[TEXT ONLY]
This document is a summary of a printed document. The printed document may contain charts and photographs which are not reproduced in this electronic version. If you require the printed version of this document, contact the Freedom of Information Act Officer, Office of Inspector General, U.S. Department of Labor, Washington, DC 20210, or call (202) 693-5116.
This report reflects the findings of the Office of Inspector General at the time that the audit report was issued. More current information may be available as a result of the resolution of this audit by the Department of Labor program agency and the auditee. For further information concerning the resolution of this report's findings, please contact the program agency.
OIG has started using Acrobat 4.0 to prepare it's latest Audit reports. If you are experiencing problems downloading some of the larger PDF files, you may want to download the latest version of the Adobe Acrobat Reader by clicking the link provided below.
The Unemployment Insurance (UI) Weekly Claims Press Release is issued by the U.S. Department of Labor (DOL) every Thursday morning at 8:30 a.m. The UI Weekly Claims Press Release contains the National total of initial claims for UI and is one of the leading economic indicators that may affect the financial and monetary markets. Therefore, there is a need to protect the data and the UI Weekly Claims Press Release from unauthorized use and release while it is in embargoed status.
The Office of Inspector General (OIG) performed a limited scope audit to assess (1) the internal controls used to ensure the accuracy and completeness of the data used to produce the UI Weekly Claims Press Release, and (2) the internal controls over issuing the UI Weekly Claims Press Release and safeguarding the embargoed information against unauthorized use or early release to the public (prerelease). Our audit covered all aspects of the UI Weekly Claims Press Release process, from the compiling of the data by DRR to the release of the UI Weekly Claims Press Release by OIPA.
We found there were several significant control weaknesses that must be corrected to adequately safeguard the information against unauthorized use or prerelease to the public. In the area of data processing and report production we found (1) that the embargoed data and UI Weekly Claims Press Release are processed and produced in an unsecured office environment; (2) there are security vulnerabilities in the procedures used to deliver advance copies of the UI Weekly Claims Press Release package to the four high-level DOL officials the day before the UI Weekly Claims Press Release is officially released; (3) a library management system is not used to track multiple versions of software production programs used to compile the data; (4) there is no security clearance policy for individuals with access to embargoed data; (5) situations can occur where one person controls the entire UI Weekly Claims Press Release process; and (6) there are no formal procedures for responding to security incidents.
We also found that the ETA LAN server used to store the UI Weekly Claim Press Release and supporting documents has several weaknesses that compromise the security level needed for embargoed documents. An excessive number of network administrators have access to the server containing the embargoed documents and the embargoed documents are not encrypted while stored on the server. Additionally, periodic security evaluations using a security software package are not performed.
We recommended that ETA promptly correct the internal control weaknesses. Our major recommendations to ETA were to (1) create a restricted access office area for processing the embargoed data and producing the UI Weekly Claims Press Release; (2) strengthen the procedures used to deliver the advance copies of the UI Weekly Claims Press Release package; (3) develop and implement a security clearance policy for individuals with access to embargoed data; and (4) use a use a stand-alone computer located in a secure area to store the embargoed UI Weekly Claims Press Release and supporting documents before the official release time.
Overall, ETA responded that it did not consider the findings in the report as significant control weaknesses. ETA has already taken action on some of the report recommendations. However, in referring to the recommendation for restricted office space, ETA stated that although it would be desirable, at the current time there are severe limitations on space availability. ETA further stated that the space where the embargoed data and the UI Weekly Claims Press Release are processed and produced is scheduled to be reconfigured in 2002 and the current space plans will be reviewed to see if alterations can be made to isolate the area. Concerning security clearances, ETA stated that the Federal staff currently working on the UI Weekly Claims Press Release Process have been doing so for a long time. Therefore, ETA does not believe that a security clearance investigation is warranted for them. However, ETA will implement a policy to require a background investigation for any new employee who has access to the embargoed data.
We disagree with ETA’s conclusion that the
findings in the report are not significant control weaknesses. Because the
UI Weekly Claims Press Release contains embargoed data, it is critical
that the data be protected until it is released at the prescribed time.
ETA must recognize that in managing security of sensitive information, the
risks associated with the UI Weekly Claims Press Release process should be
identified and reduced. Unauthorized use and disclosure of the embargoed
data and the UI Weekly Claims Press Release can affect the financial
markets and damage DOL’s reputation for managing sensitive information.
Therefore, it is necessary that ETA take appropriate measures to protect
the embargoed data and press release and minimize the risk against
unauthorized use and disclosure. By failing to recognize the significance
of the report findings and the need for timely corrective action, ETA is
accepting more risk than is necessary under the circumstances. We believe
that ETA must take immediate corrective action, as recommended in this
report, to improve the security over the UI Weekly Claims Press Release
process.
Report No. 03-00-011-03-315 (August 21, 2000)
