oversight

Audit of the Migration of Legacy GSA Human Resource Systems to HR Links

Published by the General Services Administration, Office of Inspector General on 2021-07-16.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

          Office of Audits
          Office of Inspector General
          U.S. General Services Administration




              Audit of the Migration of
              Legacy GSA Human Resource
              Systems to HR Links
              Report Number A190056/C/T/F21004
              July 16, 2021




A190056/C/T/F21004
Executive Summary

Audit of the Migration of Legacy GSA Human Resource Systems to HR Links
Report Number A190056/C/T/F21004
July 16, 2021

Why We Performed This Audit

This audit was included in our Fiscal Year 2019 Audit Plan after the launch of HR Links resulted
in the exposure of sensitive information. HR Links is a major software application that provides
human resource services to approximately 21,000 federal employees, including 11,000 who
work for GSA. Our objective was to determine whether GSA appropriately managed risks
associated with migrating its legacy human resource systems to HR Links, which launched on
June 4, 2018.

What We Found

GSA did not sufficiently manage risks associated with migrating its legacy human resource
systems to HR Links. We found that GSA did not adequately test HR Links or fully address
problems identified during system testing. As a result, HR Links had a series of significant
system weaknesses upon deployment. These weaknesses caused the exposure of sensitive
information (including personally identifiable information), incomplete and inaccurate
employee information, and functional deficiencies. Although GSA has addressed these
deficiencies, it should apply lessons learned from the HR Links deployment to ensure that
appropriate testing is conducted to identify and mitigate risks for future system deployments.

What We Recommend

We recommend that GSA’s Chief Human Capital Officer and Chief Information Officer, prior to
the deployment of future systems, design and implement appropriate system testing to ensure
that:
    a. Required system security controls, including those governing user roles and data
       permissions, are operating effectively;
    b. Data is complete and accurately migrated from legacy systems, if applicable; and
    c. System testing verifies that all functional requirements are met.

The GSA Chief Human Capital Officer and Chief Information Officer agreed with our finding and
recommendation. GSA’s response is included in its entirety in Appendix B – GSA Comments.




A190056/C/T/F21004                          i
Table of Contents

Introduction ....................................................................................................................... 1


Results
Finding – GSA did not adequately test HR Links or fully address problems identified during
          testing prior to system deployment, resulting in sensitive information
          exposures, incomplete and inaccurate data, and functional deficiencies. .............. 3


Conclusion .......................................................................................................................... 9
Recommendation ................................................................................................................ 9
GSA Comments ................................................................................................................... 9
OIG Response ...................................................................................................................... 9


Appendixes
Appendix A – Scope and Methodology ........................................................................... A-1
Appendix B – GSA Comments .......................................................................................... B-1
Appendix C – Report Distribution .................................................................................... C-1




A190056/C/T/F21004                                             ii
Introduction

We performed an audit of HR Links, a human resource (HR) and time and attendance (TA)
software application that supports approximately 21,000 federal employees, including 11,000
who work for GSA.

Purpose

This audit was included in our Fiscal Year 2019 Audit Plan after end users experienced multiple
issues when GSA deployed HR Links. As the shared service provider for HR and payroll services,
GSA migrated its 11,000 federal employees’ information, as well as 32 other federal client
agencies’ information, to HR Links. Due to the issues end users experienced when HR Links
launched, we sought to determine if deficiencies existed in GSA’s system migration process.

Objective

Our objective was to determine whether GSA appropriately managed risks associated with
migrating its legacy HR systems to HR Links. Specifically, we assessed whether GSA planned for
the migration, assessed risks, and performed adequate and appropriate testing on HR Links
prior to making the system available to end users in accordance with system re quirements and
other applicable federal standards.

See Appendix A – Scope and Methodology for additional details.

