DOL IT Security Audit Reveals Gaps


More than eight months after the Labor Department released a list of cybersecurity best practices for ERISA practitioners, the department’s Inspector General released a report that found Labor’s IT security was seriously lacking.

The report was based on an audit conducted by KPMG, which noted more than a dozen issues with the Labor Department’s information security systems.

For example, IG Carolyn Hantz said the department failed to conduct annual security control assessments for 30 systems in FY21.

“Failure to perform an annual security control assessment could lead to overlooked threats and vulnerabilities, which may result in increased risk to the confidentiality, integrity and availability of information systems and data from the DOL,” the IG said.

Hantz also said the Department of Labor did not have an effective supply chain risk management program in place and did not keep accurate records of computer equipment. The department also did not register or review DOL user accounts.

The department said it agrees with the IG’s assessment and that the issues noted will be resolved.

In April, EBSA published guidance intended to address cybersecurity among practitioners.

“The cybersecurity guidelines we released today are an important step in helping plan sponsors, trustees and participants protect pension benefits and personal information,” Acting Assistant Secretary for Employee Benefits Security Ali Khawar said at the time. “These must-have tips underscore the importance plan sponsors and trustees should place on combating cybercrime and provide important advice for plan members and beneficiaries to remain vigilant against emerging cyberthreats.”

In several ways, the guidance mirrors some of the practices that Hantz said the Labor Department does not follow.

For example, the EBSA said covered plans must carry out “prudent annual risk assessments”.

“A robust cybersecurity program identifies and assesses internal and external cybersecurity risks that may threaten the confidentiality, integrity, or availability of stored nonpublic information,” the guidance states.

However, the IG said her office found instances in which department leadership would “informally accept the risk, rather than identify, assess and respond to the risk.”

The guidelines also state that “As the senior executive, the chief information security officer (CISO) would generally establish and maintain the vision, strategy, and operation of the cybersecurity program.”

Reviewing the Department of Labor as a whole, Hantz said, “In reviewing KPMG’s test results, we are concerned that the CIO’s oversight of the Department’s information technology will not ensure progress in implementing continuous information security monitoring controls.”
