IG: GSA should check its HR system

The General Services Administration needs to evaluate access controls on its system that contains employees’ personal information, such as performance reviews, according to a recent report.

Jennifer Klimes, audit manager for information technology at GSA’s Inspector General's Office, recommended that agency officials check access to the Comprehensive Human Resources Integrated System (CHRIS) to determine whether controls meet management’s risk-related requirements and whether the controls to privileged information are working as intended, according to a report dated Sept. 8.

Improving the controls would help enforce Least Privilege requirements, Klimes wrote. Least Privilege is a policy that requires a system’s users be given no more access to the personally identifiable information than is necessary to perform their official duties. GSA’s chief information officer requires Least Privilege requirements for all moderate-risk systems, of which CHRIS is one.

Klimes wrote that CHRIS allows managers and supervisors to create and change employees’ performance plans, appraisals and bonus awards. “Because the system does not restrict information that can be input into the award justification data field, supervisors are free to include project-specific or other information about individuals receiving awards,” she wrote, adding, “Award-related information could be used for unofficial purposes.”

For example, she recommended that officials restrict access unless people need to get information for writing reports. Those restrictions could improve management of risks, she wrote.

GSA officials said they designed the system so managers could recognize employees who are outside of their own offices for their work, but Klimes noted that a manager’s reasons for awarding an employee can have sensitive information about other divisions and an employee’s work. Seven managers told the auditors there were instances where they were unaware that other managers had access to the information. Most of the managers said they would prefer to limit access to their own organizations, according to the report.

Klimes also recommended independent reviews of CHRIS and coordination with GSA’s Public Building Service to define responsibilities for securing the data. She also recommended addressing CHRIS’ technical vulnerabilities.

Gail Lovelace, GSA’s chief human capital officer, said in a Sept. 4 letter that she agreed with the recommendations.

“We have worked diligently during 2008 to strengthen managerial, operational and technical controls…to appropriately limit access to sensitive personal information,” Lovelace wrote.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.