Background

GSA provides HR and payroll services for GSA and 32 other federal agencies, supporting
approximately 21,000 federal employees. In November 2016, GSA awarded a 10-year, $149
million contract to International Business Machines (IBM) for HR Links, a commercial-off-the-
shelf product used for human capital management. GSA’s migration to HR Links replaced the
following legacy systems:

   •   The Comprehensive Human Resources Integrated System (CHRIS), which was used to
       manage HR transactions, such as performance appraisals;
   •   The Electronic Time and Attendance Management System (ETAMS), which was used to
       manage employee timesheets; and
   •   The Authorized Leave and Overtime Help Application (ALOHA), which was used to
       manage employee leave requests.

Prior to HR Links, GSA managed its HR and TA transactions in these separate legacy systems. HR
Links combined the management of HR and TA transactions.

GSA’s migration to HR Links. The HR Links migration occurred from November 2016 to June
2018. IBM configured HR Links to meet the requirements of GSA and its client agencies. GSA’s



A190056/C/T/F21004                         1
Office of Human Resources Management and Office of GSA IT worked collaboratively with IBM
to design, build, and test HR Links.

HR Links system security. In HR Links, system security consists of two attributes assigned to a
user’s profile: user roles and data permissions. These attributes are designed to work together
to define the actions a user may take in the system and the scope of information they are able
to access. HR Links user roles and data permissions are described below.

   •   User roles in the system are assigned to a user’s profile depending on their day -to-day
       responsibilities at GSA, such as time administrator or HR administrator. Users with the
       time administrator role perform higher-level TA tasks, such as reviewing timesheets and
       approving leave if no other user is available. Users with the HR administrator role are
       able to approve employee promotions and raises. However, user roles alone do not
       grant the ability to access other employees’ information or requests.

   •   Users’ data permissions control the specific employee information and requests they
       are able to view. For example, an HR administrator may have data permissions to view
       only the employees they support. A time administrator with data permissions to an
       entire department can view the TA information and requests for all employees in the
       department. Accordingly, HR Links must be configured to manage data permissions to
       protect employee information from unauthorized disclosure.




A190056/C/T/F21004                          2
Results

Finding – GSA did not adequately test HR Links or fully address problems identified during
testing prior to system deployment, resulting in sensitive information exposures, incomplete
and inaccurate data, and functional deficiencies.

GSA did not sufficiently manage risks associated with migrating its legacy HR systems to HR
Links. We found that GSA did not adequately test HR Links or fully address problems identified
during system testing. As a result, HR Links had a series of significant system weaknesses upon
deployment. As described below, these weaknesses caused the exposure of sensitive
information (including personally identifiable information [PII]), incomplete and inaccurate
employee information, and functional deficiencies. According to GSA personnel, the system
testing was challenged by project delays that affected the test data and testing schedule.
Although GSA has since addressed the deployment issues, it should apply lessons learned from
the HR Links deployment to ensure that appropriate testing is conducted to identify and
mitigate risks for future system deployments.

Inappropriate Information Access Resulted in the Exposure of Sensitive Information

The Federal Information Security Modernization Act of 2014 requires that information systems
limit users’ access to only the information for which they are authorized. 1 To meet this
requirement and protect the confidentiality and integrity of system information, it is critical
that agencies thoroughly test a system’s access controls prior to deployment to verify that
users can only access the information necessary to fulfill their job responsibilities. However, we
found that GSA’s testing of HR Links did not identify system security weaknesses that resulted
in sensitive information exposures and inappropriate access.

Exposure of sensitive information. As described below, GSA’s HR Links testing failed to identify
access control deficiencies that resulted in the exposure of sensitive information, such as PII
and employment-sensitive information, for 92 users.

       Help desk ticket exposure. GSA’s HR Links testing failed to identify misconfigured access
        controls that enabled a user to view other users’ help desk tickets, as well as any
        sensitive information or attachments included with the tickets. As a result, HR Links
        exposed PII and employment-sensitive information for at least six individuals, including
        a birth certificate, college transcript, performance appraisal, and insurance application.
        HR Links testing did not verify that users were limited to viewing only their own help
        desk tickets. GSA determined that two individuals’ PII was accessed in this incident.

