US OFFICE OF PERSONNEL MANAGE1vlENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS . EillalAuditReport Subject: . ..AUDIT OF THE SECURITY OF PERSONALLY .. "..· IDltNTIFIABLE.INF01ThiATION IN TIlE FEDERAL .,':,. "'~~¥.~S!IG~~IlYE:Stll.VICES DIVISION ()FTHE '.' ··';U~S.OFFICEOF.PERSONNELMANAGEMENT' . " _;r' . '. _ ,""., _ '", ,', ." • . ' . , . . .• . . .. '.•. . ··.RePQrtNO~· 4A~IS~OO-08..014 . Date: 'April .21, 2009 --CAUTION- This 9udil,reporl hasbeendistributed toFederal officials ,,,hi> are responsible for the administration ofthe audited program. Thi~ ~udilreport may contain proprietary data which is protected by Federal law (IS U.S.c. 1905); therefore, while this audit , .reporl is avail a ble under the Freedom of Information Act, caution needs to beexerdSl!d lxfore rdeasing tbe report to the ' gen'eral pil bJi c. ' , . UNITED STATES OFFICE OF PERSONNEL MANAGEMENT Washington. DC 20415 Office of the Inspector General AUDIT REPORT AUDIT OF THE SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION IN THE FEDERAL INVESTIGATIVE SERVICES DIVISION OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT Report No. 4A-IS-OO-08-014 Date: April 21, 2009 Michael R. Esser Assistant Inspector General for Audits www.opm.gov www.usajobs.gov UNITED STATES OFFICE OF PERSONNEL MANAGEMENT Washington. DC 20415 Office of the Inspector General EXECUTIVE SUMMARY AUDIT OF THE SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION IN THE FEDERAL INVESTIGATIVE SERVICES DIVISION OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT Report No. 4A-IS-OO-08-014 Date: April 21« 2009 The Office of the Inspector General has completed a performance audit on personally identifiable information (PH) in the Federal Investigative Services Division (FISD) of the U.S. Office of Personnel Management (OPM). Our main objective was to determine whether FISD has effectively implemented controls for the storage, security, and transmission of PI!. In order to make this determination, our audit included the following specific objectives: (1) determine whether FISD's and contractors' employees are adhering to the contract temls, OPM and Federal policy, and internal policies regarding the controls over PII; (2) determine whether all personnel have been adequately trained in the proper handling ofPII; and (3) determine whether FISD's and contractors' employees are properly reportipg incidents of the loss or compromise of information containing PlI. Our audit was conducted from March 25 through December 2, 2008 at OPM headquarters, located in Washington D.C.; FISD headquarters, located in Boyers, Pennsylvania; and contractor sites located in Chantilly, Virginia; Loveland, Colorado; and Boyers, Pennsylvania. Our audit disclosed seven areas requiring improvement, including instances in which FISD requirements or policies and procedures were not followed by the Contractors, as weJl as instances in which FISD controls were inadequate or absent altogether. A. Training 1. No Security Awareness Training for New Hires Procedural FISD's contractors did not provide OPM Information Technology Security Awareness Training to new employees within 30 days of their initial hiring. www._ www.usajobs.gov 2. No PII Training for Contractors Procedural FISD did not require Goodwill employees to be trained on the collection of bins containing documentation to be shredded, observation of the shredding process, and safeguarding of PII. In addition, we could not determine whether Iron Mountain employees, responsible for handling the bins, have received appropriate PII training. B. Incident Reporting 1. Lack of Controls for Contractor Incident Reporting Procedural FISD’s contractors did not report the loss of PII in accordance with FISD’s “Loss or Compromise of Personally Identifiable Information” policy. 2. Lack of Controls for FISD Incident Reporting Procedural FISD’s controls for reporting the loss or compromise of PII do not ensure that incidents are reported timely, in accordance with their “Loss or Compromise of PII” policy. C. Investigative Case Notes 1. Lack of Controls for the Timely Return of Investigative Procedural Case Notes FISD’s contractors do not have controls in place to ensure that case notes are returned to their Program Management Office within two weeks, as required by their contract with FISD. 2. Lack of Controls over the Return of Investigative Case Procedural Notes FISD investigative case notes were destroyed prior to the expiration of the three-year retention period. In addition, FISD does not have a method for ensuring that background investigators return investigative case notes once the background case is closed. ii D. Telework 1. Lack of Controls for the Handling of PII While Procedural Employees Telework FISD does not have an adequate method of tracking the removal and return of background cases and related case materials while employees telework. iii TABLE OF CONTENTS Page EXECUTIVE SUMMARY ………………......................................... i I. INTRODUCTION AND BACKGROUND ........................................ 1 II. OBJECTIVES, SCOPE, AND METHODOLOGY ............................ 4 III. AUDIT FINDINGS AND RECOMMENDATIONS ......................... 6 A. Training 1. No Security Awareness Training for New Hires…….……….. 6 2. No PII Training for Contractors ……………..………………. 8 B. Incident Reporting 1. Lack of Controls for Contractor Incident Reporting …..…….. 9 2. Lack of Controls for FISD Incident Reporting …...…………. 11 C. Investigative Case Notes 1. Lack of Controls for the Timely Return of Investigative Case Notes …………………………………………………...…….. 12 2. Lack of Controls over the Return of Investigative Case Notes ………………………………………………...………. 13 D. Telework 1. Lack of Controls for the Handling of PII While Employees Telework………………………………………………...…… 15 IV. MAJOR CONTRIBUTORS TO THIS REPORT…………………... 17 APPENDIX (Federal Investigative Services Division’s response, dated January 30, 2009, to our draft report.) I. INTRODUCTION AND BACKGROUND Introduction This final audit report details the findings, conclusions, and recommendations resulting from our performance audit of the Security of Personally Identifiable Information (PII) in the Federal Investigative Services Division (FISD) of the U.S. Office of Personnel Management (OPM). The audit was performed by OPM's Office of the Inspector General (OIG), at the request of former Director Linda M. Springer and as authorized by the Inspector General Act of 1978, as amended. Background FISD, headquartered in Boyers, Pennsylvania, conducts background investigations for Federal agencies so they can make suitability and national security decisions regarding personnel. FISD is responsible for conducting approximately 90 percent of all personnel background investigations for the Federal Government. FISD currently contracts with three investigative contractors: US Investigations Services, Inc. (USIS); CACI International, Inc. (CACI); and Kroll Government Services (Kroll), hereafter referred to as the “Contractors”, to assist with completing background investigations. In addition to the investigative contractors, FISD also contracts with Goodwill Industries of Pittsburgh (Goodwill) for services which include the collection of secured bins and observing the shredding of PII contained within the bins. Iron Mountain is responsible for handling the bins and shredding the PII documentation. FISD is in the business of collecting information, much of it of a personal nature (including PII), on Federal employees, contractors and military personnel. It is the responsibility of each employee of FISD and its Contractors to ensure that all such information entrusted to them in the course of their duties be protected and secured against compromise. FISD defines PII as any information unique to an individual which, on its own or in aggregate with other information, would tend to specifically identify that individual. PII includes: • Full Names (first and last) • Social Security Numbers Other personal data which, on its own, would not tend to identify any single individual is not considered PII, and does not require protection. This category of data includes: • Full or last names, standing alone • Dates of Birth • Places of Birth These three types of data are only considered PII when they appear in conjunction with each other (e.g., SMITH, December 21st, 1972, Portland, Oregon) or when any single type appears in conjunction with a full name and /or a Social Security number (e.g., John David, April 30, 1966). 