The agency that runs federal employees’ 401(k)-style Thrift Savings Plan needs to do a better job monitoring potential cyber incidents against its website, strengthen security at its data centers and come up with a plan for tracking all of its technology hardware.
That’s according to recent audits of the TSP program undertaken by the Labor Department, which were presented to the Federal Retirement Thrift Investment Board Monday.
The Labor Department ramped up its audits of the TSP last year, performing a total of 11 reviews of the program in 2013.
Ian Dingwall, Labor’s chief accountant, cited the growing size of the TSP for the increased oversight.
“As you know, this is an enormously large financial institution,” Dingwall said. According to new figures presented at the meeting, the total amount of assets under TSP management reached a total of $405 billion last month.
Many of the audit findings and recommendations identified by Labor dealt with cybersecurity and IT, areas that have come under scrutiny after it was revealed in May 2012 that a cyber attack against a TSP contractor compromised some 120,000 accounts.
Securing TSP’s operations in cyberspace remains a “never ending battle,” Dingwall said. “It’s amazing how many people want access to the government’s Thrift Savings Plan data.”
The issues reported in the recent audits include:
One report found weaknesses in physical access to the TSP’s data centers. For example, the agency didn’t regularly check which employees had access to data centers, which led, in one case, to an employee retaining access even after leaving the agency. “By not reviewing, approving and disabling physical access, an increased risk exists that individuals may have unnecessary or inappropriate access to TSP systems and data, putting the agency at risk or inadvertent or deliberate disclosure, modification or destruction of data,” the audit reported. TSP Executive Director Greg Long, in his written response to the report, said the issue has since been corrected.
Another report pointed out an incomplete, “ad hoc” process for monitoring the TSP website for potential incidents, which “increases the risk that incidents may not be appropriately identified, handled or resolved in a timely manner.” The agency said it will develop additional policies to correct the issue.
The agency also lacks a comprehensive inventory for tracking all of its hardware assets, another report found. “Without proper asset tracking, an increased risk exists that the agency could lose hardware assets containing sensitive participant information and the loss may go undetected.” In his response to the report, Long said the agency would award its lead technology contractor, SAIC, a new task order to develop an asset-management program.
Dingwall said the TSP has been diligent about following up with Labor to address open audit recommendations. All told, by Labor’s count, 70 recommendations have yet to be implemented by the agency.
Dingwall also pointed to an improved relationship between auditors and TSP staff.
“It hasn’t been as acrimonious as we’ve had in the past,” he said. “We’re getting along. I think the staff now realizes closing audit recommendations is part of their day job.”
For his part, Long said the agency is now better equipped to address issues uncovered in audits.
“We now have the people, the resources, the infrastructure that we didn’t have three years ago to close these recommendations,” he said.
In fact, the TSP board, which for years has relied solely on outside auditors, is in the beginning stages of building its own internal audit staff.