       Address change requests. GSA’s testing of access controls governing address change
        requests in HR Links was not comprehensive. When a user changes their home address

1
 The Federal Information Security Modernization Act of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283,
requires federal agencies to develop, document, and implement an agency-wide program to provide information
security for the information and systems that support the operations and assets of the agency.


A190056/C/T/F21004                                  3
       in HR Links, the system automatically sends a confirmation email. These emails include
       hyperlinks that, when opened, should take the user to their specific address change
       request in HR Links. GSA’s testing verified that notification emails were sent to users as
       required, but failed to identify an access control weakness that enabled users to view all
       address change requests when opening the hyperlink. As a result, the names and home
       addresses for 68 employees were accessible to other employees through an address
       change self-service page. GSA determined that 19 individuals’ PII was accessed in this
       incident.

      Shared unique identifier. GSA’s testing was insufficient to ensure that each user was
       limited to accessing their own user account. In configuring the system, GSA did not use a
       unique identifier to create each employee’s user account. Consequently, individuals
       who shared the same first and last name were not uniquely identified and signed into an
       account that was not their own. GSA did not detect this problem during testing, which
       resulted in the exposure of individuals’ names, social security numbers, and home
       addresses. GSA determined that 18 individuals’ PII was accessed in this incident.

On June 7, 2018, 3 days after HR Links’ launch, we notified GSA’s Chief Human Capital Officer
and Chief Information Officer of the PII exposures in HR Links caused by the access control
weaknesses identified above. In response, GSA corrected these issues. GSA also conducted a
review of the 92 individuals whose sensitive information was exposed in HR Links. GSA
determined that 39 individuals’ PII was accessed and assessed the risk of harm to these
individuals. GSA determined that 21 of the 39 individuals should receive notification of their
PII’s exposure. For the remaining 18 individuals, GSA contacted the employees who were
incorrectly granted access to another employee’s profile to determine if PII had been stored or
disseminated. These individuals attested that they did not store or disseminate PII. GSA
concluded that the risk of harm to the affected 18 individuals was low and that notification of
their PII’s exposure was not required, in accordance with the Office of Management and
Budget’s M-17-12, Preparing for and Responding to a Breach of Personally Identifiable
Information and the GSA Information Breach Notification Policy.

Inappropriate information access. HR Links testing also failed to identify misconfigured user
roles and data permissions for time administration and HR personnel. The misconfigured user
roles and data permissions resulted in excessive or inadequate access to information and, in
some cases, prevented these users from performing their work.

      Time administration personnel access. Time administration personnel enter, adjust, or
       approve time requests for a group or groups of employees who they are assigned to
       support. However, GSA did not limit time administration personnel’s access to their
       assigned employees and failed to detect the misconfiguration during testing.

       After the HR Links launch, 35 help desk tickets were submitted reporting that time
       administration personnel were able to view and approve employee TA information and
       requests for employees they were not assigned to support. In some cases, these time
       administration personnel were granted inappropriate access to TA information and


A190056/C/T/F21004                          4
       requests for all GSA employees. Conversely, 94 help desk tickets were submitted
       reporting that time administration personnel could not view and approve TA
       information and requests for the departments they supported.

      Excessive access to HR transactions. GSA officials did not configure data permissions to
       limit HR personnel’s access to only those employees they support and did not detect the
       potential problems arising from this misconfiguration through system testing. As a
       result, some HR personnel were unintentionally given access to view and process all HR
       transactions in HR Links instead of only transactions for the employees they support. In
       one instance, an administrator denied an employee promotion transaction they should
       not have been able to access, which disrupted the promotion process.

Taken together, the deficiencies described above demonstrate that GSA’s testing was
insufficient to identify system security weaknesses, which resulted in exposures of sensitive
user information and inappropriate access. GSA should ensure that system roles and data
permissions are accurately defined and sufficiently tested in advance of future system
deployments to properly control employees’ access to information.

