Insider Threat

SSA Faulted on Lax Infosec Enforcement

IG: Installation of Unauthorized Software Goes Unpunished
Should employees and contractors who install unauthorized software on their government PCs and laptops be disciplined?

Not if they do so unintentionally, a senior Social Security Administration official says.

The inspector general of the Social Security Administration has issued an evaluation report, The Social Security Administration's Approval and Monitoring of the Use of Software, that faults the Social Security Administration for lax enforcement of its policy prohibiting employees and contractors from installing non-standard software on their computers. The report cited seven incidents this past year in which individuals were not disciplined for installing non-standard software without obtaining a waiver; in each case, the installed programs contained malware.

Responding to the inspector general audit, James Winn, executive counselor to the commissioner, said only two of the individuals knowingly installed non-standard software without authorization. "We will take disciplinary action, if appropriate, when an employee consciously installs unapproved software," Winn said in a written response to the audit. "For the remaining cases, employees did so unwittingly, and we do not believe disciplinary action was warranted."

Neither the audit nor Winn's response explained what type of disciplinary measures, if any, were taken against the two individuals. Attempts were made to reach Winn and the inspector general, but no response had been received by the time this article was posted.

According to the inspector general, from Oct. 30, 2009, through this past Sept. 21, the Social Security Administration had nearly 200 malware incidents reported in its change, asset and problem reporting system. Often, the report pointed out, malware is delivered to computers through e-mail, messaging systems and website visits. But in seven incidents, the malware was contained in unauthorized software. In five cases, the installed software contained keyloggers; in two instances, the software contained Trojan horses.

"Although we only reviewed seven software-related security incidents, the potential for a larger issue may exist if adequate controls are not implemented to prevent the installation of unauthorized software," Inspector General Patrick O'Carroll Jr. said in the 21-page report.

The inspector general said the agency should consider revising its software approval policy to indicate clearly that software authorized by the local manager must first go through a central management focal point, such as the agency's chief information officer. "If SSA does not revise its software approval policy, the potential exists for software to be installed on agency computers without proper authorization," O'Carroll said. "Consequently, the risk that malicious code could compromise or delete sensitive data and impede network operations would still exist. A revised policy would help minimize this risk."

Winn concurred with most of the IG's recommendations. One, however, he said he'd have to mull over. The IG recommended the Social Security Administration obtain electronic tools to inventory all types of software on agency computers and prevent unauthorized software from being installed. He said the agency will reevaluate its policies to approve and monitor software usage and assess existing technical capabilities to identify gaps. But, Winn said, local managers and security officers continue to play an important role.

"While we regularly scan our workstations and remove known malware, local managers and security officers within each component must continue their active role in the approval and oversight processes," he said. "We will maintain our efforts to prevent the introduction of malicious or destructive software onto our workstations. At the same time, we will weigh the requirements of local managers and security officers within each component and make sure they have access to the non-standard software they need to do their work."


About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.