U.S. Department of Labor
Office of Inspector General

Audit Report

BLS INFORMATION TECHNOLOGY, SURVEY PROCESSING, AND ADMINISTRATIVE CONTROLS MUST BE IMPROVED

This document is a summary of a printed document. The printed document may contain charts and photographs which are not reproduced in this electronic version. If you require the printed version of this document, contact the Freedom of Information Act Officer, Office of Inspector General, U.S. Department of Labor, Washington, DC 20210, or call (202) 219-4930.

This report reflects the findings of the Office of Inspector General at the time that the audit report was issued. More current information may be available as a result of the resolution of this audit by the Department of Labor program agency and the auditee. For further information concerning the resolution of this report's findings, please contact the program agency.

Report Title:  BLS Information Technology, Survey Processing, and Administrative
                        Controls Must be Improved

Report Number:  09-99-007-11-001

Issue Date:     July 20, 1999
 

On November 4, 1998, the Bureau of Labor Statistics (BLS) accidentally released the October 1998 employment data.  The October employment data was supposed to be released on November 6, 1998, at 8:30 A.M.  The early release of sensitive economic data affected financial markets.  The BLS Commissioner requested the Office of Inspector General (OIG) perform a comprehensive audit of the activities associated with the dissemination of sensitive BLS economic data.

On January 5, 1999, OIG started field work on the BLS economic data security audit.  Within 3 weeks BLS experienced two additional data security compromises: (1) BLS released the Producer Price Index on January 12, 1999 (1 day early) and (2) an unidentified intruder (computer hacker) defaced BLS’ web page on January 22, 1999.

Our audit efforts focused on physical and automated security practices and procedures in three specific areas:

          (1)  information technology;
          (2)  program survey offices; and
          (3)  administration.

In general, our audit work demonstrated that, over a period of time, BLS operated and managed its information technology, program survey offices and certain administrative procedures without the benefit of sound internal controls.  Our findings revealed pervasive problems existed in BLS’ internal control structures.  The audit report issued contains 41 recommendations which when implemented should eliminate or mitigate our findings.  In our opinion, the absence of an effective, strong internal control environment contributed to the two premature releases of sensitive economic data and the penetration of BLS’ web page.

INFORMATION TECHNOLOGY:  SECURITY VULNERABILITIES IDENTIFIED.  In BLS, the Office of Technology and Survey Processing (OTSP) is delegated responsibility for information technology.   In OTSP, we concentrated on identifying and evaluating information technology internal controls developed and implemented to protect BLS’ processing environment and sensitive economic data.   We identified internal control deficiencies in four information technology environments.

               (1)  Web site operations
               (2)  Mainframe computer access security
               (3)  Application and system software testing and protection
               (4)  Local Area Network infrastructure

We consider these areas to be critical in successfully managing and protecting BLS’ information.  The vulnerabilities arising from these internal control deficiencies threaten the integrity of BLS’ data.  In our opinion, the January prerelease resulted from ineffective practices related to software testing and protection.

PROGRAM SURVEY OFFICES:  INCONSISTENT SECURITY PRACTICES IDENTIFIED.  We analyzed the processes and procedures required to produce sensitive economic data (Producer Price Index, Consumer Price Index, Employment Situation, etc.) for release to the media and the general public.  We documented inconsistencies among the program survey offices in their efforts to protect the preparation (confidentiality) and release (time- sensitivity) of economic data.  The policies and procedures varied for news release preparation;  further, in some instances, the polices and procedures were fragmented and incomplete.  Some of BLS’ program survey offices did not provide appropriate levels of protection for documents and electronic files containing time-sensitive and confidential data.  We concluded the weaknesses in policies and procedures over the preparation and release of economic information significantly contributed to the prerelease incident in November.

ADMINISTRATION:  DEFICIENT PERSONNEL SECURITY AND MANAGEMENT CONTROL.   We audited BLS’ administrative activities impacting on information technology - personnel and management oversight.  We determined BLS had not accurately classified position sensitivity.  The sensitivity classifications for most of the positions we reviewed were inaccurate-indicating most were non-sensitive when in fact the individual occupying the position had access to sensitive information.  This finding, when combined with the fact many of the staff with access to sensitive information did not have appropriate security clearances, demonstrated a  lack of control.  We also found staff with access to economic data was not provided periodic
training and reminders on ethics responsibilities and investment restrictions.   We determined that BLS had undergone a number of internal and external management reviews and audits.  Many of these studies contained effective recommendations which, if implemented, might have afforded BLS greater protection over its economic data.  Unfortunately, BLS did not follow up to ensure the issues identified were corrected or the recommendations for corrective action implemented.  In our opinion, the administrative activities we reviewed failed to provide a fundamental framework for (1) ensuring BLS’ Federal and contractor staffs understand the significance of the information they handle and work with and (2) providing management an early warning system to identify when established procedures are breaking down or are ineffective in protecting BLS information assets.

OIG’S CONCLUSION

BLS’ data has become increasingly difficult to protect due to advances over the past few years in easy-to-use, high-level-inquiry languages; the spread of ever more powerful microprocessors; the accelerating use of the Internet; and, the general increase in computer literacy, world wide.  These advances mandate BLS invest in durable, dynamic security practices and internal control structures to reduce the risk of inadvertent or deliberate disclosure and corruption of information assets.  It is imperative BLS acts promptly to correct the identified deficiencies.  Further errors in the timing of news releases or other security breaches may compromise BLS’ reputation and credibility, as well as erode public confidence in BLS reports.

We are generally satisfied with actions BLS is taking or has completed to resolve our findings.  Our primary concern, at this time, is some BLS corrective actions will not be completed and implemented until 2002.  We urge BLS to expedite its corrective actions wherever possible.

ACTIONS TAKEN BY THE BUREAU OF LABOR STATISTICS

We found BLS managers and staff to be professional in their concerns over the events leading up to the audit and their desire to promptly take corrective actions identified by the audit team (and, in some cases, their own internal review teams).  They provided the audit team their in-depth analysis of the events leading up to the two premature releases and the hacking into the BLS web page.  In many instances, BLS took corrective actions before we could document the problem and develop recommendations. We found our lines of communication and exchanges of information with BLS’ managers and staff to be highly effective.

Report in PDFFull Text of Report


Return to Audit ReportsReturn to Audit Reports            Return to Audit Reports (Text Only)