Deficiencies in Data Migration Led to Incomplete and Inaccurate Information

GSA’s testing did not ensure that all necessary legacy system information was migrated in
accordance with mandatory system requirements. GSA’s transition to HR Links required the
migration of employee data from the three legacy HR systems to HR Links. Accordingly,
thorough testing of migrated information was required to verify that mandatory system
requirements were met and reduce the risk of business disruptions. However, as described
below, GSA’s testing of HR Links failed to identify missing and inaccurate employee data
migrated from legacy systems.

      Missing supervisor of record. In HR Links, every position must contain a supervisor of
       record to enable the system to route HR and TA requests properly. However, GSA
       migrated incomplete supervisor of record information from legacy HR systems to HR
       Links; therefore, 517 employees were unable to route their HR and TA requests.
       Although similar problems were encountered during testing, GSA did not take corrective
       action to ensure that all employee positions identified a supervisor of record prior to the
       deployment of HR Links.

      Invalid department identification (ID). HR Links uses department IDs to assign data
       permissions to groups of employees in an office or organization. An employee must be
       assigned to a department ID in HR Links or they will not be visible within the system to
       other appropriate users, including time administration and HR personnel, and will have
       limited use of the system. However, GSA’s testing did not verify that all employees were
       assigned to a valid department ID. As a result, some employees were not visible to other
       appropriate users and were unable to access any HR or TA functions because they were
       not assigned to a valid HR Links department ID. GSA officials stated that they were
       unable to provide the number of employees affected by this issue.


A190056/C/T/F21004                          5
      Incorrect accounting group. In HR Links, some employees must be assigned to an
       accounting group that enables them to select specific labor codes for their timesheet.
       These labor codes allow employees to charge their time to various job duties, such as
       managing regional operations or legislative affairs. When GSA deployed HR Links, 170
       employees were assigned to the wrong accounting group. Some of these employees
       were inappropriately required to select labor codes; others were unable to select their
       correct labor codes. When these employees attempted to submit their timesheets in HR
       Links, the system rejected their timesheets because they did not contain the expected
       labor codes.

       During testing, GSA did not verify that all employees were assigned to the correct
       accounting group and did not detect this problem before system deployment. According
       to GSA officials, this problem was caused by GSA developing incorrect instructions for
       assigning employees to accounting groups. GSA corrected this issue by updating the
       instructions and reassigning the affected employees to the correct accounting groups.

GSA’s HR Links testing failed to identify missing and inaccurate employee data migrated from
legacy HR systems. GSA officials informed us that they were aware that the data in legacy
systems was imperfect, and the project could have benefitted from additional effort s to
prepare the data for migration. Ultimately, GSA chose to migrate data from the legacy systems
and fix issues as they arose after deploying HR Links. Although GSA has since addressed these
data integrity issues, GSA should apply the lessons learned to future system deployments.

Functional Deficiencies

HR Links’ testing failed to identify deficiencies in system functionality. Thorough functional
testing verifies that the system meets user expectations, satisfies GSA business requirements,
and reduces the risk of business disruptions during the system transition. However, as
described below, we identified misconfigurations and functional limitations that caused errors
in processing timesheets, automated approval of HR transactions, supervisory functions, and
system-generated emails.

      Timesheet processing. Although GSA tested employee timesheet submission
       functionality, GSA officials stated that a business rule that validates employee leave
       balances was not properly configured. The misconfigured business rule did not compare
       the amount of leave requested against the employee’s leave balance, causing many
       timesheets to generate error messages for employees with sufficient leave.

      Automated approval of HR transactions. GSA was unable to automate the end-to-end
       approval of HR transactions, such as employee promotions, within HR Links. GSA was
       unable to configure HR Links to route transactions to the appropriate HR personnel
       because it was unclear how approval responsibilities for HR user roles would transfer
       from legacy HR systems. Ultimately, GSA chose to abandon this HR Links functionality
       and conduct most of the approval process for personnel transactions outside of HR
       Links.


