Third-party auditors found several deficiencies in the Department of Labor’s (DoL) information security program and determined it was not effective.
The Labor Department Office of Inspector General engaged KPMG LLP to conduct an independent audit of DoL’s Fiscal Year 2020 information security program. The audit assessed security controls across five cybersecurity function areas.
DoL spends approximately $666 million annually on IT assets that support the programs it relies on to fulfill its mission, so IT plays an integral role in the department’s services and operations.
“It’s imperative that DoL maintain a strong IT security program to protect these assets. Ineffective information security programs increase the risk of unavailable service, security breaches, and unreliable information,” the audit noted.
According to the audit, for an information security program to be considered effective, the Department of Homeland Security requires that security controls be implemented at the “Managed and Measurable” level for most cybersecurity functions. Auditors found that DoL’s information security program included all five cybersecurity functions, but that it had not reached the “Managed and Measurable” level in three of them: Identify, Detect, and Recover.
KPMG made 25 recommendations to improve DoL’s information security program, including establishing performance metrics. Auditors also alerted the Labor Department to deficiencies in how security control assessments were performed, in account management controls, and in the maintenance of system security plans. Eighteen of the 25 recommendations relate to those control deficiencies.
DoL Chief Information Officer Gundeep Ahluwalia said DoL agreed with the overall findings by KPMG and is currently addressing or developing plans to address all recommendations.