1 Each background investigative contract includes specific requirements for safeguarding investigative materials containing PII, which include the following: • Contractors are responsible for the security, integrity and appropriate authorized use of their systems used for the transaction of all Government business; • Contractors shall provide acceptable secured capability/secure storage for all investigative materials (case files, computers, etc.), which must be locked in a secured area when not under the direct supervision of Contractor personnel; • Each field office location that will receive case papers or that will have supervisory or clerical staff responsible for assigning and following up on OPM cases must have dedicated computers and printers that are approved by OPM, prior to implementation; and • Certain personnel performing work under the contracts must possess minimum qualifications, and training that meets OPM requirements; however, all contract personnel conducting work on the contract must be trained through the approved Contractor training plan. OPM is responsible for protecting its information resources, including handwritten notes, case papers, copies of reports, and OPM-imaged hard drives, from loss, theft, misuse, destruction, and unauthorized access, disclosure, modification and duplication. Therefore, OPM created a Security and Privacy Policy, dated September 2007, that is applicable to OPM employees, contractors, and all others who have access to OPM information resources, systems, networks, information and facilities. FISD has developed and issued various policies related to the protection of PII to its employees and Contractors. These policies include protocols and timeliness standards to follow in order to protect PII while in an employee's possession or in transport; the storage of PII; and how to report incidents involving the loss, theft, or abuse of PII. In addition, there are training requirements that must be met by FISD employees and its Contractors. OPM requires that new employees complete an Information Technology (IT) Security Awareness Training within 30 days of initial hiring. OPM also requires a mandatory annual IT Security Awareness Training for all OPM employees, contractors, and subcontractors. All Contractors and FISD employees conducting background investigations must also be trained on FISD’s requirements for background investigations. Investigators initially receive classroom training prior to receiving their first case load as a background investigator. Required training will be commensurate with prior experience. Within three months of the establishment of an Investigative Contract, the Contractor shall provide FISD approved training to all investigative personnel and reviewers identified in the contract proposal as being personnel they will assign to the contract. FISD will assist Contractors in the development of their training by providing materials on the minimum coverage topics, which must include orientation on FISD investigative requirements including controls over PII. The Contractor shall augment the training (i.e., additional classroom lessons, ride-alongs, mentoring, etc.) using the Contractor’s existing staff to ensure compliance with OPM’s policies as outlined in the OPM FISD Investigator’s Handbook 2 and appropriate Revision Notices. All training material may be supplemented by the Contractor; however, all such materials must be approved by FISD and are the property of FISD. No previous audits of FISD’s controls over PII have been performed. The initial results of our audit were discussed with OPM officials during an exit conference. A draft report was issued on December 16, 2008. FISD’s response to the draft report was considered for this final report and is included as an Appendix. 3 II. OBJECTIVES, SCOPE, AND METHODOLOGY Objectives The primary objective of our audit was to determine whether FISD has effectively implemented controls for the storage, security, and transmission of PII. Specifically, our objectives were to: • Determine whether FISD’s and Contractors’ employees are adhering to the contract terms, OPM and Federal policy, and internal policies regarding the controls over PII; • Determine whether all personnel have been adequately trained in the proper handling of PII; and • Determine whether FISD’s and Contractors’ employees are properly reporting incidents of the loss or compromise of information containing PII. The recommendations included in this final report address these objectives. Scope and Methodology Our performance audit was conducted in accordance with generally accepted government auditing standards as established by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The scope of our audit covered FISD’s and Contractors’ current policies and procedures governing PII. We performed this audit from March 25 through December 2, 2008 at FISD offices located in OPM headquarters in Washington, D.C. and Boyers, Pennsylvania. In addition, we visited Contractors’ sites located in Chantilly, Virginia; Boyers, Pennsylvania; and Loveland, Colorado. To accomplish the audit objectives noted above, we: • Reviewed FISD’s and Contractors’ policies regarding the storage, security, and transmission of PII; • Reviewed FISD’s and Contractors’ policies for training employees and contractors on the protection of PII; • Reviewed FISD’s and Contractors’ policies for reporting incidents including the loss or compromise of PII; • Sampled and tested FISD’s and Contractors’ training records and incident reports; and • Interviewed FISD’s and Contractors’ personnel. In planning our work and gaining an understanding of the internal controls over the storage, security, and transmission of PII, we considered the internal control structure to the extent 4 necessary to develop our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives. The purpose of our audit was not to provide an opinion on internal controls, but merely to evaluate controls over the processes that were included in the scope of our audit. Our audit included such tests of FISD’s and the Contractors’ records and other procedures as we considered necessary under the circumstances. The results of our tests indicate that, with respect to the items tested, FISD and the Contractors complied with their policies and procedures and contract terms as they relate to PII, except for the areas set forth in the details of this audit report. In conducting our audit, we tested FISD’s and the Contractors’ compliance with their policies and procedures by selecting judgmental and random samples of training records, telework logs, incident reports, and closed cases. We tested a judgmental sample of 5 out of 32 CACI employees hired during the month of December 2007; 5 out of 50 Kroll employees hired between October 1, 2006 and September 30, 2007; and 5 out of 57 USIS employees hired between October 1, 2006 and September 30, 2007 to determine if they completed OPM’s Information Technology (IT) Security Awareness Training within 30 days of initial hiring. For closed cases, we judgmentally selected 10 out of 28 cases that were closed by CACI as of April 24, 2008; 10 out of 209 cases that were closed by Kroll on February 27, 2008; 10 out of an unknown number of cases that were closed by USIS as of February 29, 2008; and 10 out of 12,363 cases that were closed by FISD investigators between February 1 and February 29, 2008. We requested the case materials to determine if the notes were returned to and maintained at the respective headquarters. We judgmentally selected the 3 incidents reported by CACI; the 7 incidents reported by Kroll; and 5 out of 13 USIS incidents that were reported between November 1, 2007 and April 18, 2008. We also selected 2 out of 11 FISD incidents reported between November 1, 2007 and March 31, 2008 related to the loss of PII to determine whether FISD and Contractor employees reported incidents in accordance with FISD’s PII policies. In addition, we randomly selected logs of the FISD employees who teleworked from Boyers, Pennsylvania and Fort Meade, Maryland during the months of August and November 2007 to determine if employees were adhering to their groups’ telework policies. The results from the various samples were not projected to the population. 