2000 - Audit Report

U.S. Department of Labor
Office of Inspector General
Office of Audit

LIMITED SCOPE AUDIT OF CONTROLS OVER THE OFFICE OF WORKFORCE SECURITY UI WEEKLY CLAIMS PRESS RELEASE

Information obtained from the Internet may not be in the same format as a hard copy obtained from the Office. Depending on the requester, the quantity of information provided may also vary. In order to appeal any deleted information received via the Internet, you must make a formal written request for the same material. Further, some of the audit reports issued prior to FY 1998 may no longer be available. They may have been destroyed in accordance with our records retnetion schedule. However, any request for audit reports or other audit materials should be sent to the OIG, Disclosure Officer, Room S1303, 200 Constitution Avenue, N.W., Washington, D. C. 20210.

Unless otherwise stated, the audit reports provided on this web page reflect the findings of the OIG at the time that the audit report was issued. The auditee may have more current information available as a result of audit resolution activities.

The OIG is using Adobe Acrobat 4.0 to prepare its audit reports for the internet. If you experience problems accessing the PDF files, you may want to download the latest version of the Adobe Acrobat Reader by clicking on the link provided.

[ Link to Acrobat 4.0 Reader ]

The Unemployment Insurance (UI) Weekly Claims Press Release is issued by the U.S. Department of Labor (DOL) every Thursday morning at 8:30 a.m. The UI Weekly Claims Press Release contains the National total of initial claims for UI and is one of the leading economic indicators that may affect the financial and monetary markets. Therefore, there is a need to protect the data and the UI Weekly Claims Press Release from unauthorized use and release while it is in embargoed status.

The Office of Inspector General (OIG) performed a limited scope audit to assess (1) the internal controls used to ensure the accuracy and completeness of the data used to produce the UI Weekly Claims Press Release, and (2) the internal controls over issuing the UI Weekly Claims Press Release and safeguarding the embargoed information against unauthorized use or early release to the public (prerelease). Our audit covered all aspects of the UI Weekly Claims Press Release process, from the compiling of the data by DRR to the release of the UI Weekly Claims Press Release by OIPA.

We found there were several significant control weaknesses that must be corrected to adequately safeguard the information against unauthorized use or prerelease to the public. In the area of data processing and report production we found (1) that the embargoed data and UI Weekly Claims Press Release are processed and produced in an unsecured office environment; (2) there are security vulnerabilities in the procedures used to deliver advance copies of the UI Weekly Claims Press Release package to the four high-level DOL officials the day before the UI Weekly Claims Press Release is officially released; (3) a library management system is not used to track multiple versions of software production programs used to compile the data; (4) there is no security clearance policy for individuals with access to embargoed data; (5) situations can occur where one person controls the entire UI Weekly Claims Press Release process; and (6) there are no formal procedures for responding to security incidents.

We also found that the ETA LAN server used to store the UI Weekly Claim Press Release and supporting documents has several weaknesses that compromise the security level needed for embargoed documents. An excessive number of network administrators have access to the server containing the embargoed documents and the embargoed documents are not encrypted while stored on the server. Additionally, periodic security evaluations using a security software package are not performed.

We recommended that ETA promptly correct the internal control weaknesses. Our major recommendations to ETA were to (1) create a restricted access office area for processing the embargoed data and producing the UI Weekly Claims Press Release; (2) strengthen the procedures used to deliver the advance copies of the UI Weekly Claims Press Release package; (3) develop and implement a security clearance policy for individuals with access to embargoed data; and (4) use a use a stand-alone computer located in a secure area to store the embargoed UI Weekly Claims Press Release and supporting documents before the official release time.

Overall, ETA responded that it did not consider the findings in the report as significant control weaknesses. ETA has already taken action on some of the report recommendations. However, in referring to the recommendation for restricted office space, ETA stated that although it would be desirable, at the current time there are severe limitations on space availability. ETA further stated that the space where the embargoed data and the UI Weekly Claims Press Release are processed and produced is scheduled to be reconfigured in 2002 and the current space plans will be reviewed to see if alterations can be made to isolate the area. Concerning security clearances, ETA stated that the Federal staff currently working on the UI Weekly Claims Press Release Process have been doing so for a long time. Therefore, ETA does not believe that a security clearance investigation is warranted for them. However, ETA will implement a policy to require a background investigation for any new employee who has access to the embargoed data.

We disagree with ETA s conclusion that the findings in the report are not significant control weaknesses. Because the UI Weekly Claims Press Release contains embargoed data, it is critical that the data be protected until it is released at the prescribed time. ETA must recognize that in managing security of sensitive information, the risks associated with the UI Weekly Claims Press Release process should be identified and reduced. Unauthorized use and disclosure of the embargoed data and the UI Weekly Claims Press Release can affect the financial markets and damage DOL s reputation for managing sensitive information. Therefore, it is necessary that ETA take appropriate measures to protect the embargoed data and press release and minimize the risk against unauthorized use and disclosure. By failing to recognize the significance of the report findings and the need for timely corrective action, ETA is accepting more risk than is necessary under the circumstances. We believe that ETA must take immediate corrective action, as recommended in this report, to improve the security over the UI Weekly Claims Press Release process.

Report No. 03-00-011-03-315 (August 21, 2000)

[ Get Complete Report PDF ] 26 pp. {51 k}

REPORTS BY FISCAL YEAR

[ 2000 Reports ]

[ 1999 Reports ]

[ 1998 Reports ]

[ Prior to 1998 ]

GO TO --

[ Annual Audit Plans ]

[ Audit Process ]

[ Audit Reports ]

[ FOIA ]