November 6, 2012

In addition to its most recent audit on security, the advisory firm KPMG has completed at least seven audits of TSP-related topics in the past four years. Two audits – both of which at least tangentially discussed Serco – stand out, given the issues related to the Serco information leak reported earlier this year and in light of the July 2012 audit. And curiously, these two audits that touched upon Serco also appear to be incomplete—they are missing the Agency’s response to KPMG’s recommendations, just like the most recent audit. In contrast, other publicly available KPMG audits over the past four years that discuss the G Fund and withdrawals, among other topics (see below), include an Appendix D and, in some cases, an extensive discussion of the audit recommendations.

The “Performance Audit of the Thrift Savings Plan Participant Support Process,” dated August 14, 2009, includes recommendations directly related to the technical and physical security of call centers, which included a Serco-managed facility that was acquired from SI International the previous year.

Several of the issues discussed in the audit concerned technical vulnerabilities at call centers. Two example comments from the audit:

  • “without adequate physical access controls, TSP participant information is potentially exposed to risks related to unauthorized disclosure, modification or destruction of TSP data resources”
  • “call center technology is a critical component in supporting participants, and protecting participant information is an integral part of providing this support. With a heavy reliance on technology to support and protect participant information, weaknesses in the infrastructure and applications increase the risks associated with unauthorized disclosure of information.”

The audit further discussed the need to “establish…minimum security requirements” at call centers:

“If the call centers do not establish and enforce minimum security requirements to improve the security posture of information systems supporting the TSP program, they will operate at a level of risk that is inconsistent with TSP security program requirements for patching technical vulnerabilities, exposing the technology to unnecessary vulnerabilities and potential exploits. If identified vulnerabilities are not corrected, the call center infrastructure will be operating at a higher level of risk than that accepted by the TSP security program for TSP systems. If access to the LAN is not removed for separated or transferred individuals, the risk of unauthorized disclosure, modification or destruction of TSP data and systems remains.”

Similar to the most recent July 2012 audit, this audit does not include an “Appendix D” detailing “Final agency comments” or the “Executive Director’s formal reply,” although the Executive Summary of the audit directly references an Appendix D.

Separately, the “Performance Audit of the Computer Access and Technical Security Controls,” dated October 7, 2009, discusses among other things “contracted functions for IT-related services.” These services were primarily provided by Serco Inc at the time of the audit (mid-2009):

  • “Production and Backup Operations – The Agency has contracted for production and backup operations services with Serco Inc. (Serco). Serco provides the day-to-day operational services over the TSP systems, which includes the administration, configuration, and management of logical access to the TSP systems. The contract’s statement of work (SOW) requires Serco to provide the Agency with a monthly report containing system performance, capacity analysis, and service level operations and performance, and a quarterly report containing all service level achievement.”

  • “Application Development and System Maintenance – The Agency’s application development and maintenance services are also performed by Serco. Serco has subcontracted some application development and support services to SunGard for OmniPlus and to Jacob and Sundstrom (JASI) for system engineering and maintenance duties.”

The audit also provides a summary of “open recommendations” from previous audits conducted in 2005-2008. Not to belabor the point, but the October 2009 Executive Summary wraps things up like this:

“To strengthen the Agency’s security and information technology (IT) program, further efforts are needed to more timely implement all prior recommendations, as described in Section III of this report… [T]he Agency has plans to implement the necessary corrective actions through modernization and continuing efforts to complete, distribute, and enforce information security policies and procedures…Timely implementation is strongly recommended to address these previously reported recommendations and to strengthen certain management, operational, and technical controls over the TSP security and privacy programs.”

Interested readers can read the original 44-page report, but suffice it to say that the language above mirrors the language contained in the most recent July 2012 audit. In fact, that most recent audit references recommendations found in this October 2009 one.

Like the July 2012 and August 2009 audits, the October 2009 audit does not include an “Appendix D” detailing “Final agency comments” or the “Executive Director’s formal reply,” although its Executive Summary states that the appendix is included in the audit report. While the Executive Summary indicates that “[t]he Agency concurred or partially concurred with all open recommendations (Appendix D),” there is no such documentation in an Appendix D, and certainly no discussion of the recommendations. Instead, there is a page labeled “Agency’s comments to final report,” followed by three blank pages.

As noted above, other publicly available KPMG audits of other facets of the TSP do include Appendix Ds, and some are quite extensive. Here is a list of the publicly available audits since mid-2008, and whether they contain Appendix Ds (note that these audits are as they appeared when accessed on the FRTIB Web site on November 3, 2012):

Audits with an Appendix D:

  • System Enhancements and Development Lifecycle and Software Change Controls over the TSP System (July 7, 2008)

  • Service Continuity Controls over the TSP System (July 14, 2008)

  • Performance Audit of the Thrift Savings Plan Lifecycle Funds (March 26, 2010)

  • Withdrawals Process (November 9, 2011)

  • Government Securities Investment Fund Investment Operations (December 7, 2011)

Audits without an Appendix D:

  • Participant Support Process (August 14, 2009)

  • Computer Access and Technical Security Controls over the TSP System (October 7, 2009)

  • Computer Access and Technical Security Controls over the TSP System (July 30, 2012)

Certainly, these are very complex issues. Many of the issues discussed in these audits did not exist when the TSP began operations in 1988. TSP administrators have made great strides in the past ten years improving and expanding services available to TSP participants.

That said, the absence of Agency responses (even short, bare-bones ones) to the security-related recommendations raised in the audits, together with the fact that some of these recommendations have been repeated in more than one report (e.g. in 2007 and again in 2012), gives the impression – inadvertent or otherwise – that the Agency is not addressing these issues. Participants at the very least want to see evidence of a good-faith effort by the Agency to secure their personal information and accounts – especially after the most recent security incident.

Taken together, these facts raise questions as to whether the Agency is focused more on TSP users’ best interests or on PR damage control. For example, the original May 25, 2012 press release announcing the unauthorized access of a Serco computer was issued late on the Friday before the three-day Memorial Day weekend, and a follow-up press release was issued the following Friday after 3 pm. This gave the distinct impression that administrators were trying to manage the PR fall-out and reaction to the news rather than provide timely information.

And then we learned in the most recently released July 2012 audit that the original audit was delayed almost a year due to continuing security issues, during which time the unauthorized access occurred. Despite the extra time to address security issues, the audit found significant lingering issues.

And now we find past audits that referenced Serco also did not include Agency responses as part of an Appendix D, despite references in their Executive Summaries. This gives the further impression that TSP administrators are avoiding the publication of their responses to the findings related to security issues particularly involving Serco-managed facilities and services.

Perhaps these are just coincidences, and I’m sure that TSP administrators are doing their utmost to rectify the issues discussed in the audits discussed above. But at the same time, what appeared to be a curious omission now has the distinctive look of a pattern. TSP participants may sense this, and they justifiably feel unsettled.