5 III. AUDIT FINDINGS AND RECOMMENDATIONS Our audit disclosed that FISD and their Contractors have controls in place for computers and portable devices that safeguard PII. We also noted that security inspections and risk assessments were conducted at FISD’s and Contractors’ facilities to evaluate and measure the effectiveness and efficiency of each facility that handles, processes, and stores equipment, case materials, and other items as required by security policies and standards. However, we also identified areas, described below, that require improvements due to the Contractors not following FISD requirements or policies and procedures, or due to FISD controls that were inadequate or absent altogether. A. Training 1. No Security Awareness Training for New Hires CACI and Kroll did not provide OPM IT Security Awareness Training to new employees within 30 days of their initial hiring. We judgmentally selected 5 out of 32 CACI employees hired during the month of December 2007; 5 out of 50 Kroll employees hired between October 1, 2006 and September 30, 2007; and 5 out of 57 USIS employees hired between October 1, 2006 and September 30, 2007 to determine if they completed the IT Security Awareness Training within 30 days of initial hiring. The results of our review disclosed that the CACI and Kroll employees did not complete the training, as required by the FISD contract. CACI and Kroll stated that they provide the OPM IT Security Awareness Training on an annual basis when the OPM IT security staff provides them with the training materials. New investigators receive IT Security Awareness Training in the New Investigator Training and therefore they do not feel that it is necessary to provide a separate IT Security Awareness Training for the new hires. OPM’s Information Security and Privacy Policy, dated September 2007, Section A.2.9.2, states that “All OPM employees and contractors accessing OPM information resources will attend information security and privacy awareness training before being granted access to OPM information resources.” The FISD contract states that “OPM information technology [IT] security staff will approve the training materials and follow up with contractor to ensure timely completion. OPM will require a memorandum that initial IT Security Awareness Training has been completed within thirty (30) days of initial hiring of a new employee. Subsequently, the contractor shall provide, on an annual basis (on the anniversary date of the award of the contract), a memorandum indicating that refresher IT Security Awareness training has been completed.” As a result of not providing new employees with OPM’s IT Security Awareness Training, there is an increased risk that new employees will not be aware of their responsibilities in 6 dealing with PII and sensitive information, etc., and information that is accessed through OPM’s systems may be compromised. Recommendation 1 We recommend that FISD require CACI and Kroll to provide the OPM IT Security Awareness Training to all of their new employees within 30 days of their initial hire date, and document completion of this training by issuing a memorandum to OPM, as required by their contract. FISD’s Response: FISD concurs with this recommendation and stated that Kroll and CACI are submitting monthly reports that identify new hires and separations. These reports include clarification that the new hires have received security awareness training within 30 days of hire indicated either by a checkmark or overall statement on the reports. OIG Comment: FISD provided copies of management reports and training completion certificates for Kroll employees. We selected a sample of 2 Kroll employees from the reports provided and verified that the employees completed training within 30 days of their hire date. In addition, FISD provided management reports and training certificates for CACI employees. We selected a sample of 4 CACI employees from the reports and determined that all employees completed the training within 30 days of their hire date with the exception of one who completed the training four months after their hire date. Based on our analysis of the information provided, we have determined that OPM has taken appropriate action to address this recommendation and we consider the recommendation closed. Recommendation 2 We recommend that FISD require CACI and Kroll to provide monthly management reports that list the names of new employees that have been hired during that period. FISD should utilize these reports, along with the training completion memoranda provided by CACI and Kroll, to ensure that new employees and sub-contractors are being trained prior to being granted access to OPM systems, as required by OPM’s Information Security and Privacy Policy. FISD’s Response: FISD concurs with this recommendation and stated that effective February 1, 2009 all contractors will be required to submit monthly management reports identifying all new hires that have completed security awareness training and completion certificates to the contractor’s respective oversight teams. The list of new hires will be reconciled against the certificates received to confirm compliance with the training requirement. 7 OIG Comment: We reviewed management reports identifying new hires and training completion certificates; however, we were not provided with evidence that FISD is reconciling the reports against the training completion certificates. 2. No PII Training for Contractors FISD did not require Goodwill employees to be trained on the collection of bins containing documentation to be shredded, observation of the shredding process, and safeguarding of PII. In addition, we could not determine whether Iron Mountain (IM) employees, responsible for handling the bins, have received appropriate training. On a daily basis, the full bins, which are located throughout FISD headquarters, are moved to and stored in the Goodwill area until they are transported to the IM facility where the documents containing PII will be shredded. IM is responsible for retrieving the full bins from the Goodwill area and transporting them to its facility. During transport, Goodwill employees ensure that the IM truck and the bins are not compromised. Upon arrival at the IM facility, IM employees unload the bins from the truck; unlock the bins; and empty the bins, which contain documents including PII, for shredding. IM employees shred the documentation and return the empty bins to the Goodwill area at FISD headquarters. Goodwill employees supervise the unloading and shredding of the PII materials at the IM facility. Goodwill is also responsible for ensuring that its employees receive training related to the collecting, transporting, and storing of the bins and for observing the shredding of PII. FISD does not have controls in place to ensure that its contractors are appropriately training employees on the collection and observation of the shredding process, including the handling of PII. OPM’s contract with Goodwill Industries of Pittsburgh, Section 2.10.4, Shredding Container Collection, states that the “Contractor shall ensure that employees responsible for shredding container collection have had the appropriate training.” Appropriate training would include Goodwill’s responsibilities for the collection of bins and the observation of the shredding process and all PII related responsibilities. Not training all personnel involved with the container collection and shredding process may lead to the compromise, loss, and/or theft of PII. Recommendation 3 We recommend that FISD implement internal control procedures to ensure that Goodwill and IM provide training to employees for the collection, transportation, and destruction of documents, including PII. Internal controls should include a requirement for contractors to provide documentation to FISD to support the completion of training. 