Payroll, TSP records at risk of fraud and abuse

ksaldarini@govexec.com

Federal employees' payroll, personnel and investment data is at risk of being stolen or changed by unauthorized users due to severe security breakdowns at the National Finance Center, according to a new General Accounting Office report.

The National Finance Center, located in New Orleans, La., provides centralized and automated payroll, personnel, property management, budget and accounting services for dozens of agencies.

The NFC is part of the Agriculture Department, but it serves about 60 other agencies and bureaus through fee-for-service contracts. NFC currently provides administrative and financial services to more than 120 agencies and its payroll service covers 450,000 federal employees.

The agency is also the recordkeeper for the federal Thrift Savings Plan, which covers 2.3 million employees and invests about $62 billion.

Such sensitive information, stored in NFC's files and tapes, is not adequately safeguarded, said GAO's report, "USDA Information Security: Weaknesses at National Finance Center Increase Risk of Fraud, Misuse, and Improper Disclosure" (AIMD-99-227).

"NFC's computer systems, programs and data are at risk of inadvertent or deliberate misuse, fraudulent use, unauthorized alteration or destruction possibly occurring without detection," the report said.

GAO found several examples in which sensitive system files were accessible to a broad range of NFC employees. In one case, 86 users in at least three offices had access to read and alter payroll files and other data stored on tapes. But only one office actually needs the ability to access tape files to perform its job, GAO said.

In another case, auditors found network files could be easily accessed by unauthorized users. Certain of those files involved the government's purchase card management system, which could lead to improper payments, GAO found.

Safeguards against physical security breaches, such as locks, guards, badges and alarms, are not being used properly either, GAO said. More than 100 people had access to NFC's computer room and tape library, including maintenance and non-technical support staff. Any of these employees could sit down at the agency's unprotected console and disable security systems, leading to unauthorized access to systems or computer failures.

Passwords and other software protections aren't being used to protect private data, and network security does little to ensure against unauthorized access, the report said.

Despite attempts to develop a comprehensive security framework, NFC has a long way to go to reach an appropriate level of security, GAO concluded. NFC's computer security planning and management program hasn't evaluated the effectiveness of its controls, and contains major security gaps, such as a lack of provisions for an intrusion detection system.

NFC Director John R. Ortego acknowledged the agency's security weaknesses. "Given the role that the NFC plays in the department and in the federal government, it is absolutely essential that we not only have adequate security, but that we are among the best, if not the best, in either government or the private sector," he said.

The agency agreed that its systems need to be better protected and said it has corrected most of the weaknesses identified. NFC has pledged to use GAO's guidelines to strengthen its computer security planning and management program.