Security threats at the National Finance Center, which administers thousands of federal employees' payrolls as well as the Thrift Savings Plan, have been addressed, NFC officials said Thursday.
The General Accounting Office two weeks ago reported that security weaknesses at NFC put federal payroll, personnel and investment data at risk of being stolen or changed by unauthorized users.
Subsequently, Sen. Dick Lugar, R. Ind., asked Agriculture Secretary Dan Glickman to investigate the charges and to come up with a timetable for fixing them.
"The potential for fraud and improper disclosure resulting from insecure information systems appears to be enormous," Lugar said in a letter to the administration.
But the reported threats were a bit blown out of proportion, NFC indicated in its response to the GAO report.
"The [GAO] audit was not news, it was history," John Ortego, director of the NFC, said.
The field work for the GAO audit was completed more than a year before the release of the report. And NFC began to tackle the security issues that GAO auditors brought to light as soon as the audit was completed, officials at NFC said.
An external audit agency, KPMG, also reviewed NFC's security prior to GAO's audit. KPMG was unable to penetrate the NFC computers from the outside and found few significant security weaknesses.
But the GAO report focused mainly on internal security issues, such as the number of employees with access to files. "The threats they discussed were internal-where one of my own people does harm to me," Ortego said.
Typically, however, the worst threats to information security at NFC are external-from hacker communities. Nonetheless, NFC requires all employees to complete a background check that includes investigation of criminal charges, before access to protected data is allowed.
"We perform due diligence on the quality and dependability of our workforce, we would always do that," an NFC spokesman said.
The agency has since restricted employee access to sensitive data, even though officials disagreed with GAO on the number of people that should be allowed access.
Ortego said the agency increased its security measures well before the GAO report was released. Among the steps that have been taken:
- an initial internal network security policy is in effect,
- intrusion detection systems and firewalls are in place,
- a self-policing scanner program, which detects new vulnerabilities as they arise, has been installed, and
- employee access to financial data has been restricted.
NFC has been in touch with Lugar's staff and will be issuing extensive comments to GAO over the next 60 days, Ortego said.