8 FISD’s Response: FISD concurs with this recommendation and stated that all affected employees completed training by January 21, 2009. OIG Comment: FISD provided training materials, training sign-in sheets, and listings of Goodwill and Iron Mountain employees. We reviewed this documentation and verified that current Goodwill and Iron Mountain employees completed PII training. However, FISD did not provide documentation (i.e., internal control procedures) to ensure that all new hires after January 21, 2009 will be trained on the security of PII and the container collection and shredding processes. B. Incident Reporting 1. Lack of Controls for Contractor Incident Reporting The Contractors did not report the loss of PII in accordance with FISD’s “Loss or Compromise of Personally Identifiable Information” policy. We judgmentally selected incidents related to the loss of PII that were reported to OPM’s Situation Room between November 1, 2007 and April 18, 2008. We selected the 3 incidents reported by CACI; the 7 incidents reported by Kroll; and 5 out of 13 USIS incidents for review. We reviewed the incident files to determine whether the Contractors handled PII and reported incidents in accordance with FISD’s policies and procedures. FISD’s policy for the “Loss or Compromise of Personally Identifiable Information”, effective November 19, 2007, states that when an incident is detected the following parties must be notified within 30 minutes, regardless of the time of day: • local police department if the information is lost due to a theft; • OPM’s Situation Room; and • immediate Supervisor/Designee. In addition, the FISD policy states that the supervisor or designee must perform the following steps when notified of an incident: • Immediately send an email, with all details known thus far, to the employee’s second level supervisor and the FISD Incident Response Team, and • Within four hours of notification, working with the employee, the supervisor or designee must prepare an incident report, document the timeline of events, and prepare an inventory of the case material potentially compromised. These documents must be sent to the second level supervisor and the FISD Incident Response Team. 9 The Contractors’ controls are not effective to ensure that incidents are being reported properly and timely, in accordance with PII policies. Specifically, we found that: • Six incidents were not reported to the OPM Situation Room within 30 minutes of the incident being discovered; • Five incidents were not reported to the supervisor/designee within 30 minutes of the incident being discovered; • FISD’s Incident Response Team was not immediately notified of three incidents; and • Four incident reports were not issued to FISD within four hours. In addition, there was a lack of documentation to determine whether: • The OPM Situation Room was notified of one incident within 30 minutes after detection of the potential loss of PII; • The supervisor/designee was notified of three incidents within 30 minutes after detection of the potential loss of PII; • The employee’s second level supervisor and the FISD Incident Response Team were immediately notified of three incidents; and • Incident reports, documenting the timeline of events, and an inventory of the case materials potentially compromised, was prepared within four hours of notification of four incidents. Details for each incident were provided to FISD separate from this report. If incidents of the loss of PII are not reported in accordance with FISD’s policies, there is an increased risk that PII will be compromised. Recommendation 4 We recommend that FISD ensure that its Contractors strengthen their controls over incident reporting to ensure that incidents are reported in accordance with FISD’s “Loss or Compromise of Personally Identifiable Information” policy. FISD’s Response: FISD stated that documentation is available to support the two Kroll cases where FISD indicated that the Incident Response Team had been immediately notified and the reports were prepared within four hours. In addition, they state, “We do not disagree with the finding associated with the remaining two and FISD is in the process of re-writing its PII Policy to enhance this process which should be issued to all Federal and Contractor staff in March 2009.” OIG Comment: We reviewed documentation (i.e., incident report forms, email notifications, etc.) that FISD provided; however, the documentation was not sufficient to show that the Kroll Supervisor/Security Officer was immediately notified of the two incidents. The incident 10 reports/forms, email notifications, etc., did not document the time the incident was discovered by the investigator for one of the two Kroll incidents. As a result, we could not determine whether the OPM Situation Room was notified within 30 minutes of the investigator’s discovery of the PII incident. 2. Lack of Controls for FISD Incident Reporting FISD’s controls for reporting the loss or compromise of PII do not ensure that incidents are reported timely, in accordance with their “Loss or Compromise of Personally Identifiable Information” policy. We judgmentally selected 2 out of 11 incidents related to the loss of PII that were reported by FISD to OPM’s Situation Room between November 1, 2007 and March 31, 2008. We reviewed the incident files to determine whether FISD handled PII and reported incidents in accordance with FISD’s policies and procedures. At the time of our audit, FISD did not have a standardized reporting format to ensure that the protocols of their “Loss or Compromise of Personally Identifiable Information” policy are documented and completed in a timely manner. Specifically, we found that neither of the two incidents reviewed were reported by FISD employees to the OPM Situation Room within 30 minutes of discovery. In addition, one incident was not immediately reported by the Supervisor/Designee to the FISD Incident Response Team nor was the incident report sent to the FISD Incident Response Team within four hours of discovery, as required by the policies. Details of the incidents were provided to FISD separate from this report. FISD’s policy for the “Loss or Compromise of Personally Identifiable Information”, effective November 19, 2007, states that when an incident is detected by a FISD employee the following parties must be notified within 30 minutes, regardless of the time of day: • local police department if the information is lost due to a theft; • OPM’s Situation Room; and • immediate Supervisor/Designee. In addition, FISD’s policy states that the Supervisor/Designee must perform the following protocols when notified of an incident: • Immediately send an email, with all details known thus far, to the FISD Incident Response Team, and • Within four hours of notification, working with the employee, the Supervisor/Designee must prepare an incident report, document the timeline of events, and prepare an inventory of the case material potentially compromised. These documents must be sent to the second level supervisor and the FISD Incident Response Team. 11 If incidents are not reported timely, there is a delay in notifying the affected individuals of the situation and the options available to protect their identities from the possibility of theft. Recommendation 5 We recommend that FISD establish a standardized reporting format to ensure that incidents are documented and reported to the appropriate parties within the timeliness standards outlined in their “Loss or Compromise of Personally Identifiable Information” policy. FISD’s Response: FISD stated that “A standard format was established and issued to all FISD personnel….The form will be modified to specifically include Supervisor/Designee responsibilities to ensure that timeliness requirements are met. Anticipated completion date is February 28, 2009.” C. Investigative Case Notes 1. Lack of Controls for the Timely Return of Investigative Case Notes CACI and Kroll do not have controls in place to ensure that investigative case notes are returned to headquarters within two weeks, as required by their contract with FISD. Details regarding the case notes were provided to FISD separate from this report. We judgmentally selected 10 out of 28 cases that were closed by CACI as of April 24, 2008; 10 out of 209 cases that were closed by Kroll on February 27, 2008; and 10 out of an unknown number of cases that were closed by USIS as of February 29, 2008. We reviewed these case materials to determine if the related case notes were maintained at the Contractors’ headquarters and were returned within two weeks of the completion of each case. Upon completion of a background investigation (case), investigators transmit the closed case to FISD via the Personnel Investigations Processing System (PIPS). All case notes and documentation related to the closed case must be returned to their appropriate headquarters within two weeks after an investigation is completed. Both CACI and Kroll have methods of tracking cases when they are initially sent to investigators and when the case materials are returned to headquarters. For instance, CACI uses a log to track when cases are sent to investigators, when the closed cases are transmitted to FISD in PIPS, and the date that case notes are received by headquarters. Kroll uses a PIPS report to show when closed