Strengthening OSHA's Software Management Controls Can
Prevent Unauthorized Software Use and Potential Software Piracy
23-02-005-10-001
This document is a summary of a printed document. The printed document
may contain charts and photographs which are not reproduced in this
electronic version. If you require the printed version of this document,
contact the Freedom of Information Act Officer, Office of Inspector
General, U.S. Department of Labor, Washington, DC 20210, or call
(202) 693-5116.
This report reflects the findings of the Office of Inspector General at
the time that the audit report was issued. More current information may
be available as a result of the resolution of this audit by the Department
of Labor program agency and the auditee. For further information concerning
the resolution of this report's findings, please contact the program agency.
The Office of Inspector General (OIG) conducted an audit to determine whether the Occupational Safety and Health Administration (OSHA) has proper procedures in place to ensure authorized computer software products are not used in violation of copyright laws, and whether unauthorized software products exist on the agency's computers.
During our audit, we scanned 166 randomly selected computers in OSHA's National, regional and area offices, and OSHA's Technical Center (laboratory) in Salt Lake City, Utah. We found 221 unauthorized software products, including 27 different computer games. We found no violations of copyright laws for authorized software products.
In addition to the potential software piracy issue, the installation and use of unauthorized software products creates other unnecessary risks for OSHA, such as the possible introduction of computer viruses. The use of unauthorized software can also degrade computer functionality, as the unauthorized products consume memory and processing time.
Inadequate software management policy and procedures contribute to the installation and use of unauthorized software on agency computers. For example, OSHA does not conduct periodic software inventories and, as a result, cannot maintain a complete and accurate listing of unauthorized software.
To improve agency software management and prevent the installation of unauthorized software products, we recommend that the Assistant Secretary for Occupational Safety and Health:
- Remove all unauthorized software applications and games identified by our audit, including older-version software products. Legally purchased older software products should be removed from individual workstations and stored in a safe location.
- Develop and perform a periodic (at least once per year) software inventory and use this inventory to maintain an updated list of all OSHA authorized software.
- Revise and update OSHA Directive PRO 3.5 dated June 9, 1993, to include current hardware and software standards and establish procedures on the monitoring of information technology (IT) assets including a review of IT Acquisition forms and license agreements.
---- ---- ----
Based on OSHA's response to the draft report, and the planned corrective actions, the OIG has resolved all of the above recommendations. OSHA agreed to take steps for the purpose of addressing and resolving OIG's recommendations (Appendix A). However, OSHA has taken exception to the Webshots purchase example used by OIG in the draft report. OSHA does not discourage the use of screen savers, and OSHA believes the discussion of the Webshots purchase was unnecessary since it went beyond the stated scope of the audit. While the OIG acknowledges OSHA's request to delete the discussion of the Webshots purchase, the OIG does not view the information as extraneous to the audit report.