EXECUTIVE SUMMARY
OBJECTIVE
The objectives of this review were to determine whether
the Social Security Administration (SSA) accurately extracted and
transmitted earnings data from its Master Earnings File (MEF) onto
the Social Security Initiated Personal Earnings and Benefit Estimate
Statements (SIPEBES) and whether controls at the contractor, who
prints and distributes SIPEBES, are adequate to safeguard this data
against improper disclosure.
BACKGROUND
SIPEBES. Section 1143 of the
Social Security Act requires SSA to begin an automatic distribution
of yearly earnings and benefit estimate statements to eligible individuals.
SIPEBES provides individuals with the opportunity to review their
earnings records for accuracy. It also serves as a useful tool for
individuals in planning for their economic security in the event
of retirement, disability, or death. SIPEBES provides individuals
with their earnings history year by year, estimated Social Security
taxes paid, and an estimate of future retirement and disability benefits,
as well as potential survivor benefits should the individual die.
Distribution of SIPEBES began in February 1995 to individuals
60 years of age and older. Since then, other age groups have been, and
will continue to be, added in phases until Fiscal Year (FY) 2000, when
all age groups in the program (about 123 million individuals) will
receive yearly statements.
SIPEBES Contractor.
KPT Incorporated (KPT), located in Dallas, Texas, is the current
contractor who prints and distributes SIPEBES to individuals for
SSA. KPT was selected by the Government Printing Office (GPO) from
a number of competitive bidders to perform the work for Calendar
Years (CY) 1997 and 1998. The company has past experience distributing
similar earnings statements for SSA. In CY 1995, KPT distributed
Personal Earnings and Benefit Estimate Statements that were requested
by individuals.
Our review was performed in accordance with generally
accepted government auditing standards and included tests of internal
controls and compliance with laws and regulations, to the extent
necessary, to meet the objectives of our audit. Field work was performed
at SSA Headquarters in Baltimore, Maryland; at KPT in Dallas, Texas;
and at our field office in Philadelphia, Pennsylvania, between December 1996
and May 1997.
RESULTS OF REVIEW
The earnings reported to the public on their SIPEBES accurately reflected
SSA's earnings records. There were no reportable discrepancies.
Our testing of completed SIPEBES, combined with our examination
of SSA's functional requirements and validation tests to
ensure the system's accuracy, showed that the system was working
properly.
In general, the physical security controls at the SIPEBES contractor's
site were adequate. We saw no indication of any significant internal
control breakdowns of physical security at the site. The contractor's
management showed a supportive attitude toward their control
responsibilities, and contractor personnel were generally aware
of the control procedures they were to follow and their respective
responsibilities.
The security requirements in place for the SIPEBES information system,
covering the contractor, need to be improved to meet established security
plan requirements. The current security requirements are mainly
contained in 1) a contract with the SIPEBES contractor and 2)
a general security plan submitted to SSA by the contractor. Neither
the contract nor the general security plan, however, address
all established security plan requirements. We believe that SSA
needs a written security plan which follows established security
plan requirements for this sensitive information system to be
in full compliance with the law. The Privacy Act of 1974, the
Computer Security Act of 1987, and the Office of Management and
Budget (OMB) Circular A-130, together, require SSA management
to establish special security plans in writing to cover all employees
for sensitive information systems such as SIPEBES.
RECOMMENDATIONS
We recommend that SSA develop a security plan which
includes:
specific security requirements for contractor personnel
to follow, and the consequences for not following them;
systems security awareness initiatives and security-related
training programs for contractor personnel based on the requirements;
and
periodic security inspections at the contractor's
site to ensure that the plan is operating and/or to determine whether
further improvements are needed.
AGENCY COMMENTS
SSA responded to a draft of this report and agreed
with our findings and recommendations to address the internal control
weaknesses identified in that report. Some minor revisions have been
incorporated into this report based on SSA's comments. SSA's
written response is included in its entirety as Appendix A.
INTRODUCTION
OBJECTIVES
The objectives of our review were to determine whether
SSA accurately extracted and transmitted earnings data from its MEF
onto SIPEBES and whether controls at the contractor, who prints and
distributes SIPEBES, are adequate to safeguard this data against
improper disclosure.
BACKGROUND
Overview of the SIPEBES Program. Section 1143 of the Social Security Act requires
SSA to begin an automatic distribution of yearly earnings and benefit
estimate statements to eligible individuals. Eligible individuals
are persons age 25 and older who are nonbeneficiaries, have a Social
Security number (SSN), and have wages or net earnings from self-employment.
SIPEBES distribution began in FY 1995 with statements
issued to individuals 60 years of age and older. Since then,
distribution has expanded in phases to include younger workers. Beginning
in FY 2000, SSA's ultimate goal, through one or more contractors,
is to send out about 123 million statements yearly to all eligible
individuals.
SSA expects the initial statements to produce significant
general inquiries, earnings corrections, and other public contact
workloads. The public will be able to review their earnings record
and, with appropriate documentation, have SSA make corrections if
necessary. Maintaining accurate earnings records for individuals
is very important, since Social Security benefit payments are based
on average lifetime earnings.
In addition to providing yearly earnings history, estimated
Social Security taxes paid, and benefit estimates, SIPEBES contains
other information. Also shown is a message from the Commissioner
of Social Security explaining the purpose of SIPEBES; identifying
information such as name, SSN(s), and date of birth; Medicare wages
and estimated Medicare taxes paid; and answers to some frequently
asked questions.
SIPEBES Contractor.
KPT, located in Dallas, Texas, is the current contractor who prints
and distributes SIPEBES to eligible individuals. This process begins
at SSA's National Computer Center (NCC), located in Baltimore,
Maryland. The NCC electronically transmits SIPEBES data to KPT from
SSA's records on a daily basis. From these transmissions, KPT
prints this data onto SIPEBES forms and then delivers them to the
U.S. Post Office where they are mailed to individuals.
This contractor has past experience performing similar
work for SSA. In 1995, GPO awarded KPT a 1-year competitive contract
to print and distribute similar earnings statements known as OR-PEBES
(On Request Personal Earnings and Benefit Estimate Statements). Recently,
KPT was awarded the SIPEBES competitive contract by GPO. This contract
period covers about 2 years and will expire on December 31, 1998.
Security Requirements.
There are a number of security requirements applicable to the SIPEBES
information system:
The Privacy Act of 1974 requires Federal agencies
that maintain a system of records to establish rules of conduct
and instruction for persons involved with that system. In addition,
section 552a(e)(10) of the Privacy Act (5 U.S.C. 552a) requires Federal agencies
to establish appropriate administrative, technical, and physical
safeguards to ensure the security and confidentiality of records,
and to protect against any anticipated threats or hazards to their
security or integrity which could result in substantial harm, embarrassment,
inconvenience, or unfairness to any individual on whom information
is maintained.
The Computer Security Act of 1987 requires agencies
to develop security plans for all Federal computer systems that
contain sensitive data, and to provide mandatory training in security
for all individuals with access to the systems.
OMB Circular A-130, Appendix III, Security of Federal
Automated Information Resources, in accordance with the Computer
Security Act of 1987, requires Federal agencies to establish a
security awareness and training program. The Circular also requires
agencies to provide mandatory, periodic training in computer security
awareness and accepted security practice for all employees who
are involved with the management, use, or operation of a Federal
computer system within or under the supervision of the Federal
agency. The requirement includes contractors, as well as employees
of the agency.
OMB Circular A-123, Management Accountability and
Control, and the Federal Managers' Financial Integrity Act
require that significant weaknesses identified during the review
of security controls be reported as a deficiency.
SSA's Systems Security Handbook summarizes the
statutory requirements SSA is subject to in order to protect the
sensitive information it gathers and maintains. It also states
the administrative controls SSA must establish to prevent fraud,
waste, and abuse. The Agency must also ensure that contractor personnel
abide by these systems security requirements.
SCOPE
Our audit was conducted in accordance with generally
accepted government auditing standards and included tests of internal
controls and compliance with laws and regulations, to the extent
necessary, to meet the objectives of our audit.
To achieve our first objective, we compared the earnings
shown on 300 completed SIPEBES to SSA's earnings records.
These 300 SIPEBES were processed by the contractor over a 3-day period
(100 each day) and were judgmentally selected by the auditors. They
were chosen from batches printed at KPT during the early stages of
initial production. The contractor printed an additional copy of
the selected SIPEBES for the auditors to evaluate. The yearly earnings
shown in the columns titled "Social Security Your Reported Earnings" and "Medicare
Your Reported Earnings" were matched against the yearly earnings
shown on SSA's MEF.
We also reviewed and evaluated SSA's validation
of the computer system used to transmit SIPEBES data from the NCC
to the contractor. Systems validation is a user-acceptance process
which ensures that the released software meets the functional requirements
and does not adversely affect any other parts of the system.
To accomplish our second objective, we interviewed
KPT management and staff; reviewed their general security plan, policies,
and procedures; and observed and assessed their SIPEBES control environment
over a 4-day period. We also made inquiries about security policies
and procedures with SSA personnel at Headquarters, and with the responsible
GPO contracting officer.
Because our review was limited, it would not necessarily
have disclosed all internal control deficiencies that may have existed
at the time of our audit. We did not review SSA's system that
posts earnings to the MEF and estimates benefits on SIPEBES. Our review
was conducted in Dallas, Texas; Baltimore, Maryland; and Philadelphia,
Pennsylvania. The audit field work was conducted from December 1996
to May 1997.
RESULTS OF REVIEW
ACCURACY OF SIPEBES
Comparison of SIPEBES to MEF
SSA's SIPEBES system accurately transfers individuals' recorded
earnings from its internal records onto SIPEBES. In addition, SSA
adequately tested the system prior to implementing it. We compared
the earnings shown on 300 judgmentally selected SIPEBES to earnings
recorded on SSA's records. These SIPEBES were selected from
batches run by the contractor. Our comparison of selected SIPEBES
information to SSA's MEF found no discrepancies that would cause
SIPEBES misstatements. There were, however, several instances where
the earnings records showed earnings in excess of the taxable maximum.
In those cases the SIPEBES program correctly printed the taxable maximum
for statement purposes rather than the full posted amount.
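The comparison described above, the printed "Your Reported Earnings" columns checked year by year against the posted earnings, with Social Security earnings expected to be capped at the taxable maximum, is the kind of test that is easy to automate over a sample. The following is an added example, not code from the report or from SSA, showing such a reconciliation. The taxable-maximum table, the record identifiers, and the master and statement figures are all constructed for the example; the function and field names are the example's own.

```python
"""Reconcile earnings printed on sampled statements against the master record.

Added example, not part of the OIG report. All amounts, identifiers and the
taxable-maximum table below are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple

D = Decimal

# Assumed Social Security taxable maximums by year. Illustrative only; an
# audit would load the official table for every year the statements cover.
SS_TAXABLE_MAX: Dict[int, Decimal] = {
    1994: D("60600"),
    1995: D("61200"),
    1996: D("62700"),
}

# One year of posted earnings: (Social Security wages, Medicare wages).
YearEarnings = Tuple[Decimal, Decimal]


@dataclass(frozen=True)
class Finding:
    """One discrepancy between a printed statement and the master record."""
    record_id: str   # opaque sample identifier; the SSN itself stays out of workpapers
    year: int
    column: str      # "ss" or "medicare"
    expected: str
    printed: str


def expected_statement_line(year: int, posted: YearEarnings) -> YearEarnings:
    """Return what the statement should print for one year of posted earnings.

    Social Security earnings are capped at that year's taxable maximum;
    Medicare earnings are printed as posted (this example assumes no cap).
    """
    ss_posted, medicare_posted = posted
    cap = SS_TAXABLE_MAX.get(year)
    if cap is None:
        raise KeyError(f"no taxable maximum loaded for {year}")
    return (min(ss_posted, cap), medicare_posted)


def reconcile(record_id: str,
              master: Dict[int, YearEarnings],
              statement: Dict[int, YearEarnings]) -> List[Finding]:
    """Compare every year on the statement with the master record.

    A year present in only one source is a finding, as is any printed
    amount that differs from the expected (capped) value.
    """
    findings: List[Finding] = []
    for year in sorted(set(master) | set(statement)):
        if year not in master:
            findings.append(Finding(record_id, year, "ss", "(absent)", str(statement[year][0])))
            continue
        if year not in statement:
            findings.append(Finding(record_id, year, "ss", str(master[year][0]), "(absent)"))
            continue
        expected = expected_statement_line(year, master[year])
        for column, exp, got in zip(("ss", "medicare"), expected, statement[year]):
            if exp != got:
                findings.append(Finding(record_id, year, column, str(exp), str(got)))
    return findings


# Constructed sample: sample-001 earned above the 1996 taxable maximum and the
# statement correctly shows the cap; sample-002 has a misprinted 1995 Medicare line.
SAMPLE_MASTER: Dict[str, Dict[int, YearEarnings]] = {
    "sample-001": {1995: (D("58000"), D("58000")), 1996: (D("71000"), D("71000"))},
    "sample-002": {1995: (D("23400"), D("23400")), 1996: (D("24100"), D("24100"))},
}
SAMPLE_STATEMENTS: Dict[str, Dict[int, YearEarnings]] = {
    "sample-001": {1995: (D("58000"), D("58000")), 1996: (D("62700"), D("71000"))},
    "sample-002": {1995: (D("23400"), D("32400")), 1996: (D("24100"), D("24100"))},
}


def run_sample() -> List[Finding]:
    """Reconcile every sampled record and return all findings."""
    out: List[Finding] = []
    for record_id, master in SAMPLE_MASTER.items():
        out.extend(reconcile(record_id, master, SAMPLE_STATEMENTS[record_id]))
    return out


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The cap is applied on the expected side, so a statement that prints the full posted amount above the taxable maximum is reported as a discrepancy, while one that prints the capped amount is not; that is the behaviour the review observed. Amounts are compared as Decimal, not float, so cents never round away a mismatch.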
Systems Validation
We reviewed SSA's validation process to determine
whether SSA's system was certified as being capable of accurately
transferring earnings data from SSA records to SIPEBES. SSA uses its
Software Engineering Technology (SET) Manual to define the process
of systems development and maintenance. The SET Manual details the
policies, standards, and guidelines used in the systems life-cycle
development process.
SSA followed the criteria as stated in the SET Manual
in evaluating the system prior to releasing it for use and had a
validation plan listing validation data base requirements, transaction
definitions, and a validation schedule. SIPEBES format specifications
were prepared by SSA for the vendor. Validation runs and reports
were documented, and as a final step in the evaluation process, a
system release certification was prepared.
The system release certification states that: (1) changes
have been tested; (2) the release contains all agreed to changes,
and only those changes; (3) system capacity and security requirements
are met; (4) operating procedures have been provided; (5) required
documentation has been prepared; and (6) control, auditability, security,
and privacy requirements have been met.
PHYSICAL SECURITY AT KPT
In general, the physical security controls at KPT are
adequate. We saw no indication of any significant internal control
security breakdowns. The company has about 52 employees working 3
shifts in its 1 location. The facility is a 50,000-square foot building
located in north Dallas. There are nine entrances including a main
entrance, a client service entrance, two loading docks, and five
other doors. All entrances are secured, and there are a total of
eight security cameras throughout the building, including two at
the loading docks.
Both the data processing and printing rooms are secured
areas with working security cameras. Transfer logs are used to record
the movement of SIPEBES from these areas to the mailroom. The forms
are secured with plastic wrapping in the mailroom and delivered to
a U.S. Post Office weekly.
We found that KPT management understood and implemented
their control obligations and KPT personnel were generally aware
of the control procedures they were to follow and their respective
responsibilities.
ABSENCE OF ESTABLISHED SECURITY PLAN REQUIREMENTS
The current written plan for the SIPEBES information
system covering contractor employees needs to be improved to meet
the requirements of the Computer Security Act of 1987 and OMB Circular
A-130. The current security requirements are included mainly in:
(1) a contract with the SIPEBES contractor; and (2) a general security
plan submitted to GPO by the contractor. The general security plan
submitted by the contractor, however, does not address all established
security plan requirements. Further, SSA failed to ensure that GPO
had all mandated security requirements in place in the KPT contract.
Specifically lacking were: (1) employee rules of conduct; (2) systems
security awareness and training; and (3) an on-site security inspection
based on the acceptable level of risk that is established in the
rules of the system.
Employee Rules of Conduct and Instruction
Although we believe the physical security at KPT is
adequate, we found that there were no specific written rules of conduct
and instruction for employees. The Privacy Act, 5 United States
Code (U.S.C.), section 552a(e)(9) and (10), requires Federal agencies
that maintain a system of records to establish rules of conduct and
instruction for persons involved with that system.
Individuals involved with a sensitive information system
need to know what conduct is expected of them and the consequences
when they deviate from it. For example, the contractor's employees
should know their roles and duties with regard to protecting SIPEBES
sensitive information. They should also be made aware of the law
and know the penalties for the mishandling, divulging, or other misuse
of this information.
Security Awareness and Training Programs
A security plan should contain requirements for systems
security awareness initiatives and security-related training programs
for personnel based on the requirements and what their jobs entail.
Such requirements do not exist in the contract with KPT or in KPT's
general security plan. SSA needs to establish systems security awareness
and training programs for contractor employees based on rules of
conduct established in accordance with the Privacy Act of 1974, the
Computer Security Act of 1987, and OMB Circular A-130.
Security Inspections at the Contractor's Site
As part of the security plan, SSA needs to perform
inspections at the contractor's site to ensure that the acceptable
levels of risk that are established in the rules for the SIPEBES
system are met. According to OMB Circular A-130, the security of
a system will degrade over time, as the technology evolves and as
people and procedures change. Therefore, the inspections should ensure
that management, operations personnel, and technical controls are
functioning effectively. Without such inspections, there may be needless
security risks.
CONCLUSIONS
AND RECOMMENDATIONS
CONCLUSIONS
Our review of completed SIPEBES and our examination
of related SSA functional requirements and validation tests for its
system's accuracy showed that the system was working properly.
We also found that, in general, the physical security
controls at the SIPEBES contractor's site were adequate. We saw
no indication of any significant internal control breakdowns of physical
security at the site. The contractor's management showed a supportive
attitude toward their control responsibilities, and contractor personnel
were generally aware of the control procedures they were to follow
and their respective responsibilities.
SSA, however, needs to develop a security plan for
the SIPEBES information system. To be in full compliance with governing
laws, SSA needs to take action to develop its own security plan that
extends to its SIPEBES contractor.
RECOMMENDATIONS
We recommend that SSA develop a security plan, in accordance
with established law and regulations, which includes:
specific security requirements for contractor personnel
to follow, and the consequences for not following them;
systems security awareness initiatives and security-related
training programs for contractor personnel based on the requirements;
and
periodic security inspections at the contractor's
site to ensure that the security plan is operating and/or to determine
whether further improvements are needed.
SSA COMMENTS
SSA responded to a draft of this report and agreed
with our findings and recommendations to address the internal control
weaknesses identified. Some minor revisions have been incorporated
into this report based on SSA's comments. SSA's written
response is included in its entirety as Appendix A.
APPENDICES
APPENDIX B
Office of the Inspector General
Roger Normand, Director, Northern Program Audit
Division
Emil Mallek, Deputy Director, Northern Program Audit Division
Richard W. Devers, Senior Auditor
Michael Thomson, Auditor
Francis Cassidy, Auditor