Securing TSP operations a 'never-ending battle,' auditor says
Tuesday - 4/29/2014, 10:13am EDT
That's according to recent audits of the TSP program undertaken by the Labor Department, which were presented to the Federal Retirement Thrift Investment Board Monday.
The Labor Department ramped up its audits of the TSP last year, performing a total of 11 reviews of the program in 2013.
Ian Dingwall, Labor's chief accountant, cited the growing size of the TSP for the increased oversight.
"As you know, this is an enormously large financial institution," Dingwall said. According to new figures presented at the meeting, assets under TSP management reached a total of $405 billion last month.
Many of the audit findings and recommendations identified by Labor dealt with cybersecurity and IT, areas that have come under scrutiny after it was revealed in May 2012 that a cyber attack against a TSP contractor compromised some 120,000 accounts.
Securing TSP's operations in cyberspace remains a "never ending battle," Dingwall said. "It's amazing how many people want access to the government's Thrift Savings Plan data."
The issues reported in the recent audits include:
- One report found weaknesses in physical access to the TSP's data centers. For example, the agency didn't regularly check which employees had access to data centers, which led, in one case, to an employee retaining access even after leaving the agency. "By not reviewing, approving and disabling physical access, an increased risk exists that individuals may have unnecessary or inappropriate access to TSP systems and data, putting the agency at risk of inadvertent or deliberate disclosure, modification or destruction of data," the audit reported. TSP Executive Director Greg Long, in his written response to the report, said the issue has since been corrected.
- Another report pointed out an incomplete, "ad hoc" process for monitoring the TSP website for potential incidents, which "increases the risk that incidents may not be appropriately identified, handled or resolved in a timely manner." The agency said it will develop additional policies to correct the issue.
- The agency also lacks a comprehensive inventory for tracking all of its hardware assets, another report found. "Without proper asset tracking, an increased risk exists that the agency could lose hardware assets containing sensitive participant information and the loss may go undetected." In his response to the report, Long said the agency would award its lead technology contractor, SAIC, a new task order to develop an asset-management program.
Dingwall said the TSP has been diligent about following up with Labor to address open audit recommendations. All told, by Labor's count, 70 recommendations have yet to be implemented by the agency.
Dingwall also pointed to an improved relationship between auditors and TSP staff.
"It hasn't been as acrimonious as we've had in the past," he said. "We're getting along. I think the staff now realizes closing audit recommendations is part of their day job."
For his part, Long said the agency is now better equipped to address issues uncovered in audits.
"We now have the people, the resources, the infrastructure that we didn't have three years ago to close these recommendations," he said.
In fact, the TSP board, which for years has relied solely on outside auditors, is in the beginning stages of building its own internal audit staff.