IG warns Labor on information security
By Adam Mazmanian
Aug 18, 2015
The Department of Labor has demonstrated "significant deficiencies" in key information security areas over the last five years, according to the DOL inspector general, who outlined a history of problems in the areas of access control, third-party oversight and configuration management.
According to the report, 11 former employees accessed agency networks with old credentials, and over a period of years the department had a history of failing to switch off access privileges for former employees.
Labor began to implement the use of personal identity verification cards only "in response to the Office of Personnel Management breach," per the report. However, the department failed to meet White House targets for identity, credential and access management in the recent cybersecurity sprint: 68 percent of privileged users and 65 percent of unprivileged users access agency networks via multifactor authentication. The administration set the bar for success at 75 percent.
The report also cites deficiencies in oversight of DOL systems operated by third parties. Problems included "physical and logical access controls not in place, improper use of shared accounts, system security assessments not performed, business impact assessments not performed, untested contingency plan, interconnections not fully documented, and agreements not in place," the report said.
OIG also warned Labor about the lack of a secure process for patching and upgrading software, and fixing vulnerabilities based on known security flaws.
The report notes that despite reports of progress, OIG "audits continue to identify similar deficiencies in information security." The report recommends that DOL adopt the same focus used to implement multifactor authentication under the cyber sprint in remediating other access-control problems.
DOL submitted reply comments within the 10-day time frame urged by the IG's office, but an OIG representative told FCW that the responses were still being digested and no decision had been made on whether they would be released. Emails to the public affairs staff and CIO office at the Labor Department were not returned.
Adam Mazmanian is executive editor of FCW.
Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.