
Report 2001-019- AIC - Assessment of the Implementation of the Federal Personnel/Payroll System (FPPS)

Published by the Equal Employment Opportunity Commission, Office of Inspector General on 2002-09-01.


                   Assessment of the Implementation of the
                   Federal Personnel/Payroll System (FPPS)
                                OIG Report Number 01-09-AIC

                              PURPOSE OF ASSESSMENT

The Office of Inspector General (OIG) conducted an assessment of the Agency’s Federal
Personnel/Payroll System (FPPS) implementation. This assessment was conducted as part
of OIG’s ongoing effort to evaluate the Agency’s information systems as required by the
Government Information Security Reform Act (GISRA)[1], Public Law 106-398, Title X,
Subtitle G.


                            SCOPE AND METHODOLOGY

The scope of the assessment included reviewing: (1) the various processes used by EEOC
in the planning and implementation of FPPS; (2) the Office of Human Resources’ FPPS data
verification effort; and (3) the FPPS information system security features.

In order to make our final determinations we: (1) interviewed senior managers who are
responsible for the system; (2) spoke with the members of the implementation team[2]; (3)
obtained and reviewed implementation planning documentation; and (4) reviewed guidance,
policies, and procedures regarding FPPS, as well as FPPS internal information security.

This evaluation was conducted in accordance with generally accepted government auditing
standards, as published in the Comptroller General’s Government Auditing Standards, 1999
Revision through Amendment Three. Our fieldwork was conducted during the November
2001 through August 2002 timeframe.


                                      BACKGROUND

The Agency’s previous personnel system, Personnel Information Resources Systems (PIRS),
was scheduled to be retired by the General Services Administration (GSA) and was no longer
to be supported after September 30, 2001.



[1] GISRA provides a comprehensive framework for establishing and ensuring the
effectiveness of controls over information resources that support Federal operations and assets.
[2] The FPPS Implementation Team consisted of staff from the Office of Human Resources
(OHR), the Office of Information Technology (OIT), the Department of the Interior’s National
Business Center, and the General Services Administration Payroll Center located in Kansas
City, Missouri.
OIG Report 01-09-AIC
Page Number 2


During the second quarter of FY2001, EEOC entered into a cross-servicing agreement with
the Department of the Interior’s (DOI) National Business Center (NBC) to provide the Agency
with human resource management information system support.[3] This agreement was born
of the need to replace PIRS. According to DOI-NBC, the Federal Personnel and Payroll
System (FPPS) is a modern, full-featured, fully integrated system that meets or exceeds all
mandatory and regulatory requirements established by the President’s Council on
Management Improvement for Federal Automated Systems, the Paperwork Reduction Act,
and the Joint Financial Management Improvement Program. FPPS is hosted on the DOI-
NBC mainframe computer located in Denver, Colorado. FPPS was developed using modern
database and computer-aided software engineering technology, and was fully developed by
December 1998.

The Agency completed its conversion to FPPS by September 23, 2001.


                           MANAGEMENT COMMENTS

No management comments were provided by either the Office of Human Resources (OHR)
or the Office of Information Technology (OIT), the two Agency offices principally
responsible for the FPPS conversion.


                              ASSESSMENT FINDINGS

No Significant Problems Occurred During the FPPS Implementation

During the course of this assessment OIG found no significant problems regarding the
implementation of FPPS.

Our assessment included discussions with members of the FPPS Implementation Team to
obtain an overall understanding of the implementation process, as well as to identify any
lessons learned. Overall, the comments from those interviewed were highly positive
regarding system implementation. According to DOI-NBC’s FPPS Project Manager for
EEOC, both OIT and OHR played an important role in the overall success of FPPS’s
implementation. The Project Manager noted that the implementation was one of the fastest
and cleanest ever conducted by DOI-NBC.



[3] NBC provides automated human resource and payroll operations cross-servicing to DOI
organizations, as well as a number of non-DOI agencies.


Furthermore, in an effort to ensure the integrity of the data being transferred, DOI-NBC
conducted extensive parallel testing between PIRS and FPPS. The parallel testing overall
found few discrepancies.[4] Those discrepancies identified were either corrected or addressed
by DOI-NBC prior to data conversion.

Significant Progress Made in Data Verification

OIG found that OHR has made significant progress regarding the verification and correction
of data being placed into FPPS.

As part of the Agency’s implementation plan, the implementation team conducted a data
verification review of PIRS data to ensure that only accurate information was entered into
FPPS. OHR established a data verification task force whose responsibility was to identify
and correct erroneous data.[5] At the onset of this task, OHR reported the following data
discrepancies:

       •      109 instances where address information needed to be verified;
       •      41 other discrepancies (i.e. incorrect sex codes, tenure, and race codes);
       •      169 instances where there were appraisal discrepancies;
       •      453 instances where employees reported incorrect educational levels; and
       •      379 instances where other types of changes were needed.
       Total: 1151

OHR completed this data verification and correction effort during the calendar year 2002.

FPPS Information System Internal Security Controls are Adequate

OIG found the internal information system security controls established by the Agency for
FPPS to be adequate.

Although EEOC is not responsible for managing the FPPS computer mainframe security, the
Agency does manage its own information access control and password assignment.
Management of this process is controlled through OHR. Currently the Agency has over 800
employees who have access to FPPS for various purposes.

[4] For example, one of the differences found between the two systems was how each system
calculated state and local tax withholdings.
[5] OHR issued a memorandum to each employee, providing a copy of their personal data
and requesting that they verify the information’s accuracy and completeness.

OHR has established a FPPS security team that is responsible for developing and maintaining
user profiles for all users and resetting employee passwords. The security team has
implemented the following policies:

•      required office directors to send an email to the FPPS mailbox within 48-72 hours
       when a timekeeper, certifier, or releaser is no longer permitted to access the T&A
       System;

•      employed a password reset policy which provides a more secure mechanism for
       requesting and receiving newly reset passwords via e-mail; and

•      required office directors to complete an Assignment Designation Form, identifying
       the names of all employees who are responsible for processing time cards and/or
       Standard Form 52s, as well as completing an EEOC/DOI Mainframe Access Request
       Form for each authorized user.

Furthermore, we found that the FPPS security team has established specific user access
levels and system access requirements for individuals who use FPPS. Upon our review of
policies and procedures established by the National Institute of Standards and Technology
(NIST), it is OIG’s opinion that the internal control security measures established by the
Agency for system access provide the Agency with adequate FPPS information security.


However, during the course of our assessment, information was disclosed to us concerning
the possible unauthorized access to sensitive FPPS information by employees of OIT. The
question was raised, by OHR, as to whether it was appropriate for OIT employees to have
access to sensitive data that resides in FPPS.

According to several members of the implementation team, OHR downloads several files
bi-weekly that contain a detailed snapshot of all information that resides in FPPS.
Information that is downloaded by OHR is generated by DOI-NBC and made available to
agencies that are supported by DOI-NBC. Preservation of these downloads is critical
because the information is overwritten each pay period and is non-recoverable. Once OHR
downloads these files, the data files are placed in a file folder that resides on an Agency
network server that services OHR and is only accessible to individuals in OHR and several
individuals in OIT who are part of the FPPS Implementation Team. OIT is in the process of
developing an Oracle database to maintain and allow access to this historical information.
According to OIT, in order to develop and populate this historical database, access to the
downloads and subsequent access to sensitive data is necessary.


The Privacy Act [5 U.S.C. § 552a(b)] states that:


              No agency shall disclose any record which is contained in a system of
              records by any means of communication to any person, or to another
              agency, except pursuant to a written request by, or with the prior
              written consent of, the individual to whom the record pertains, unless
              disclosure of the record would be to those officers and employees of
              the agency which maintains the record who have a need for the
              record in the performance of their duties.

OIG concludes that this “need to know” exception authorizes the intra-agency disclosure of
a record for necessary, official purposes. Currently, access to this information is limited to
those who have a need to know. Based on the “need to know” exception, OIT’s access to
FPPS data files, as part of their ongoing effort to develop other Agency information systems,
is warranted and valid.

Notwithstanding OIG’s findings, the General Accounting Office (GAO) report dated July
2001, Information Security - Weak Controls Place Interior’s Financial and Other Data at
Risk, stated that DOI-NBC did not adequately limit access granted to authorized users,
control all aspects of the system software controls, or secure access to its network. The
weaknesses identified in GAO’s report affected the center’s ability to: (1) prevent and detect
unauthorized changes to financial information, including payroll and other payment data; (2)
control electronic access to sensitive personnel information; and (3) restrict physical access
to sensitive DOI-NBC financial and personnel information. GAO’s report also stated that
these weaknesses and risks affect other agencies that use computer processing services
at DOI-NBC. On March 15, 2002, DOI-NBC issued a memorandum to National Business
Center mainframe clients regarding mainframe security changes. DOI-NBC initiated changes
regarding:

•      setting a sufficient password history retention length to disallow reuse of previous
       passwords;
•      revocation of user IDs after 3 invalid password attempts;
•      revocation of user IDs that have not been used in 90 days;
•      changing the maximum interval between required password changes to no more than
       60 days for all clients on all mainframe systems; and
•      developing new password rules for all mainframe systems.
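As an added illustration, not part of the report and not DOI-NBC’s actual mainframe configuration, the following Python models how the four controls in the memorandum interact on a single user ID: password history, revocation on the third invalid attempt, revocation after 90 days without use, and a 60-day maximum password age. The history depth (the memorandum only says "sufficient"), the account structure, the user IDs and the scenario dates are assumptions made for the example.

```python
"""Model of the four mainframe account controls summarised in the report.

Added example code; not DOI-NBC's configuration. History depth, account
layout and the scenario below are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Values stated in the March 15, 2002 memorandum as summarised in the report.
MAX_FAILED_ATTEMPTS = 3
INACTIVITY_DAYS = 90
MAX_PASSWORD_AGE_DAYS = 60
HISTORY_DEPTH = 8  # assumed; the memorandum only says "sufficient"


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so that the history list never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def _matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_digest(password, salt), digest)


@dataclass
class Account:
    user_id: str
    salt: bytes
    current: bytes
    last_changed: datetime
    last_used: datetime
    history: list = field(default_factory=list)  # (salt, digest), oldest first
    failed_attempts: int = 0
    revoked: bool = False
    revoke_reason: str = ""


def new_account(user_id: str, password: str, now: datetime) -> Account:
    salt = os.urandom(16)
    return Account(user_id, salt, _digest(password, salt), now, now)


def change_password(acct: Account, new_password: str, now: datetime) -> bool:
    """Reject reuse of the current password or any of the last HISTORY_DEPTH."""
    if _matches(new_password, acct.salt, acct.current):
        return False
    if any(_matches(new_password, s, d) for s, d in acct.history):
        return False
    acct.history = (acct.history + [(acct.salt, acct.current)])[-HISTORY_DEPTH:]
    acct.salt = os.urandom(16)
    acct.current = _digest(new_password, acct.salt)
    acct.last_changed = now
    acct.failed_attempts = 0
    return True


def attempt_login(acct: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'password-expired', 'denied' or 'revoked'."""
    if acct.revoked:
        return "revoked"  # revocation is not self-clearing
    if now - acct.last_used > timedelta(days=INACTIVITY_DAYS):
        acct.revoked, acct.revoke_reason = True, "inactive"
        return "revoked"
    if not _matches(password, acct.salt, acct.current):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.revoked, acct.revoke_reason = True, "invalid-attempts"
            return "revoked"
        return "denied"
    acct.failed_attempts = 0
    acct.last_used = now
    if now - acct.last_changed > timedelta(days=MAX_PASSWORD_AGE_DAYS):
        return "password-expired"  # authenticated, but must change before use
    return "ok"


def run_scenario() -> dict:
    """Constructed scenario (assumed IDs and dates) exercising each control."""
    t0 = datetime(2002, 3, 15)
    day = timedelta(days=1)
    reuse = new_account("USER01", "Spring-2002!", t0)
    reuse_results = [
        change_password(reuse, "Spring-2002!", t0),  # same as current -> False
        change_password(reuse, "Summer-2002!", t0),  # fresh -> True
        change_password(reuse, "Spring-2002!", t0),  # now in history -> False
    ]
    lockout = new_account("USER02", "Spring-2002!", t0)
    lockout_results = [attempt_login(lockout, "guess", t0 + day) for _ in range(3)]
    after_lockout = attempt_login(lockout, "Spring-2002!", t0 + day)
    idle = new_account("USER03", "Spring-2002!", t0)
    idle_result = attempt_login(idle, "Spring-2002!", t0 + 91 * day)
    aging = new_account("USER04", "Spring-2002!", t0)
    age_results = [
        attempt_login(aging, "Spring-2002!", t0 + 60 * day),  # at the limit
        attempt_login(aging, "Spring-2002!", t0 + 61 * day),  # past the limit
    ]
    return {
        "reuse": reuse_results, "lockout": lockout_results,
        "lockout_reason": lockout.revoke_reason, "after_lockout": after_lockout,
        "idle": idle_result, "idle_reason": idle.revoke_reason, "aging": age_results,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two points a practitioner would check when reviewing controls like these: a correct password after revocation still returns "revoked", so a locked or idle ID needs an administrator to resume it rather than clearing on the next good logon; and the 60-day limit only forces a change at logon, so an ID that is used infrequently can carry an old password until the 90-day inactivity revocation catches it.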




OIG reviewed DOI-NBC’s March 15, 2002, memorandum and compared it to password
security guidance provided by NIST and the General Accounting Office (GAO). OIG found
the new password controls established by DOI-NBC met guidelines established by NIST and
should provide the Agency some added assurance of external information security.

Finally, OIG determined that the Agency had not conducted its own risk assessment as to the
effectiveness of FPPS’s security controls. GISRA requires that the Agency’s Chief
Information Officer, or comparable officer, ensure that the agency effectively implement and
maintain information security policies, procedures, and control techniques. The CIO is
responsible for:

        “providing advice and other assistance to the head of the executive agency
       and other senior management personnel of the executive agency to ensure that
       information technology is acquired and information resources are managed
       in a manner that implements the policies and procedures of this division, as
       well as the priorities established by the head of the executive agency.”

Furthermore, OMB Circular A-130, Management of Federal Information Resources, states
that agencies will:

       “ensure that information is protected commensurate with the risk and
       magnitude of the harm that would result from the loss, misuse, or
       unauthorized access to or modification of such information.”

During fiscal year 2002, OIT had an outside contractor conduct and complete a risk
assessment of FPPS in order to assess its security controls. Results from the risk assessment
found no significant technology-based information security concerns; however, the risk
assessment identified the following internal control issues: (1) sensitive FPPS system access
not being granted based on the user’s job function; and (2) EEOC not documenting internal
controls and operational requirements in an EEOC system security plan. OIT, as well as
OHR, is currently in the process of addressing these issues.



                                     CONCLUSION

It is OIG’s opinion that FPPS has had a successful first year. The success of this
implementation is largely attributed to solid teamwork between all parties involved. OIG
found no significant problems regarding FPPS’s overall planning, its implementation, as well
as its execution. Furthermore, during the year the Agency also made significant progress
in completing its FPPS data verification effort.

Finally, in our opinion, the Agency has established acceptable internal controls to ensure that
Agency data is properly secured and access limited only to authorized personnel.