DOL Needs to Do More to Secure Employees Personally Identifiable Information in the Travel Management System

Published by the Department of Labor, Office of Inspector General on 2020-09-10.

U.S. Department of Labor
Office of Inspector General
Audit

BRIEFLY…

DOL NEEDS TO DO MORE TO SECURE EMPLOYEES' PERSONALLY IDENTIFIABLE INFORMATION IN THE TRAVEL MANAGEMENT SYSTEM

September 10, 2020

WHY OIG CONDUCTED THE REVIEW

DOL's travel management system, E2 Solutions (E2), is managed by the Office of the Chief Financial Officer (OCFO) and contains personally identifiable information (PII) for all DOL employees who use the system. PII in E2 includes highly sensitive information, such as employees' social security numbers and credit card numbers, which are common targets for identity theft. E2 also has sensitive details regarding DOL personnel's travel plans.

Concerned by the potential risk of unauthorized access to or unintentional exposure of employees' PII, we reviewed OCFO's management of E2.

WHAT OIG DID

We conducted a review to answer:

   Did DOL effectively manage its E2 travel system to prevent unnecessary access to DOL employees' PII?

To determine this, we conducted interviews and reviewed relevant DOL policies and procedures, federal laws, regulations, contract requirements, and E2 user account permissions.

REPORT NUMBER: 23-20-003-13-001

WHAT OIG FOUND

DOL did not effectively manage its E2 travel system to prevent unnecessary access to DOL employees' PII, as the OCFO did not manage E2 user accounts according to DOL information security policies.

We found the OCFO had not provided sufficient guidance to agencies' personnel for securing E2 user accounts during creation and account maintenance. Additionally, the OCFO had not performed the oversight necessary to ensure E2 user accounts were appropriately created and maintained. Furthermore, we found the OCFO had not fully implemented E2's contractual security requirements and deliverables.

These conditions existed because the OCFO had not implemented controls to appropriately manage E2 user accounts and contractual requirements. Because the OCFO did not ensure E2 user accounts were appropriately secured, DOL employees were at risk of having their PII accessed.

WHAT OIG RECOMMENDED

We recommended the Chief Financial Officer:

   1. Establish and implement procedures to ensure E2 account management practices enforce DOL's security policies.

   2. Establish and implement procedures to ensure E2 is managed in compliance with contractual security requirements and DOL computer security policies for contracted information systems.

OCFO agreed with our recommendations and has already initiated some actions to address them.

READ THE FULL REPORT

The DOL OIG sometimes issues a report containing sensitive information and may redact certain information; in some instances, because of the highly sensitive nature of the entire report, the OIG may not make the report publicly available. In those instances, a brief summary of the report is posted to the website, which is the case here.