Thursday, February 21, 2008

US GOVERNMENT AUDITORS URGE BETTER SECURITY FOR COMPUTERS (FederalTimes.com)

Auditors urge better security for TSP board’s laptops
February 21, 2008
The board running the Thrift Savings Plan needs to do a better job safeguarding its laptop computers, Blackberrys and other portable devices, according to an audit released Feb. 19.

The Labor Department’s Employee Benefits Security Administration conducted an audit of the Federal Retirement Thrift Investment Board and found that its laptops are not always encrypted or scanned for viruses before they are connected to the board’s network.


Auditors also found that employees’ Blackberry passwords are too short and simple to provide enough security. And the board has not yet finalized a plan for addressing potential security breaches in which personally identifiable information is lost, the audit found.

About 85 people work for the board at its Washington headquarters, and most have a laptop or desktop computer. Chief information officer Mark Hagerty said board employees do not keep the personal and financial information of TSP’s 3.8 million participants on their laptops.

The federal government experienced a string of laptop thefts and losses in 2006 that exposed the poor state of agencies’ computer security. The breaches jeopardized the personal information of tens of millions of federal employees, soldiers, veterans and other citizens.

“It’s always amazing to me how much is out there today that isn’t encrypted,” Ian Dingwall, chief accountant of the Employee Benefits Security Administration, said at the board’s monthly meeting in Washington.

TSP has had no data loss problems, but security concerns led the board in October to stop allowing participants to access their accounts with their Social Security numbers. TSP investors now use randomly generated account numbers.

The board agreed with Labor’s recommendations to completely encrypt computers and scan them for viruses, improve passwords, and finish a security breach plan.

The thrift board’s executive director, Gregory Long, said all laptops now have software that allows them to be tracked down or erased if they’re stolen. And if a lost laptop is rediscovered after its hard drive has been wiped, the board’s staff can restore the erased information, Hagerty said.

“The agency has made significant improvements, and will continue to do so,” Long said.

The board rejected one of Labor’s recommendations: to use cable locks to secure laptops to desks inside the office. The board’s laptops are most often used when on travel or telecommuting and are rarely used inside the office, Long said, so cable locks would not provide more security.

Modernization project on track
CIO Hagerty also told the board that its two-year, $15 million information technology systems modernization project is proceeding as scheduled. TSP’s network of mainframes, servers and storage computers had reached the limits of its capabilities, and the board decided in September to upgrade its systems.

TSP recently installed two new IBM mainframes, laid the groundwork for its new storage subsystems, and is buying software to protect against fraud and malicious programs such as “phishing” software.

TSP must still finish buying storage capacity, hire more IT security contractors, and complete tests of its systems, Hagerty said.

But TSP is also looking for some technology advancements before it can finish its upgrades. Hagerty said the technology used to encrypt stored data is still “somewhat immature.”

The board is continuing to work on restricting the number of interfund transfers participants can conduct each month. External affairs director Tom Trabucco said the board has heard complaints from about 50 of the more than 3,000 people identified as frequent traders. The board said that frequent trading drives the cost of administering TSP up by millions of dollars.

“There doesn’t seem to be a strong up-swell of support,” Trabucco said. “A few people even called us to apologize. They said they didn’t realize they were causing problems.”
