U.S. Department of Labor
Office of Inspector General
Office of Audit


Security Testing and Evaluation Pilot Audit of the Office of Workforce Security System

Information obtained from the Internet may not be in the same format as a hard copy obtained from the Office. Depending on the requester, the quantity of information provided may also vary. In order to appeal any deleted information received via the Internet, you must make a formal written request for the same material. Further, some of the audit reports issued prior to FY 1998 may no longer be available; they may have been destroyed in accordance with our records retention schedule. Any request for audit reports or other audit materials should be sent to the OIG, Disclosure Officer, Room S1303, 200 Constitution Avenue, N.W., Washington, D.C. 20210.

Unless otherwise stated, the audit reports provided on this web page reflect the findings of the OIG at the time that the audit report was issued. The auditee may have more current information available as a result of audit resolution activities.


OIG Provides Assistance to the Department for the Management of its Information Technology (IT) Assets

In FY 2001, the Department's IT budget exceeded a quarter of a billion dollars and covered 67 mission critical applications and general support systems. These large and complex systems process information and data on: benefit eligibility and compensation; injury and illness statistics; union representation and elections; economic indicators; pension and welfare benefit plans; employer/contractor hiring status and wage practices; and grant funds distribution.

A high-quality IT environment is key to obtaining the programmatic and financial information needed to manage for results. As the Department continues to expand its use of IT (e.g., in procurement, payroll, benefit payments, labor market information, enforcement, and training), it becomes increasingly important to audit the development and implementation of IT systems. It is critical to ensure that these systems meet their intended objectives at reasonable cost. Moreover, it is crucial to protect these IT assets and the information they contain (e.g., to safeguard privacy rights). The OIG audits these IT systems and provides consultative assistance in order to improve the management of departmental IT assets. For example, the OIG:

Our efforts involve verifying and validating completed risk assessments, and the results are given to DOL and component agency executives and managers so they can make decisions to strengthen their information and IT controls. Following are highlights of our work in the IT area.

DOL IT Infrastructure Was Vulnerable to Intrusion

As required by Presidential Decision Directive 63 (PDD 63) and in accordance with DOL's Cyber Security Program Plan we tested five agency components' general support systems and identified material weaknesses in procedures and practices in the following areas:

During our integrity testing of internal network systems, the OIG gained easy access to critical files and programs by exploiting technical weaknesses in the operating system (e.g., system security settings and root access). The OIG was able to use weak passwords (easily recognizable words, dates, etc.), default passwords, and unpatched system vulnerabilities to compromise the general support systems on the network.
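The three password weaknesses named above (recognizable words, dates, and unchanged vendor defaults) are the first things a tester tries, and an agency can find them itself before an auditor does by running the same guesses offline against its own password hashes. The following is an added example written for this page, not a tool used in the OIG's testing or by the audited agencies: the hash scheme (sha256 over salt plus password), the wordlist, the default-credential table, and the sample accounts are all constructed here so the script runs offline. Real systems store passwords in other formats, so the `hash_password` function is the piece to swap.

```python
"""Offline audit for weak, default and date-based passwords.

Illustrative code added to this page; not OIG tooling. The hash scheme,
wordlist, default-credential table and sample accounts are constructed
so the example runs stand-alone.
"""
import hashlib
import itertools

# Constructed list of "easily recognizable words" a tester tries first.
WORDLIST = ["password", "welcome", "secret", "summer", "labor", "admin"]

# Constructed table of default credentials (account -> vendor defaults).
DEFAULT_PASSWORDS = {
    "root": ["root", "toor", ""],
    "admin": ["admin", "password"],
    "guest": ["guest", ""],
    "oracle": ["oracle"],
}

# Common character substitutions users apply to a dictionary word.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def hash_password(salt: str, password: str) -> str:
    """Constructed hash scheme for the example: sha256(salt || password)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def word_candidates():
    """Dictionary words with the mangling rules crackers apply by default."""
    for word in WORDLIST:
        forms = {word, word.capitalize(), word.upper(), word.translate(LEET)}
        for form in forms:
            yield form
            for suffix in ("1", "123", "!", "2001"):
                yield form + suffix


def date_candidates(years=range(1990, 2002)):
    """Dates in the layouts users pick: YYYY, MMDDYYYY, MM/DD/YYYY, MMDDYY."""
    for year in years:
        yield str(year)
        for month, day in itertools.product(range(1, 13), range(1, 32)):
            yield f"{month:02d}{day:02d}{year}"
            yield f"{month:02d}/{day:02d}/{year}"
            yield f"{month:02d}{day:02d}{year % 100:02d}"


def crack(entries):
    """Try defaults, words and dates against each account's salted hash.

    entries: {username: (salt, hexdigest)}.
    Returns {username: (recovered_password, reason)} for every account that
    falls; accounts that survive all three candidate sources are omitted.
    Salts are per account, so every candidate is hashed per account.
    """
    found = {}
    for user, (salt, digest) in entries.items():
        sources = [
            ("default credential", DEFAULT_PASSWORDS.get(user, [])),
            ("dictionary word", word_candidates()),
            ("date", date_candidates()),
        ]
        for reason, candidates in sources:
            hit = next((c for c in candidates if hash_password(salt, c) == digest), None)
            if hit is not None:
                found[user] = (hit, reason)
                break
    return found


def constructed_inventory():
    """Sample shadow-style entries, constructed for the example."""
    plaintexts = {
        "root": "toor",               # vendor default never changed
        "jsmith": "Summer123",        # dictionary word plus common suffix
        "mjones": "07041999",         # a date
        "sysadmin": "xK9#vL2$qR8m",   # strong: should survive the audit
    }
    return {
        user: (user + "-salt", hash_password(user + "-salt", password))
        for user, password in plaintexts.items()
    }


if __name__ == "__main__":
    for user, (password, reason) in crack(constructed_inventory()).items():
        print(f"{user}: {reason} ({password!r})")
```

Three of the four constructed accounts fall, each to a different candidate source, and the strong password does not; on a real system the same run over exported hashes gives the list of accounts to reset before an external tester finds them.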

We alerted the affected agencies, which acted expeditiously to begin correcting the technical weaknesses the OIG identified in their general support systems. Agencies are continuing their efforts to resolve these problems. (OA Report Nos. 03-01-005-07-001, issued July 12, 2001; 23-01-006-10-001, issued September 24, 2001; 23-01-004-03-315, issued September 26, 2001; and 23-01-011-06-001, issued September 28, 2001)

DOL Relied on Outdated Information to Protect its IT Infrastructure

In addition to the vulnerability assessments, the OIG audited the Department's planning and assessment activities for protecting its physical (non-cyber-based) critical infrastructures. PDD 63 requires a national effort to assure the security of the Nation's critical infrastructure. Critical infrastructure is defined as those physical and cyber-based systems that are essential to the minimum operations of the economy and government, and includes telecommunications, banking and finance, energy, transportation, and government services. In addition to requirements for state and local governments and private sector partners, PDD 63 requires that by 2003 the Federal Government shall have achieved the ability to protect its critical infrastructures from intentional acts that would significantly diminish its ability to perform essential national security missions and ensure the general public health and safety.

We found that the Department's efforts to protect its minimum essential infrastructure were outdated and limited in focus. For example, its 1999 Critical Infrastructure Protection Plan (CIPP), which is required by PDD 63, was not kept current with the inventory of critical cyber systems and related physical facilities. Additionally, the Department relied on assessments and/or surveys conducted by other Federal Government entities, such as the General Services Administration.

The Department agreed with our findings and recommendations and has stated its intention to implement improvements. For example, DOL stated that it has drafted an updated CIPP and has established additional milestones covering the period August 2001 to July 2003 to improve its overall protection of the Department's critical infrastructure. The OIG believes that the Department's proactive approach will lead to its meeting the requirements of PDD 63. (OA Report No. 23-01-002-07-711, issued July 20, 2001)

DOL Needs to Implement Controls to Limit Risk of its IT Operations

The OIG performed an evaluation of eight Departmental applications in accordance with GISRA. The evaluations covered a subset of DOL's 67 mission-critical systems. During our review, we found that although the Department has issued substantial IT security guidance to its agencies, the biggest challenge facing the Department will be to ensure that agencies continue to implement the management and technical controls necessary to limit the risk to the operations and assets under their control.

We identified high-risk control issues that, if unaddressed, have the potential to impair the Department's ability to execute its core business functions (including payroll and benefits functions) or to compromise the confidentiality, integrity or availability of system and information resources. These include: risk management, life cycle issues, authorization processing, system security plans, contingency planning, documentation and incident response. The Department's Chief Information Officer reported similar findings to the Office of Management and Budget (OMB) and is also required to address all vulnerabilities identified by the OIG in a mitigation plan due to OMB on October 31, 2001. (OA Report Nos. 23-01-005-11-001, issued September 24, 2001; 23-01-006-10-001, issued September 24, 2001; 23-01-007-04-001, issued September 25, 2001; 23-01-008-04-001, issued September 25, 2001; and 23-01-011-06-001, issued September 28, 2001)

[ Get Complete Report PDF  ]