cases are transmitted to FISD. Kroll also documents the receipt of case notes at headquarters in Microsoft Access. Even though CACI and Kroll have methods of documenting when case notes are received by their headquarters, they are not tracking the number of days between the date the cases are transmitted in PIPS and the date the case notes are received at their respective headquarters. In addition, they do not have written policies and procedures in place that require the investigators to return case notes within the two weeks after an investigation is transmitted to FISD in PIPS. 12 FISD’s contract with CACI and Kroll states that “Within two weeks of a completed investigation, the Contractor shall be in possession of all investigator and investigative technician notes, case material sent to investigators and investigative technicians and all other investigative materials. … The material retained by the Contractor shall be located at the Contractor’s Program Management Office (PMO).” If case notes are not returned within two weeks, as required by the FISD contract, there is an increased risk that PII may be compromised, lost, or stolen. Recommendation 6 We recommend that FISD require CACI and Kroll to implement controls to ensure that the investigative case notes are returned to the Contractor’s PMO within two weeks of a completed investigation, as required by the FISD Contract. FISD’s Response: FISD concurs with this recommendation and stated that “Inspections will be completed beginning in the 2nd Quarter of FY09 to review Contractor note collection procedures and to determine if the documented procedures are being followed.” 2. Lack of Controls over the Return of Investigative Case Notes We judgmentally selected 10 out of 12,363 cases that were closed by FISD investigators between February 1 and February 29, 2008. We requested the case notes to determine if the notes were returned to and maintained at FISD headquarters. We concluded that FISD could not provide the case notes related to one case because the notes were destroyed prior to the three year retention period. We also noted that FISD does not have controls (i.e., a reconciliation process) in place to ensure that all case materials are returned once a case is closed in PIPS. FISD stated that the case notes related to the one case in our sample were destroyed prior to the three year retention period because the retention policy was not clearly understood by its employee(s). Upon completion of a background investigation, the investigator will close the case in PIPS. Investigative case notes related to the closed cases are manifested by the FISD field offices, boxed up, and shipped to FISD headquarters. A tracking number is assigned to each box containing closed case materials. The tracking numbers and manifests are transmitted to FISD headquarters, where the tracking numbers are compiled into a list and verified against the boxes that are received by FISD headquarters for the week to ensure that all notes that were manifested are accounted for. Once all tracking numbers have been verified as received, the list of tracking numbers is discarded. The case notes that are returned to FISD headquarters are maintained for a period of three years before they are destroyed. FISD’s policy issued on February 22, 2008 states that all original case notes must be maintained for a period of three years after the case is closed. 13 The Office of Management and Budget (OMB) Circular A-123 states that procedures may vary; however, there should be a clear, organized strategy with a well-defined documentation process that is auditable, verifiable, and defines a specific documentation retention period. OMB Circular A-123 also requires the development and maintenance of internal control activities that comply with standards such as control environment, risk assessment, and monitoring. Without specific guidance for tracking, returning, and maintaining case notes, there is an increased risk that PII will be compromised, lost, or stolen. Recommendation 7 We recommend that FISD ensure that its employees have a clear understanding of the destruction policy related to case notes and case materials, as required by OMB A-123. FISD’s Response: FISD stated, “Once we were informed of the need to maintain these for three years we put into procedures to maintain them and currently have procedures in place to return these case notes to Boyers for the three year retention. FISD is working with records retention specialists at [the General Accountability Office] GAO and [National Archives and Records Administration] NARA to get the language changed to allow retention for 30 days versus three years…. once this policy issue is resolved, reinforcing the rules throughout FISD would be a useful initiative so our plan is to include this topic in the annual PII training that all FISD staff will be receiving later this year.” OIG Comment: We reviewed FISD’s “OPM Record Retention Transport Guidelines,” which supports that FISD has implemented procedures to retain records such as handwritten investigative case notes, case papers, and releases with original signatures for three years, in accordance with FISD’s retention policy. Thus, OPM has taken appropriate action to address this recommendation and we consider the recommendation closed. Recommendation 8 We recommend that FISD implement internal controls for monitoring the return of case notes for investigations closed in PIPS, in compliance with OMB A-123. FISD’s Response: FISD stated that its “policy has been changed to require all case notes to be returned to Boyers for storage for the three year retention period…. FISD staff regularly conducts spot checks to ensure that case notes are being returned for closed cases.” 14 OIG Comment: We reviewed FISD’s “PII Accountability” Memo and determined that these procedures address the manifesting of case notes that are shipped between the field agents and field offices. However, the memo does not address procedures and/or controls to support that FISD has a process in place for monitoring the return of case notes for investigations closed in PIPS. For example, if an investigator closed 20 cases in PIPS during the week, there should be a process in place for the Special Agent-in-Charge or Supervisor to ensure they receive the case notes for those 20 closed cases. There should be some type of reconciliation between the cases closed in PIPS and the case notes they receive. In addition, FISD did not provide documentation to show that spot checks for case notes are being conducted. D. Telework 1. Lack of Controls for the Handling of PII While Employees Telework FISD does not have an adequate method of tracking the removal and return of background cases and related case materials while employees telework. Prior to November 19, 2007, FISD permitted its employees to participate in a Flexi- Place/Telework program, which included the removal of PII. The employees who participated in this program were required to sign Flexi-Place/Telework agreements prior to removing work from FISD facilities. They were also responsible for safeguarding government records from unauthorized disclosure or damage and returning cases and case-related materials the next scheduled work day or upon completion of the assignment based on an agreement with the supervisor. FISD suspended its Flexi-Place/Telework program on November 19, 2007. We randomly selected logs of the employees who teleworked from Boyers, Pennsylvania and Fort Meade, Maryland during the months of August and November 2007. We reviewed the telework documentation to determine if employees were adhering to their groups’ telework policies. Based on our review of FISD groups’ policies and procedures for logging PII in and out for telework, we determined that the following items were not consistently evident in the files we reviewed: • supervisory approval for removal of cases/case materials; • supervisory confirmation that the information removed was returned; and • a list of all case-related information that was removed or returned to the employee’s workplace. In addition, we found that some offices within FISD did not maintain a log for the employees that removed PII while teleworking. The Suitability Adjudication, Contract Adjudication Branch, and Case Management Group’s policies and procedures state that cases and case materials must be documented in a log. In addition, the log should document the employee’s initials to show receipt that they are in