Labor auditors concerned about TSP computer security
Officials pledge to continue working on protecting the retirement plan’s electronic records.
Thrift Savings Plan officials on Monday pledged to develop “more robust” computer security controls after a recent Labor Department audit found the board overseeing the retirement program did not completely consider prior recommendations for improvements.
The audit revealed “security and privacy risks that might exist in this large system,” said Ian Dingwall, a Labor chief accountant.
Auditors are concerned about the risk of unauthorized access to the TSP online network, Dingwall said.
The Labor Department, which contracts with outside companies such as KPMG to audit various TSP operations, conducted its last full assessment of the 401(k)-type retirement savings plan's computer access and security controls in 2008. That audit recommended that the Federal Retirement Thrift Investment Board focus on security and privacy risk assessments and develop formal corrective action plans, as well as examine the authentication of TSP participants using the website.
The latest audit assessed progress on those recommendations in fiscal 2009 and none was fully implemented. Dingwall attributed some of the board’s failure to fully examine computer security issues to other priorities, such as its work on the new Roth plan, which will be available to federal employees this spring.
A review covering fiscal 2011 computer access and security controls was postponed; the previous recommendations remain open for fiscal 2012.
Additional audits showed positive results for TSP in other areas, such as compliance with the 1986 Federal Employees Retirement System Act, which established the rules governing federal employees retirement benefits after the plan was created; processes for withdrawals; and annuities procedures.
“We hear you,” TSP Executive Director Gregory Long told Labor representatives Monday. “I think we are going to be to be a little bit more open to hear what these challenges are and working with your colleagues to address some of these concerns.”
Long said the board also was having information technology auditors look into the issue and was in the process of identifying and appointing a chief information security officer.
“If that increase in manpower is insufficient I will be going to the board to seek additional resources,” Long said.