The Office of Personnel Management (OPM) Office of the Inspector General (OIG) recommended improvements to OPM’s security management, logical access, and configuration management in an audit of the agency’s financial records released on Nov. 18.
The auditors wrote that in Fiscal Year 2019, OPM produced accurate and fair financial statements in accordance with U.S. accounting principles. However, the inspector general said, OPM lacks adequate internal information system controls, a gap that could compromise the reliability and integrity of agency data and financial statements.
Many of the system deficiencies in FY2019 carried over from FY2018. The OIG report noted that the persistent problems could be due to a variety of factors including: lack of centralized procedures; failure to address risks and recommendations in newly designed controls; insufficient governance; and a lack of time to implement risk mitigation strategies.
OIG first raised concerns with OPM’s security management procedures, saying the agency lacks an understanding of all devices and controls on its systems, and therefore cannot provide comprehensive security oversight or risk mitigation. That lack of insight also increases the possibility of unauthorized access to sensitive information and puts financial systems at risk of being compromised. To improve security management, OIG made five recommendations:
- Review and update System Security Plans and Authority to Operate Packages;
- Enhance the processes in place to track inventory of OPM systems;
- Implement a system that tracks the employment status of OPM contractors;
- Assign specific individuals to oversee and monitor Plans of Actions and Milestones to ensure that security weaknesses are remediated in a timely manner; and
- Establish a way to document users with significant information system responsibility to ensure that appropriate training is completed.
OPM also struggles to keep up with authorization of new hires and reassignments, the report states. Without proper authorization, employees may not be able to access functions that are necessary to perform their job duties. Users with too much access, on the other hand, increase the risk of unauthorized transactions. OIG made several recommendations to OPM to fix logical access issues including:
- Implement two-factor authentication for applications;
- Establish a way to document all users who have access to systems and users who have had their access revoked;
- Configure password and inactivity parameters to align with agency policies; and
- Perform a periodic review of personnel with access to information systems.
Lastly, the lack of configuration management procedures at OPM leaves the agency susceptible to unauthorized changes to the information systems environment, OIG reported. As a result, changes could go unrecognized and undermine the financial review and approval process. OIG provided five recommendations to OPM for improving configuration management:
- Establish a method to systematically track all configuration items that are migrated to production;
- Separate users with the ability to develop and migrate changes to production;
- Conduct post-implementation reviews to validate the authorization of changes;
- Require mandatory security configuration settings; and
- Update patch management procedures to reflect current operating conditions.
OPM concurred with the OIG recommendations and said it would implement a corrective action plan in the new fiscal year.