November 2, 2012

The audit and advisory firm KPMG conducts periodic audits of the Thrift Savings Plan. In 2010 it audited the “Lifecycle Funds Process.” In 2011 it audited the “Withdrawals Process” and later the “Government Securities Investment Fund Investment Operations.” Each report contained the results of the audit, along with a list of individuals interviewed, documents reviewed, and the “Agency’s responses” to the findings as an appendix.

Most recently, KPMG completed an audit of the “computer access and technical security controls” of the TSP, dated July 30, 2012. The audit was originally scheduled for the spring of 2011, but it was postponed until January 2012 at the request of the FRTIB staff “in order to provide the Agency [TSP administrators] additional time to implement proper security controls,” according to the audit. The “unauthorized access of certain personal information” of 123,000 TSP participants took place during that delay. The audit did not review the unauthorized access, however.

Even after this delay, the auditors reported that “[d]uring the planning phase of the audit, we determined that a number of related prior year recommendations continued to remain open,” so they “revised the scope of the audit to focus on determining the status of the open prior…TSP recommendations.” In other words, the auditors had to set aside the planned audit in order to check up on older recommendations (some dating from 2007) that remained “open”: they were, and still are, unresolved issues.

The following, quoted from page ii of the report, sums up the urgency of the audit:

“[W]e conclude that the Agency has not fully implemented corrective action for any of the seven open…TSP recommendations in this area. To strengthen the Agency’s security and information technology (IT) program, focused efforts are needed to more timely implement all prior recommendations…We strongly recommend timely implementation to address these previously reported recommendations and to strengthen the overall security program and IT control environment related to access administration, security configuration, incident response, appropriate segregation of duties, information privacy, contractor oversight, and risk evaluation.”

The seven “prior year recommendations” date back to 2007 and 2008.

To be fair, the auditors noted progress, particularly on the first three recommendations, which date from 2007.

However, according to the auditors, significant and worrisome issues remain to be addressed even within those first three recommendations. For example:

  • the “agency no longer had a TSP System Security Plan, and therefore was unable to update the incident response provisions” (recommendation 1);

  • “…access administration procedures for granting access to sensitive and critical datasets” had not been implemented (recommendation 2);

  • “…procedures for logging and monitoring mainframe use and administering access” were “weak and lacked approval by Agency management,” and “team leads were allowed to approve their own access,” while some individuals had “excessive access” (recommendation 3).

Many points contained in the 2008 recommendations were open, as well. Some of the more worrying areas were as follows:

  • “…[t]he Agency had not formalized policies related to incident response or the process for handling incidents related to the breach of information such as PII [Personally Identifiable Information]”

  • “…a formal PIA [Privacy Impact Assessment] had not been performed” over the TSP system “following Privacy Act and OMB guidance”

  • “…formal plans of action and milestones (POA&Ms) to capture security weaknesses, corrective action plans, milestones, and target completion dates for weakness remediation” remained “in draft status”

  • “The Agency has not performed an E-Authentication risk assessment to further evaluate authentication requirements and identify current weaknesses such as participant credentials being stored as open text in the OmniPlus recordkeeping system.”

These and other “open” recommendations can be found in the original audit, “Performance Audit of the Thrift Savings Plan Computer Access and Technical Security Controls,” which was just made publicly available last Friday here. A summary of the recommendations begins on page III.21.

Curiously, the audit says the “Agency’s responses to these recommendations are included as an appendix within this report (Appendix D).” However, the published audit does not include Appendix D; it stops at Appendix C.

I’ve sent requests to TSP administrators for a copy of Appendix D, and/or for Appendix D to be uploaded to the FRTIB Web site. I’ve also requested information regarding any updates TSP administrators might have made, because several months have passed since the audit results were first briefed to staff on June 19, 2012. If anything, I’m very interested to find out what administrators’ responses have been to the results of the audit. So far, however, I have not received a response, and as of this posting Appendix D has not been uploaded to the FRTIB site.

At any rate, the audit indicates that the TSP is still facing significant – and very troubling – security issues. I will admit that I became very concerned after reading the full audit report, and I can only hope that TSP administrators are working to address these issues as soon as possible.
