U.S. Department of Labor
Office of Inspector General
Audit

BRIEFLY…

DOL NEEDS TO DO MORE TO SECURE EMPLOYEES’ PERSONALLY IDENTIFIABLE INFORMATION IN THE TRAVEL MANAGEMENT SYSTEM

September 10, 2020

WHY OIG CONDUCTED THE REVIEW

DOL’s travel management system, E2 Solutions (E2), is managed by the Office of the Chief Financial Officer (OCFO) and contains personally identifiable information (PII) for all DOL employees who use the system. PII in E2 includes highly sensitive information, such as employees’ social security numbers and credit card numbers, which are common targets for identity theft. E2 also has sensitive details regarding DOL personnel’s travel plans.

Concerned by the potential risk of unauthorized access to or unintentional exposure of employees’ PII, we reviewed OCFO’s management of E2.

WHAT OIG DID

We conducted a review to answer:

Did DOL effectively manage its E2 travel system to prevent unnecessary access to DOL employees’ PII?

To determine this, we conducted interviews and reviewed relevant DOL policies and procedures, federal laws, regulations, contract requirements, and E2 user account permissions.

REPORT NUMBER: 23-20-003-13-001

WHAT OIG FOUND

DOL did not effectively manage its E2 travel system to prevent unnecessary access to DOL employees’ PII, as the OCFO did not manage E2 user accounts according to DOL information security policies. We found the OCFO had not provided sufficient guidance to agencies’ personnel for securing E2 user accounts during creation and account maintenance. Additionally, the OCFO had not performed the oversight necessary to ensure E2 user accounts were appropriately created and maintained. Furthermore, we found the OCFO had not fully implemented the E2’s contractual security requirements and deliverables.

These conditions existed as the OCFO had not implemented controls to appropriately manage E2 user accounts and contractual requirements. By the OCFO not ensuring E2 user accounts were appropriately secured, DOL employees were found at risk of having their PII accessed.

WHAT OIG RECOMMENDED

We recommended the Chief Financial Officer:

1. Establish and implement procedures to ensure E2 account management practices enforce DOL’s security policies.
2. Establish and implement procedures to ensure E2 is managed in compliance with contractual security requirements and DOL computer security policies for contracted information systems.

OCFO agreed with our recommendations and has already initiated some actions to address these recommendations.

READ THE FULL REPORT

The DOL OIG sometimes issues a report containing sensitive information, and may redact certain information or in some instances, because of the highly sensitive nature of the entire report, the OIG may not make the report publicly available. In those instances, a brief summary of the report is posted to the website, which is the case here.

DOL Needs to Do More to Secure Employees’ Personally Identifiable Information in the Travel Management System
Published by the Department of Labor, Office of Inspector General on 2020-09-10.