Securing TSP operations a 'never-ending battle,' auditor says
Tuesday - 4/29/2014, 10:13am EDT
The agency that runs federal employees' 401(k)-style Thrift Savings Plan needs to do a better job monitoring potential cyber incidents against its website, strengthen security at its data centers and come up with a plan for tracking all of its technology hardware.
That's according to recent audits of the TSP program undertaken by the Labor Department, which were presented to the Federal Retirement Thrift Investment Board Monday.
The Labor Department ramped up its audits of the TSP last year, performing a total of 11 reviews of the program in 2013.
Ian Dingwall, Labor's chief accountant, cited the growing size of the TSP for the increased oversight.
"As you know, this is an enormously large financial institution," Dingwall said. According to new figures presented at the meeting, assets under TSP management reached a total of $405 billion last month.
Many of the audit findings and recommendations identified by Labor dealt with cybersecurity and IT, areas that have come under scrutiny after it was revealed in May 2012 that a cyber attack against a TSP contractor compromised some 120,000 accounts.
Securing TSP's operations in cyberspace remains a "never ending battle," Dingwall said. "It's amazing how many people want access to the government's Thrift Savings Plan data."
The issues reported in the recent audits include:
- One report found weaknesses in physical access to the TSP's data centers. For example, the agency didn't regularly check which employees had access to data centers, which led, in one case, to an employee retaining access even after leaving the agency. "By not reviewing, approving and disabling physical access, an increased risk exists that individuals may have unnecessary or inappropriate access to TSP systems and data, putting the agency at risk of inadvertent or deliberate disclosure, modification or destruction of data," the audit reported. TSP Executive Director Greg Long, in his written response to the report, said the issue has since been corrected.
- Another report pointed out an incomplete, "ad hoc" process for monitoring the TSP website for potential incidents, which "increases the risk that incidents may not be appropriately identified, handled or resolved in a timely manner." The agency said it will develop additional policies to correct the issue.
- The agency also lacks a comprehensive inventory for tracking all of its hardware assets, another report found. "Without proper asset tracking, an increased risk exists that the agency could lose hardware assets containing sensitive participant information and the loss may go undetected." In his response to the report, Long said the agency would award its lead technology contractor, SAIC, a new task order to develop an asset-management program.
Dingwall said the TSP has been diligent about following up with Labor to address open audit recommendations. All told, by Labor's count, 70 recommendations have yet to be implemented by the agency.
Dingwall also pointed to an improved relationship between auditors and TSP staff.
"It hasn't been as acrimonious as we've had in the past," he said. "We're getting along. I think the staff now realizes closing audit recommendations is part of their day job."
For his part, Long said the agency is now better equipped to address issues uncovered in audits.
"We now have the people, the resources, the infrastructure that we didn't have three years ago to close these recommendations," he said.
In fact, the TSP board, which for years has relied solely on outside auditors, is in the beginning stages of building its own internal audit staff.