possession of the documentation prior to leaving the FISD facility; supervisory approval; and 15 acknowledgement by the supervisor that the cases and case-related materials were returned upon completion of the assignment. The Office of Management and Budget (OMB) Circular A-123 states that procedures may vary; however, there should be a clear, organized strategy with a well-defined documentation process that is auditable, verifiable, and defines a specific documentation retention period. OMB Circular A-123 also requires the development and maintenance of internal control activities that comply with standards such as control environment, risk assessment, and monitoring. OPM’s telework guide for the federal government states that managers are responsible for tracking the removal and return of potentially sensitive materials, such as personnel records and case materials. This would include the removal of PII. The lack of a FISD-wide telework policy to monitor the whereabouts of cases and case-related materials increases the risk of the loss, theft, or compromise of PII. Recommendation 9 We recommend that FISD develop internal controls to effectively monitor and document the removal and return of PII for telework. FISD’s Response: FISD concurs with this recommendation and stated, in reference to the suspension of telework and/or flexi-place for all FISD employees or contractors, that “In the event that this suspension is ever lifted, FISD will develop and put in place appropriate internal controls to ensure 100% accountability of any material removed from a FISD facility.” OIG Comment: FISD’s response suggests that internal controls will be developed after the suspension is lifted; however, our position is that the internal controls should be in place before the suspension can be lifted. 16 IV. MAJOR CONTRIBUTORS TO THIS REPORT Internal Audits Group Auditor Lead Auditor , Senior Team Leader Chief ________________________________________________________________________ 17 APPENDIX UNlTED STATES OFFICE OF PERSONNEL MANAGEMENT Washington, DC 20415 2009 JAN 30 PM 2: 59 Federal Investigative Services Division January 30, 2009 MEMORANDUM FOR FROM: KATHY L. ~ Associate Director DILLAMA~ L Chief, Internal Audits Group Office of the Inspector G.ene.ral I Federal Investigative S , .. Ices Division SUBJECT: Draft Report on the Audit of the Security of Personally Identifiable Infonnation in the FederaUnvestigative Services Division of the u.S. Office of Personnel Management (Report No. 4A-IS-OO-08-014) Summary of OPM Position We have reviewed your draft audit report on the Security of Personally Identifiable Infonnation (PH) in the Federal Investigative Services Division (FISD) of the U.S. Office of Personnel Management (Report No. 4A-IS-00-08-014) and are in agreement with many of the findings and recommendations identified in the report. We recognize that even the most well run programs can benefit from an external evaluation and we appreciate the input of the Office of the Inspector General as we continue to work to enhance our security measures for protecting PII. Specific responses'to your recommendations are provided below. Respnnse to Recommendations FINDING # AI: No Security Awareness Training for New Hires CAel and Kroll do not provide OPM IT Security Awareness Training to new employees within 30 days oftheir initial hiring. We judgmentally selected 5 oul of 32 CAel employees hired during the month ofDecember 2007; 5 out of50 Kroll employees hired between October 1,2006 and September 30,2007; and 5 out of 56 lJSIS employees hired between October 1, 2006 and September 30, 2007 to determine if/hey completed the IT Security Awareness Training within 30 days ofinitial hiring. The results ofour review disclosed that the CACI and Kroll employees did not complete the training, as required by the FISD contract. CAe] and Kroll stated that they provide the OPM IT Security Awareness Training on an annual basis when the OPM ]T security staffprovides them with the training materials. New WlYw.opm.goY Our mission is to ensure the Federal Government has an effective civilian workforce www.usajobs.go~ investigators receive IT Security Awareness Training in the New Investigator Training and therefore, they do notfeel that it is necessary to provide a separate IT Security Awareness Trainingfor the new hires. OPM's Information Security and Privacy Policy, dated September 2007, Section A. 2. 9.2, states that "All OPM employees and contractors accessing OPM information resources will attend ·information security and privacy awareness training before being granted access to OPM information resources. .. The FISD contract states that "OPM information technology [IT} security staffwill approve the training materials andfollow up with contractor's to ensure timely completion aPM will require a memorandum that initial IT Security Awareness Training has been completed within thirty (30) days ofinitial hiring ofa new employee. Subsequently, the contractor shall provide, on an annual basis (on the anniversary date ofthe award ofthe contract), a memorandum indicating that refresher IT Security Awareness training has been completed. .. As a result ofnot providing new employees with OPM's IT Security Awareness Training. there is an increased risk that new employees will not be aware oftheir responsibilities in dealing with PII and sensitive information, etc. and information that is accessed through OPM's systems may be compromised. RECOMMENDATION 1: We recommend that FISD require CAeI and Kroll to provide the OPM IT Security Awareness Training to all of their new employees within 30 days of their initial hire date, and document completion of this training by issuing a memorandum to OPM, as required by their contract. MANAGEMENT RESPONSE: CONCURRENCE. Kroll and CAeI are submitting monthly reports to identify new hires and separations. The Field Investigations Oversight Branch (FIOB) is copied on these reports. These reports include clarification that the new hires have received security awareness training within 30 days of hire indicated either by a checkmark or an overall statement within the report. Samples ofthese reports as well as completion certificates were provided previously to the audit team. RECOMMENDATION 2: We recommend that FISD require CAeI and Kroll to provide monthly management reports that list the names of new employees that have been hired during that period. FISD should utilize these reports, along with the training completion memoranda provided by CACI and Kroll, to ensure that new employees and sub-contractors are being trained prior to being granted access to OPM systems, as required by OPM's Information Security and Privacy Policy_ MANAGEMENT RESPONSE: CONCURRENCE. Effective February 1,2009, FISD will require all contractors to include the respective oversight team on the monthly submission identifying all new hires that have completed security awareness training. Each oversight team will receive the list that shows completion of the training has occurred within the first 30 days of hire. Electronic copies of the certificates that are issued after the course completion will also be 2 required. The list of new hires will be reconciled against the certificates received to confirm 100% compliance with the required training. FINDING A2: No Security Awareness Training for New Hires FISD did not require Goodwill employees to be trained on the collection ofbins, observation of the shredding process, and safeguarding of Pll In addition, we could not determine whether Iron Mountain (1M) employees, responsible for handling the bins, have received appropriate training. On a daily basis, the full bins, which are located throughout FISD headquarters, are moved to and stored in the Goodwill area until they are transported to the Iron Mountain (1M) facility where the documents containing PIl wil/.be shredded 1M is responsible for retrieving the full bins from the Goodwill area and transporting them 10 its facility. During transport, Goodwill employees ensure that the 1M truck and the bins are not compromised. Upon arrival at the 1M facility, 1M employees unload the bins from the truck; unlock the bins; and empty the bins, which contain documents including PI!, for shredding. 