IG: GSA should check its HR system

The General Services Administration needs to evaluate access controls on its system that contains employees’ personal information, such as performance reviews, according to a recent report.

Jennifer Klimes, audit manager for information technology at GSA’s Inspector General's Office, recommended that agency officials check access to the Comprehensive Human Resources Integrated System (CHRIS) to determine whether controls meet management’s risk-related requirements and whether the controls to privileged information are working as intended, according to a report dated Sept. 8.

Improving the controls would help enforce Least Privilege requirements, Klimes wrote. Least Privilege is a policy that requires a system’s users be given no more access to the personally identifiable information than is necessary to perform their official duties. GSA’s chief information officer requires Least Privilege requirements for all moderate-risk systems, of which CHRIS is one.

Klimes wrote that CHRIS allows managers and supervisors to create and change employees’ performance plans, appraisals and bonus awards. “Because the system does not restrict information that can be input into the award justification data field, supervisors are free to include project-specific or other information about individuals receiving awards,” she wrote, adding, “Award-related information could be used for unofficial purposes.”

For example, she recommended that officials restrict access unless people need to get information for writing reports. Those restrictions could improve management of risks, she wrote.

GSA officials said they designed the system so managers could recognize employees who are outside of their own offices for their work, but Klimes noted that a manager’s reasons for awarding an employee can have sensitive information about other divisions and an employee’s work. Seven managers told the auditors there were instances where they were unaware that other managers had access to the information. Most of the managers said they would prefer to limit access to their own organizations, according to the report.

Klimes also recommended independent reviews of CHRIS and coordination with GSA’s Public Building Service to define responsibilities for securing the data. She also recommended addressing CHRIS’ technical vulnerabilities.

Gail Lovelace, GSA’s chief human capital officer, said in a Sept. 4 letter that she agreed with the recommendations.

“We have worked diligently during 2008 to strengthen managerial, operational and technical controls…to appropriately limit access to sensitive personal information,” Lovelace wrote.