The U.S. Government Publishing Office’s (GPO) Office of Inspector General (IG) has flagged three continuing IT control issues at GPO involving access controls, separation of duties, and drafting of contingency plans in the event of network service interruptions.
In a report dated Jan. 31, the IG noted that each of the three IT control issues it identified in its report for FY 2018 has been the subject of similar findings since 2011.
The three areas of concern are:
- Weaknesses identified in access controls that left a small number of former employees able to access their GPO accounts for up to 66 days after they left the agency, although according to the IG none of the employees did so. “We noted that GPO’s timeliness policy is not restrictive enough to protect against the threat of a separated user access GPO systems,” the IG said. It recommended that GPO’s CIO update relevant policies and procedures to align with promulgation of the agency’s biweekly human capital separations report.
- Weaknesses identified in GPO’s separation of duties policy that make it difficult for management to identify and monitor network users with conflicting roles and responsibilities. GPO noted that a fix for the problem has not yet been implemented, but that testing for a remedy was expected to be completed in the early part of FY 2019. The IG recommended that GPO’s CIO complete testing and implementation of the remedy, and update the related separation of duties matrix to clearly identify conflicting roles.
- Weaknesses identified in general support system (GSS) contingency planning, as GPO has not yet finalized, approved, and tested a draft contingency plan for its GSS. Without such a plan and testing process in place, “GPO may not be able to successfully recover data files and systems to maintain business functions during the event of a service disruption,” the IG report says. The IG recommended the agency CIO complete testing and then finalize the new GSS contingency plan.