1M employees shred the documentation and return the empty bins to the Goodwill area at FISD headquarters. Goodwill employees supervise the unloading and shredding ofthe PII materials at Ihe IMfacility. Goodwill is also responsible for ensuring that its employees receive training related to the collecting, transporting, and storing ofthe bins andfor observing the shredding ofPII FISD does not have controls in place to ensure that its contractors are appropriately training employees on the collection and observation ofthe shredding process, including the handling of PII. OPM's contract with Goodwill Industries ofPittsburgh, Section 2.10.4, Shredding Container Collection, states that the "Contractor shall ensure that employees responsible for shredding container collection have had the appropriate training. " Appropriate training would include Goqdwil/ 's responsibilities for the collection ofbins and the observation ofthe shredding process and all PII related responsibilities, as instructed by the Director o/OPM By not training all personnel involved with the container collection and shredding process may lead to the compromise, loss, and/or theft ofPI/. RECOMMENDATION 3: We recommend that FISD implement internal control procedures to ensure that Goodwill and 1M provide training to employees for the collection, transportation, and destruction of documents, including PII. Internal controls should include a requirement for contractors to provide documentation to FISD to support the completion of training. MANAGEMENT RESPONSE: CONCURRENCE. The FISD Security and Safety Team that has been working with Iron Mountain to complete the training and all affected employees completed training by January 21,2009. The Federal presence that has been in place until the training is complete ceased as of that date. 3 FINDING 81: Lack of Controls for Contractor Incident Reporting The Contractors did not report the loss ofP II in accordance with FISD's "Loss or Compromise ofPersonally Identifiable Information" policy. We judgmentally selected incidents related to the loss ofPII that were reported to OPM's Situation Room between November I, 2007 and AprillB, 200B. We selected the three incidents reported by CAeI; the seven incidents reported by Kroll; andjive out ofthirteen USIS incidents for review. We reviewed the incident files to determine whether the Contractors handled PIland reported incidents in accordance with FISD 's policies and procedures. The Contractors' controls are not effective to ensure that incidents are being reported properly and timely, in accordance with PII policies. Specifically, we found that: • Six incidents were not reported to the OPM Situation Room within 30 minutes of the incident being discovered; • Five incidents were not reported to the supervisor/designee within 30 minutes of the incident being discovered; • FISD's Incident Response Team was not immediately notified ofthree incidents; and • Four incident reports were nOl issued to FISD withinfour hours. In addition, there was a lack ofdocumentation to determine whether: • The OPM Situation Room was notified ofone incident within 30 minutes after detection ofthe potential loss ofPII; • The supervisor/designee was notified ofthree incidents within 30 minutes after detection ofthe potential loss ofPII; • The employee's second level supervisor and the FISD Incident Response Team were immediately notified offour incidents; and • Incident reports, documenting the timeline ofevents, and an inventory ofthe case materials potentially compromised, was prepared within four hours ofnotification ofsix incidents. Details for each incident were provided to FISD separate from this report. FISD 's policyfor the "Loss or Compromise ofPersonally Identifiable Information ", effective November 19, 2007, states that when an incident is detected the following parties must be notified within 30 minutes, regardless ofthe time ofday: • local police department if the information is lost due to a theft; • OPM's Situation Room; and • immediate Supervisor/Designee. In addition, the FISD policy states that the supervisor or designee must perform the following steps when notified ofan incident: 4 • Immediately send an email, with all details known thus far, to the employee's second level supervisor and the FISD Incident Response Team and • Withinfour hours o/notification, working with the employee, the supervisor or designee must prepare an incident report, document the time line ofevents, and prepare an inventory ofthe case material potentially compromised. These documents must be sent to the second level supervisor and the FISD Incident Response Team. If incidents ofthe loss ofPII are not reported in accordance with FISD 's policies, there is an increased risk that PII will be compromised. RECOMMENDATION 4: We recommend that FISD ensure that its Contractors strengthen their controls over incident' reporting to ensure that incidents are reported in accordance with FISD's "Loss or Compromise of Personally Identifiable Information" policy. MANAGEMENT RESPONSE: PARTIAL CONCURRENCE. FISD was able to locate the necessary documentation to support the conclusion that the two Kroll cases identified where FISD indicated that the Incident Response team had been immediately notified and that reports were prepared within 4 hours. These documents are available for review by the Audit Team. We do not disagree with the finding associated with the remaining two and FISD is in the process of re-writing its PH Policy to· enhance this process which should be issued to all Federal and Contractor staff in March 2009. FINDING B2: Lack of Controls for FISD Incident Reporting FISD's controls for reporting the loss or compromise ofPII do not ensure that incidents are report'ed timely, in accordance with their Loss or Compromise ofPII policy. We judgmentally selected 2 out of11 incidents related to the loss ofPll that were reported by FISD to OPM's Situation Room between November 1,2007 and March 31,2008. We reviewed the incident files to determine whether FISD handled Pll and reported incidents in accordance with FISD 's policies and procedures. FISD does not have a standardized reporting/ormat to ensure that the protocols oftheir "Loss or Compromise ofPI!" policy are documented and completed in a timely manner. Specifically, we found that neither ofthe two incidents reviewed were reported by FISD employees to the OPM Situation Room within 30 minutes ofdiscovery. In addition, one incident wasnot immediately reported by the Supervisor/Designee to the FISD Incident Response Team nor was the incident report sent to the FISD Incident Response Team withinfour hours of discovery, as required by the policies. Details ojthe incidents were provided to FISD separate from this report. 5 FISD 's policy for the "Loss or Compromise ofPersonally Identifiable Information ", effective November 19, 2007, states that when an incident is detected by a FISD employee the following parties must be notified within 30 minutes, regardless ofthe time ofday- • local police department if the information is lost due to a theft; • OPM's Situation Room,- and • immediate Supervisor/Designee. In addition, FISD 's policy states that the Supervisor/Designee must perform the following protocols when notified ofan incident: • Immediately send an email, with all details known thus far, to the FISD Incident Response Team, and • Within four hours ofnotification, working with the employee, the· Supervisor/Designee must prepare an incident report, document the timeline of events, and prepare an inventory ofthe case material potentially compromised. These documents must be sent to the second level supervisor and the FISD . InCident Response Team. Jfincidents are not reported limely, there is a delay in notifying the affected individuals ofthe situation and the options available to protect their identities from the possibility oftheft- RECOMMENDATION 5: We reconunend that FISD establish a standardized reporting format to ensure that incidents are documented and reported to the appropriate parties within the timeliness standards outlined in their Loss and Compromise of PII policy. MANAGEMENT RESPONSE: PARTIAL CONCURRENCE. A standard format was established and issued to all FISD personnel. It has been updated once since its initial issue. The form will be modified to specifically include Supervisor/Designee responsibilities to ensure that timeliness requirements are met. Anticipated completion date is February 28, 2009. FINDING Cl: Lack of Controls for the Timely Return of Investigative Case Notes CAeI and Kroll do not have controls in place to ensure that investigative case notes are returned to headquarters within two weeks, as required by their contract with FISD. DELETED