Oct 11, 2014

Risk Of Unauthorized Access To Social Security Computers

Sometimes, Social Security's Office of Inspector General (OIG) completes a report but doesn't want to release it to the public. In these cases, OIG issues a "Limited Distribution" report. All that is available to the public is a brief blurb. Here are some excerpts from one of these recent "Limited Distribution" blurbs:
The National Institute of Standards and Technology recommends that security issues be patched timely to maintain the operational availability, confidentiality, and integrity of information technology systems. ...
SSA [Social Security Administration] did not have a comprehensive server patch management program. Consequently, the Agency did not always address known vulnerabilities timely. Specifically, we found that the Agency did not always:
  • patch Windows servers according to its patch management policies;
  • have effective policies and procedures to ensure UNIX servers were patched timely; or 
  • address software vulnerabilities on the Windows servers. 
Without an effective patch management process in place, systems are at risk of unauthorized access