A190056/C/T/F21004                         6
      Supervisory functions. HR Links did not satisfy GSA’s mandatory system requirements in
       three supervisory functions:

           1. Supervisors were only able to delegate all of their employees or none of their
              employees to an alternate supervisor;
           2. Neither higher-level supervisors nor administrators were able to approve
              employee requests on behalf of supervisors who were unavailable; and
           3. Supervisors with employees detailed to their team were unable to manage their
              temporary employees’ performance appraisals in HR Links.

       GSA officials stated that HR Links was unable to support the existing GSA business
       process without enhancements to the existing design. In November 2018, GSA deployed
       functionality in HR Links that fully resolved the above limitations. Tests related to this
       functionality appear to have failed during system testing, but deficiencies were not
       corrected prior to deployment.

      System-generated emails. The launch of HR Links experienced three email functionality
       issues that did not meet mandatory system requirements:

           1. GSA’s email servers rejected HR Links notification emails or incorrectly
              categorized the notification emails as spam. HR Links generates notification
              emails that inform personnel that they have pending HR and TA requests
              requiring their approval. GSA email servers were not configured to properly
              route HR Links notification emails;
           2. Users were unable to view their TA requests because hyperlinks embedded in
              notification emails directed users to invalid webpages; and
           3. A misconfiguration caused employees to receive email notifications that stated
              their timesheet had been modified for “%5” instead of a valid pay period.

GSA could have detected the functionality deficiencies identified above through more robust
testing. While GSA has either corrected the deficiencies or elected to move away from certa in
functionality, it should assess the limitations in its testing that failed to detect these errors to
improve future system deployments.

In sum, GSA’s HR Links testing was inadequate to meet its stated purpose of “validating
business requirements and confirming business readiness.” GSA’s testing did not identify
inaccuracies in employee data or functional deficiencies. In addition, GSA failed to address
problems identified during testing prior to launching HR Links. While these problems did not
have a catastrophic effect on HR Links, they resulted in exposures of sensitive information,
incomplete and inaccurate information, and functional deficiencies.




A190056/C/T/F21004                            7
Testing Challenges

During our audit, HR Links technical specialists and program management officials identified a
number of challenges that contributed to GSA’s inadequate testing. For example, the HR Links
test plan called for the use of live employee data to test HR Links’ interfaces with other GSA
systems. However, live data was not available until after the completion of interface testing.
GSA required an authorization to operate (ATO) for HR Links to exchange live data, but the ATO
for HR Links came later than anticipated due to a lengthy security assessment process. 2 In one
situation we identified, GSA chose to move forward with testing by using data that had
employee PII removed because HR Links had not yet received an ATO. The lack of live data
during interface testing likely limited GSA’s ability to verify the accuracy of employee
information migrated from legacy HR systems to HR Links.

The delay in the HR Links ATO also added challenges to the HR Links deployment. HR Links
technical specialists stated that the deployment was completed under a compressed schedule
due to the delayed ATO. Rather than complete test phases sequentially, in accordance with the
HR Links test plan, technical specialists stated that test phases were overlapped to
accommodate the compressed schedule. Technical specialists also asserted that the project
would have benefited from gaps between the different test phases and extra time to conduct a
thorough quality assurance process. HR Links program management officials stated that
additional delays to the launch of HR Links would have resulted in additional cost, and that all
HR Links tests were completed prior to deployment.

GSA should assess these challenges, along with our report finding, to identify opportunities for
improvement in future system deployments. In particular, GSA should focus on enhancements
to system testing to ensure that future system deployments are not adversely affected by
system security weaknesses, incomplete and inaccurate data migration, and deficiencies in
functionality encountered during the HR Links deployment.