BY DIG - NOT RELEVANT TO THE REPORT . Details regarding the cases were provided Lo FISD separate from this report. We judgmentally selected 10 oul of 28 closed cases thai were tracked by CAC! as ofApril 24, 2008; 10 out of209 cases that were closed by Kroll on February 27, 2008; and 10 oul ofan unknown number ofcases that were closed by USIS as ofFebruary 29, 2008. We reviewed these case files to determine if the relaled cases notes were mainlained at Ihe Contractors' / headquarters and were returned within twa weeks ofthe completion ofeach case. 6 Upon completion ofa background investigation (case), investigators transmil the closed case to FISD via the Personnel Investigations Processing Systems (PIPS). All case notes and documentation related to the closed case must be returned to their appropriate headquarters within two weeks after an investigation is completed. Both CAC! and Kroll have methods of tracking cases when they are initially sent 10 investigators and when the cases are returned to headquarters. For instance, CACI uses a log to track when cases are sent to investigators, when the closed cases are transmitted to FISDin PIPS, and the date that case notes are received by headquarters. Kroll uses a PIPS report to show when closed cases are transmitted to FISD. Kroll also documents the receipt ofcase notes at headquarters in Microsoft Access. Even though CACI and Kroll have methods ofdocumenting when case notes are received by their headquarters they are not tracking the number ofdays between the date the cases are transmitted in PIPS and the date the case notes are received at their respective headquarters. In addition, they do not have written policies and procedures in place that require the investigators to return case notes within the two weeks after an investigation is transmitted to FISD in PIPS. FISD's contract with CAeI and Kroll states that "within two weeks ofa completed investigation, the Contractor shall be in possession ofall investigator and investigative technician notes, case material sent to investigators and investigative technicians, and all other investigative materials. ... The material retained by the Contractor shall be located at the Contractor's Program Management Office (PMO). " If case notes are not returned within two weeks, as required by the FISD contract, there is an increased risk that PII may be compromised, lost, or stolen. RECOMMENDATION 6: We reconunend that FISD require CACI and Kroll to implement controls to ensure that the i~vestigative case notes are returned to the Contractor's PMO within two weeks of a completed investigation, as required by the FISD Contract. MANAGEMENT RESPONSE: CONCURRENCE. Inspections will be completed beginning in the 2nd Quarter of FY09 to review Contractor note collection procedures and to determine if the documented procedures are being followed. Inspection locations will be selected on a random basis. In the event that a specific region is identified as having a high incident rate of reported PH loss or compromise, that region will be specifically targeted for inspection. RECOMMENDATION 7: DELETED BY DIG - NOT RELEVANT TO THE REPORT 7 DELETED BY OIG -NOT RELEVANT TO THE REPORT FINDING C2: Lack of Coo trois over the Return of Investigative Case Notes We judgmentally selected 10 auf of 12, 363 cases that were closed by FISD investigators between February J and February 29, 200B- We requested the case notes 10 determine if the notes were returned to and maintained at FISD headquarters. We concluded that FISD could not provide the case notes related to one case because the notes were destroyed prior to the three year retention period We also noted that FISD does not have controls (i.e. a reconciliation process) in place to ensure that all closed cases are returned once a case is closed in PIPS. FISD slaled that the case notes related to the one case in our sample 8 were destroyed prior to the three year retention period because the retention policy was not clearly understood by its employee(s). Upon completion 0/ a background investigation, the investigator will close the case in PIPS. Investigative case notes related to the closed cases are manifested by the FISD field offices, boxed up, and shipped to FISD headquarters. A tracking number is assigned to each box of closed cases. The tracking numbers and manifests are transmitted to FISD headquarters where the tracking numbers are compiled into a list and verified against the boxes that.are received by FISD headquarters/or the week to ensure that all notes that were manifested are accountedfor. Once all tracking numbers have been verified as received, the list oftracking numbers is discarded. The case notes that are returned to FISD headquarters are maintained for a period ofthree years before they are destroyed. FISD 's policy issued on February 22, 2008 states that all original case notes must be maintained for a period ofthree years after the case is closed. The Office ofManagement and Budget (OME) Circular A-123 states that procedures may vary; however, there should be a clear, organized method with a well-defined documentation process that is auditable, verifiable, and defines a specific documentation retention period. OMB Circular A-i23 also requires the development and maintenance o/internal control activities that comply with standards such as control environment, risk assessment, and monitoring. Without specific guidance for tracking, returning and maintaining case notes, there is an increased risk that PII will be compromised, 10SI, or stolen. RECOMMENDATION 8: We!~commend that FISD ensure that its employees have a clear understanding of the destruction policy related to case notes and case materials, as required by OMB A-123. MANAGEMENT RESPONSE: PARTIAL CONCURRENCE. While it is true the notes were destroyed prior to the three year period, at that time notes could be destroyed 30 days after the case was closed. There had been a misinterpretation of FISD's records schedule, resulting in guidance to destroy notes in 30 days after case closing. When a revised scheduled was submitted to NARA, they brought to our attention that we could not destroy original notes in less than 3 years unless we obtain GAO approval to do so. Once we were infonned of the need t<? maintain these for three years we put into procedures to maintain them and currently have procedures in place to return these case notes to Boyers for the three year retention. FISD is working with records retention specialists at GAO and NARA to get the language changed to allow retention for 30 days versus three years. However, FISD does not dispute the fact that once this policy issue is resolved, reinforcing the rules throughout FISD would be a useful initiative so our plan is to include this topic in the annual PH training that all FISD staff will be receiving later this year. 9 RECOMMENDATION 9: We recommend that FISD implement internal controls for monitoring the return of case notes for investigations closed in PIPS, in compliance with OMB A-123. MANAGEMENT RESPONSE: PARTIAL CONCURRENCE. FISD policy has been changed to require all case notes to be returned to Boyers for storage for the three year retention period. This policy has been shared with all field elements and we are confident that in the overwhelming majority of cases this policy is being followed. FISD staff regularly conducts spot checks to ensure that case notes are being returned for closed cases. RECOMMENDATION 10: We recommend that FISD develop internal controls to effectively monitor and document the removal and return of PH for telework . . MANAGEMENT RESPONSE: CONCURRENCE. The Associate Director, FISD suspended all telework and/or flex i-place for all FISD employees or contractors effective November 19,2007. In the event that this suspension is ever lifted, FISD will develop and put in place appropriate internal controls to ensure 100% accountability of any material removed from a FISD facility. . . Please contact me if you have any~ require any additional information. I have instructed my lead for this effort,~ to keep your office undated as corrective actions are completed. cc: David Cushing, Deputy CFO 10
Audit of the Security of Personally Identifiable Information in the Federal Investigative Services Division of the U.S. Office Of Personnel Management
Published by the Office of Personnel Management, Office of Inspector General on 2009-04-21.
Below is a raw (and likely hideous) rendition of the original report. (PDF)