TSP tries to remain vigilant in data security

Agency moves to stop using Social Security numbers for access to accounts.

In light of the well-publicized Veterans Affairs Department data breach last month, another federal agency with its hands on a lot of personal information -- the Thrift Savings Plan -- is concentrating on information security.

The TSP houses Social Security numbers, names, addresses and more than $180 billion in retirement savings for about 3.6 million current and former federal employees. Mark Hagerty, the plan's chief information officer, told the TSP Board Tuesday he is comfortable with the security measures in place but is looking to expand them.

Participants will switch to using account numbers, rather than Social Security numbers, to access their TSP accounts online. That change will come in the next few months, Hagerty said.

"It's a very fluid environment," he said. "For every mitigating strategy we put in place, the creative minds of the bad guys come up with ways around it."

Hagerty, who came to the TSP from the National Security Agency, would not disclose all of the efforts that the TSP is taking to enhance its data security, so as to avoid giving "some young kid a challenge," but he did say that the agency is working on a program to trace laptops and destroy data remotely if needed.

Current TSP policy is that any data in transit is encrypted and password-protected. Employees must carry information, such as that stored on a CD, separately from a company laptop, and the TSP does periodic physical audits of employees to ensure adherence to that policy.

The TSP also uses a number of advanced firewalls to protect its data. That data is more secure than the data held by many private-sector companies, Hagerty said, because it is kept in-house.

"Our data is not out in the public space," he said. "We don't share it or use it in an open environment."

After an e-mail hoax targeting participants in March, in which a message guided recipients to a TSP look-alike Web site and sought personal data including Social Security numbers, the agency entered into a working relationship with the Secret Service, which Hagerty said is very helpful and supportive of the retirement plan's information security efforts.

A "three-letter agency" (referring to the acronym) also conducts an annual review of the TSP's security measures, but Hagerty, citing security reasons, declined in an interview to specify which one.

TSP Board Chairman Andrew Saul told Hagerty at the board meeting Tuesday to come to the board if his office needs more funding for the efforts.
