A-14-09-19047 - Alternate Format

Report Summary
Social Security Administration Office of the Inspector General

November 2009

Fiscal Year 2009 Evaluation of the Social Security Administration’s Compliance with the Federal Information Security Management Act
(A-14-09-19047)

Objective

To determine whether the Social Security Administration’s (SSA) overall security program and practices complied with the requirements of the Federal Information Security Management Act of 2002 (FISMA) for Fiscal Year (FY) 2009.

Background

FISMA provides the framework for securing the Government’s information and information systems. All agencies must implement the requirements of FISMA and report annually to the Office of Management and Budget and Congress on the adequacy and effectiveness of their security programs. FISMA requires that each agency develop, document, and implement an agency-wide information security program.

To view the full report, visit http://www.ssa.gov/oig/ADOBEPDF/A-14-09-19047.pdf

Our Findings

We determined that SSA generally complied with FISMA requirements for FY 2009; however, there are areas that need improvement. SSA continues to work toward maintaining a secure environment for its information and systems. For example, SSA continues to have sound processes in a number of areas including certification and accreditation, configuration management, privacy, and system inventory.

Although the Agency continues to protect its information and systems, our FY 2009 financial statement audit identified a significant deficiency in the Agency’s controls over access to its information. SSA did not continually assess individuals’ access to the Agency’s mainframe information. The significant deficiency does not rise to the level of a significant deficiency defined under FISMA because of other compensating controls the Agency has in place, such as intrusion detection systems, guards, closed circuit televisions, automated systems checks, configuration management, and firewalls.

Our Recommendation

SSA should continue to strengthen its overall security program and practices and ensure future compliance with FISMA and other information security-related laws and regulations; therefore, we recommend SSA:

Ensure system access controls are fully implemented to meet least privilege criteria for all users of SSA’s systems. This includes regular monitoring of access to SSA’s systems.