IG: SSA Tardy in IT Security Compliance
Social Security Didn't Fix All Problems Raised in 2001
The Social Security Administration has failed to comply with three of five recommendations made by auditors in 2001 to tighten IT security standards, the agency's inspector general said in a new report.
SSA managers believed they had complied with all five, but a review conducted by the IG this year found that:
- The agency continued to have a decentralized and fragmented IT management structure;
- The Office of Chief Information Officer didn't have sufficient authority and resources to carry out its responsibilities for an information security program;
- SSA failed to sufficiently document policies and procedures to ensure that system users receive timely notification of imminent security incidents;
- Its Information Systems Security Handbook failed to cover all security areas and contained outdated and inaccurate information.
"A centralized approach to security management would be in line with the current agency initiative of adopting a more integrated and seamless approach to systems development to address the Agency's growing needs effectively and efficiently," wrote SSA Inspector General Patrick P. O'Carroll Jr. in the 42-page report.
The IG recommended that SSA:
- Centralize its security management structure to ensure a coordinated approach to its agency-wide information security program.
- Clearly delineate roles, responsibilities, and lines of communication that report to a single management focal point.
- Ensure the CIO has sufficient delegated authority and resources to fulfill his security responsibilities according to applicable laws, regulations and guidance.
- Update its agency-wide Information Security Program Plan.
- As appropriate, ensure that written policies and procedures require notification of all agency system users for certain computer incidents.
- Update the Information Systems Security Handbook with the most current and accurate information, and consider further delineating the security roles and responsibilities of agency components and security officers related to the subject matter in each chapter. SSA should include all security policies, or references to them, in the handbook.
According to the report, SSA agreed with recommendations 4, 5 and 6 but deferred its response to the first three, giving the CIO a chance to review the matter.