Report Summary
Social Security Administration
Office of the Inspector General

The Social Security Administration's Electronic Mail Security Review (Limited Distribution) (A-14-06-16047)

The objective of our review was to evaluate the adequacy of the Social Security Administration's (SSA) electronic mail (e-mail) services security controls designed to ensure confidentiality, availability, and integrity of sensitive information. As part of the audit, we evaluated SSA's management, operational, and technical controls related to e-mail security for consistency with Federal standards and guidelines and industry best practices.

E-mail is perhaps the most popularly used system for exchanging information over the Internet and is a critical tool used by SSA to complete its mission. Sensitive data is often sent via e-mail within the Agency as well as between SSA and outside entities. In today's network environment, e-mail is also a preferred path by hackers to distribute viruses, worms, spam, and other attacks. The servers that operate the e-mail system are among the most targeted and attacked machines within an organization's network -- second only to web servers. It is critical for any organization to protect information sent or received via e-mail from unauthorized use, disclosure, modification, destruction, or exploitation.

We found that SSA's e-mail security controls reasonably ensure the confidentiality, integrity, and availability of the Agency's e-mail system. While the Agency is working diligently to protect its e-mail system, the following areas need improvement:

E-mail policies need to be updated to comply with Federal standards;
Configuration settings for patches need to be installed correctly;
Information may be viewed through Outlook Web Access on a wireless network by unauthorized individuals;
E-mail is not tested in the Disaster Recovery Exercise;
All e-mail risks may not be fully identified in the Agency's Certification and Accreditation program;
Retention policy needs to be updated in the Information Systems Security Handbook and employees notified; and
Employees need to be aware of content filtering capabilities.

We made nine recommendations to SSA. The Agency fully agreed with seven of them.

This report contains restricted information for official use. Distribution is limited to authorized officials.