that caused the reportable condition identified by PwC. These deficiencies are the direct result of the lack of an overall information security management structure. A solid information security management structure is essential when addressing the development of a strong information security program, which rapidly resolves all security issues. In June 2001, the OIG issued a report describing deficiencies in the Agency's information security structure. These deficiencies appear repeatedly from year to year. Some of these deficiencies include inadequate configuration of hardware and software, physical security, logical access controls, continuity of operations, software change control and development, and ineffective monitoring of the implementation of Information Technology (IT) policy. Moreover, SSA's contractors have noted other systemic information security problems in addition to the deficiencies noted by the OIG and PwC. Deloitte & Touche vulnerability assessments have disclosed system issues that cut across systems and applications. Janus Associates, hired by SSA to perform penetration testing, commented that SSA's approach to information security needs to be proactive and that some of the same findings are being identified year after year.
the full intent of GISRA, which is to evaluate the effectiveness of security programs and procedures, the Agency must move towards a more comprehensive evaluation plan. In completing the NIST self-assessment, SSA must consider the weaknesses which have been identified in OIG, PwC and its own reports.
The impact of the information system security weaknesses is increasing for several reasons. SSA is moving to put an even greater level of services on-line, which increases SSA's exposure to risks to its systems. Also, SSA is placing a greater reliance on technology to accommodate the expected increase in workload and expected decrease in manpower. Technology changes so quickly that the individuals who would exploit the information security weaknesses are also gaining new means and opportunities to do so. The OIG’s assessment determined that, while SSA met the general GISRA requirements, there are opportunities for the Agency to strengthen its information security framework to ensure full compliance with GISRA.
We acknowledge SSA has made strides in its information protection efforts. The establishment of a Critical Infrastructure Protection program, the creation of an incident response team, the completion of Project Matrix Step I, and the Agency’s willingness to share information regarding common vulnerabilities with the Federal Computer Security Incident Response Capability all indicate a culture of security awareness. SSA has the potential to be the unquestioned leader in the area of Federal information protection. The observations and recommendations made in OIG reports and other auditors’ reports will assist the Agency in reaching that goal. Through the collaborative efforts of Agency management and OIG, the challenge of protecting sensitive information can be met.
In meeting its overall security program needs, this assessment found that SSA uses accreditations, program reviews, and independent evaluations to assess the performance of its security program. SSA does provide security training to the individuals with security responsibility and considers IT security in the budget process. However, SSA does not have specific performance measures, has not evaluated all of its critical assets, does not globally track IT security training taken by its security staff, and does not itemize IT security costs by projects. The following OIG detailed report responds to the individual questions 2-13 specified in OMB’s Reporting Instructions for the Government Security Reform Act.