TSP cyber security breaches have been a nightmare for the federal government for several years now, and the Thrift Savings Plan (TSP) Board, the Federal Retirement Thrift Investment Board (FRTIB), is well aware of it. But a recent audit report says that the agency is slow at improving its cyber security. The agency became a victim of a cyber attack in 2012, and since then it has not achieved the level of security it should have. One might wonder: after such an awful incident, why wouldn’t the agency take corrective steps?
Audit Says Thrift Savings Plan Board Needs Better TSP Cyber Security
A performance audit of the Thrift Savings Plan Board was conducted for fiscal 2016. It revealed that the agency is not complying with the metrics laid out by the Department of Homeland Security under the Federal Information Security Modernization Act (FISMA). All FISMA performance audits usually take in metrics from three entities: the organization’s inspector general, its chief information officer and its senior privacy official.
Though the Thrift Savings Plan Board, FRTIB, has reported privacy officer and CIO results many times in the past, it underwent its first FISMA inspector general audit in fiscal 2016. As the agency doesn’t have an internal inspector general, the audit was conducted by an independent auditor, Ernst and Young.
FRTIB Audit Mistakes
The audit highlighted that the Thrift Savings Plan Board, FRTIB, has not implemented a Personal Identity Verification (PIV) program for its users. The agency stated that it would implement two-factor authentication for all users by the end of the next quarter.
The agency has also failed to implement any risk management strategy or procedure that can help in assessing the effectiveness of its security controls. This has been an ongoing task for the organization: it stated last year that it had several functions of a risk management office in place, but not all of them.
The Thrift Savings Plan Board also doesn’t have a program to oversee the systems run by its contractors. It doesn’t even have a formal process to monitor, measure and report the information security performance of those contractors.
Ernst and Young also highlighted that one of the biggest challenges for the board is to develop a program that continuously monitors cyber security. As of the writing of this article, it has yet to finalize a policy in this regard. Executives have also not received continuous monitoring training. Executives, managers and IT administrators have yet to undergo specialized security awareness and privacy training, which they have not completed even once.
The Thrift Savings Plan Board also doesn’t have proper procedures to ensure seamless communication with DHS if a cyber incident occurs. There is also no policy for making use of the department’s EINSTEIN program.
Cyber Security Progress
Ernst and Young also acknowledged that the board has made some progress and will continue to do so this year. It also recognized that not all pertinent information was included in the 2016 FISMA report.
Wenner Lippner, a Principal at Ernst and Young, stated at the board’s meeting held on February 27, 2017, that FRTIB had continued to strengthen its information security posture, management practices and controls both before and after the audit. E&Y reviewed only four of FRTIB’s 19 systems for the 2016 audit.
The Acceptance of TSP Cyber Security Needs
The Thrift Savings Plan Board has acknowledged many of its cyber security challenges. It also studied private-sector best practices last year and signaled that cyber security would be a major project for the agency this year.
It is vital for the agency to fix its cyber security systems if it doesn’t want history to repeat itself. The agency suffered a cyber breach in 2012, in which the personal information of 123,000 TSP participants was compromised via one of the contractors hired by the agency. At that time, the organization received some flak from Congress and the Labor Department for not having proper security systems in place and for not paying attention to the concerns raised by outside auditors.
TSP Cyber Security Recommendations
The agency is now trying to close the audit recommendations. It closed four of 12 recommendations during the first quarter of fiscal 2017. In the previous quarter, it had closed five of 63 recommendations. To date, the organization has received 165 sub-recommendations from external auditors. The Labor Department has also issued five new recommendations and re-issued another from the previous year.
Greg Long, Executive Director of the Thrift Savings Plan Board, the Federal Retirement Thrift Investment Board, has stated that the audit closure rate is not acceptable. The agency has been working through responses to about 35 audits from fiscal 2016 and 2017, with 11 more to respond to in fiscal 2017. Long stated that this has been a source of significant stress in the organization.