IG warns Labor on information security

Among other problems, the department had a history of failing to switch off access privileges for former employees.


The Department of Labor has demonstrated "significant deficiencies" in key information security areas over the last five years, according to the DOL inspector general, who outlined a history of problems in the areas of access control, third-party oversight and configuration management.

According to the report, 11 former employees accessed agency networks with old credentials, and over a period of years the department had a history of failing to switch off access privileges for former employees.

Labor began to implement the use of personal identity verification cards only "in response to the Office of Personnel Management breach," per the report. However, the department failed to meet White House targets for identity, credential and access management in the recent cybersecurity sprint: 68 percent of privileged users and 65 percent of unprivileged users access agency networks via multifactor authentication. The administration set the bar for success at 75 percent.

The report also cites deficiencies in oversight of DOL systems operated by third parties. Problems included "physical and logical access controls not in place, improper use of shared accounts, system security assessments not performed, business impact assessments not performed, untested contingency plan, interconnections not fully documented, and agreements not in place," the report said.

OIG also warned Labor that it lacked a secure process for patching and upgrading software and for remediating known vulnerabilities.

The report notes that despite reports of progress, OIG "audits continue to identify similar deficiencies in information security." The report recommends that DOL adopt the same focus used to implement multi-factor authentication under the cyber sprint in remediating other access-control problems.

DOL submitted reply comments within the 10-day time frame urged by IG’s office, but an OIG representative told FCW that the responses were still being digested and no decision had been made on whether they would be released. Emails to the public affairs staff and CIO office at the Labor Department were not returned.