IG: GSA should check its HR system

The General Services Administration needs to evaluate access controls on its system that contains employees’ personal information, such as performance reviews, according to a recent report.

Jennifer Klimes, audit manager for information technology at GSA’s Inspector General's Office, recommended that agency officials check access to the Comprehensive Human Resources Integrated System (CHRIS) to determine whether controls meet management’s risk-related requirements and whether the controls to privileged information are working as intended, according to a report dated Sept. 8.

Improving the controls would help enforce Least Privilege requirements, Klimes wrote. Least Privilege is a policy that requires a system’s users be given no more access to the personally identifiable information than is necessary to perform their official duties. GSA’s chief information officer requires Least Privilege requirements for all moderate-risk systems, of which CHRIS is one.

Klimes wrote that CHRIS allows managers and supervisors to create and change employees’ performance plans, appraisals and bonus awards. “Because the system does not restrict information that can be input into the award justification data field, supervisors are free to include project-specific or other information about individuals receiving awards,” she wrote, adding, “Award-related information could be used for unofficial purposes.”

For example, she recommended that officials restrict access unless people need to get information for writing reports. Those restrictions could improve management of risks, she wrote.

GSA officials said they designed the system so managers could recognize employees who are outside of their own offices for their work, but Klimes noted that a manager’s reasons for awarding an employee can have sensitive information about other divisions and an employee’s work. Seven managers told the auditors there were instances where they were unaware that other managers had access to the information. Most of the managers said they would prefer to limit access to their own organizations, according to the report.

Klimes also recommended independent reviews of CHRIS and coordination with GSA’s Public Building Service to define responsibilities for securing the data. She also recommended addressing CHRIS’ technical vulnerabilities.

Gail Lovelace, GSA’s chief human capital officer, said in a Sept. 4 letter that she agreed with the recommendations.

“We have worked diligently during 2008 to strengthen managerial, operational and technical controls…to appropriately limit access to sensitive personal information,” Lovelace wrote.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.


  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.