2
 National Institute of Standards and Technology Special Publication 800-37 Revision 2, Risk Management
Framework for Information Systems and Organizations, requires federal information systems to undergo a security
assessment and authorization process. An ATO is the successful end result of this process.


A190056/C/T/F21004                                8
Conclusion

GSA did not sufficiently manage risks associated with migrating its legacy HR systems to HR
Links. We found that GSA did not adequately test HR Links or fully address problems identified
during system testing. As a result, HR Links had a series of significant system weaknesses upon
deployment. These weaknesses caused the exposure of sensitive information (including PII),
incomplete and inaccurate employee information, and functional deficiencies.

Although GSA has addressed these deficiencies, it should apply lessons learned from the HR
Links deployment to ensure that appropriate testing is conducted to identify and mitigate risks
for future system deployments, including GSA’s government-wide payroll system, NewPay.

Recommendation

We recommend that GSA’s Chief Human Capital Officer and Chief Information Officer, prior to
the deployment of future systems, design and implement appropriate system testing to ensure
that:
    a. Required system security controls, including those governing user roles and data
       permissions, are operating effectively;
    b. Data is complete and accurately migrated from legacy systems, if applicable; and
    c. System testing verifies that all functional requirements are met.

GSA Comments

The GSA Chief Human Capital Officer and Chief Information Officer agreed with our finding and
recommendation. GSA’s response is included in its entirety in Appendix B – GSA Comments.

OIG Response

In its response to our draft report, GSA provided a technical comment related to the number of
individuals notified of the PII exposure. GSA identified a transcription error in the data it
provided during the audit and provided clarifying documentation. We have updated the report
to reflect the additional information GSA provided.

Audit Team

This audit was managed out of the Acquisition and Information Technology Audit Office and
conducted by the individuals listed below:

     Sonya D. Panzo              Associate Deputy Assistant Inspector General for Auditing
     Robert B. Fleming           Audit Manager
     James N. Shreve             Auditor-In-Charge
     Victor R. Pimentel          IT Specialist
     Carla J. Humphrey           Management Analyst



A190056/C/T/F21004                          9
Appendix A – Scope and Methodology

To evaluate the HR Links migration, we analyzed a number of information security incidents
that occurred after the system launched. Our analysis covered the time period between
November 2016 and February 2019.

To accomplish our objective, we:

      Reviewed HR Links’ system security and functional documentation;
      Reviewed the HR Links contract, system design documents, test plans and result s, and
       actions taken to resolve HR Links issues;
      Gathered evidence related to HR Links’ system security incidents;
      Reviewed 1,899 help desk tickets submitted in the 2 weeks after HR Links was launched
       on June 4, 2018;
      Evaluated HR Links system updates made in 2018 and how they affected HR Links
       system operation;
      Analyzed GSA’s information technology security policy and federal information system
       standards; and
      Interviewed GSA and IBM personnel.

We conducted the audit between February 2019 and November 2020 in accordance with
generally accepted government auditing standards. Those standards require that we plan and
perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for
our findings and conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our finding and conclusions based on our audit
objective.

Internal Controls

Our assessment of internal controls was limited to those necessary to address the objective of
the audit.




A190056/C/T/F21004                        A-1
Appendix B – GSA Comments




A190056/C/T/F21004          B-1
Appendix C – Report Distribution

GSA Administrator (A)

GSA Deputy Administrator (AD)

Chief Human Capital Officer (C)

Chief of Staff (C)

Deputy Chief Human Capital Officer (CS)

Director of Human Resources (CR)

Chief Information Officer (I)

Chief of Staff (I)

Deputy Chief Information Officer (ID)

Associate Chief Information Officer for Enterprise Planning and Governance (IDR)

Chief Information Security Officer (IS)

Chief Financial Officer (B)

Office of Audit Management and Accountability (BA)

Assistant Inspector General for Auditing (JA)

Director, Audit Planning, Policy, and Operations Staff (JAO)




A190056/C/T/F21004                         C-1