Audit Report
This report reflects the findings of the Office of Inspector General at the time that the audit report was issued. More current information may be available as a result of the resolution of this audit by the Department of Labor program agency and the auditee. For further information concerning the resolution of this report's findings, please contact the program agency.
Report Number: 09-99-007-11-001
Issue Date: July 20, 1999
On November 4, 1998, the Bureau of Labor Statistics (BLS) accidentally released the October 1998 employment data. The October employment data was scheduled for release on November 6, 1998, at 8:30 A.M. The early release of sensitive economic data affected financial markets. The BLS Commissioner requested that the Office of Inspector General (OIG) perform a comprehensive audit of the activities associated with the dissemination of sensitive BLS economic data.
On January 5, 1999, OIG started field work on the BLS economic data security audit. Within 3 weeks BLS experienced two additional data security compromises: (1) BLS released the Producer Price Index on January 12, 1999 (1 day early) and (2) an unidentified intruder (computer hacker) defaced BLS’ web page on January 22, 1999.
Our audit efforts focused on physical and automated security practices and procedures in three specific areas:
(1) information technology;
(2) program survey offices; and
(3) administration.
In general, our audit work demonstrated that, over a period of time, BLS operated and managed its information technology, program survey offices and certain administrative procedures without the benefit of sound internal controls. Our findings revealed that pervasive problems existed in BLS’ internal control structures. The audit report issued contains 41 recommendations which, when implemented, should eliminate or mitigate our findings. In our opinion, the absence of an effective, strong internal control environment contributed to the two premature releases of sensitive economic data and the penetration of BLS’ web page.
INFORMATION TECHNOLOGY: SECURITY VULNERABILITIES IDENTIFIED. In BLS, the Office of Technology and Survey Processing (OTSP) is delegated responsibility for information technology. In OTSP, we concentrated on identifying and evaluating information technology internal controls developed and implemented to protect BLS’ processing environment and sensitive economic data. We identified internal control deficiencies in four information technology environments.
(1) Web site operations
(2) Mainframe computer access security
(3) Application and system software testing and protection
(4) Local Area Network infrastructure
We consider these areas to be critical in successfully managing and protecting BLS’ information. The vulnerabilities arising from these internal control deficiencies threaten the integrity of BLS’ data. In our opinion, the January prerelease resulted from ineffective practices related to software testing and protection.
PROGRAM SURVEY OFFICES: INCONSISTENT SECURITY PRACTICES IDENTIFIED. We analyzed the processes and procedures required to produce sensitive economic data (Producer Price Index, Consumer Price Index, Employment Situation, etc.) for release to the media and the general public. We documented inconsistencies among the program survey offices in their efforts to protect the preparation (confidentiality) and release (time-sensitivity) of economic data. The policies and procedures for news release preparation varied; further, in some instances, the policies and procedures were fragmented and incomplete. Some of BLS’ program survey offices did not provide appropriate levels of protection for documents and electronic files containing time-sensitive and confidential data. We concluded that the weaknesses in policies and procedures over the preparation and release of economic information significantly contributed to the prerelease incident in November.
ADMINISTRATION: DEFICIENT PERSONNEL SECURITY AND MANAGEMENT CONTROL. We audited BLS’ administrative activities affecting information technology: personnel and management oversight. We determined BLS had not accurately classified position sensitivity. The sensitivity classifications for most of the positions we reviewed were inaccurate, indicating most were non-sensitive when in fact the individual occupying the position had access to sensitive information. This finding, when combined with the fact that many of the staff with access to sensitive information did not have appropriate security clearances, demonstrated a lack of control. We also found that staff with access to economic data were not provided periodic training and reminders on ethics responsibilities and investment restrictions.
We determined that BLS had undergone a number of internal and external management reviews and audits. Many of these studies contained effective recommendations which, if implemented, might have afforded BLS greater protection over its economic data. Unfortunately, BLS did not follow up to ensure the issues identified were corrected or the recommendations for corrective action implemented. In our opinion, the administrative activities we reviewed failed to provide a fundamental framework for (1) ensuring BLS’ Federal and contractor staffs understand the significance of the information they handle and work with and (2) providing management an early warning system to identify when established procedures are breaking down or are ineffective in protecting BLS information assets.
OIG’S CONCLUSION
BLS’ data has become increasingly difficult to protect due to advances over the past few years in easy-to-use, high-level inquiry languages; the spread of ever more powerful microprocessors; the accelerating use of the Internet; and the general increase in computer literacy worldwide. These advances mandate that BLS invest in durable, dynamic security practices and internal control structures to reduce the risk of inadvertent or deliberate disclosure and corruption of information assets. It is imperative that BLS act promptly to correct the identified deficiencies. Further errors in the timing of news releases or other security breaches may compromise BLS’ reputation and credibility, as well as erode public confidence in BLS reports.
We are generally satisfied with the actions BLS is taking or has completed to resolve our findings. Our primary concern, at this time, is that some BLS corrective actions will not be completed and implemented until 2002. We urge BLS to expedite its corrective actions wherever possible.
ACTIONS TAKEN BY THE BUREAU OF LABOR STATISTICS
We found BLS managers and staff to be professional in their concerns over the events leading up to the audit and their desire to promptly take corrective actions identified by the audit team (and, in some cases, their own internal review teams). They provided the audit team their in-depth analysis of the events leading up to the two premature releases and the hacking into the BLS web page. In many instances, BLS took corrective actions before we could document the problem and develop recommendations. We found our lines of communication and exchanges of information with BLS’ managers and staff to be highly effective.