IG urges SSA to keep better track of software employees download

Agency must strengthen its policies to prevent workers from installing unauthorized programs susceptible to malware, watchdog finds.

The Social Security Administration must do a better job of monitoring software employees install on computers to cut down on malware incidents, according to a report from the agency's inspector general.

SSA employees and contractors are allowed to download only software the agency has approved or developed in-house. If other software is "critical to an SSA function and there is no comparable agency software solution," then employees must receive a written waiver from their security officer.

But workers do not always comply with the rules, SSA Inspector General Patrick O'Carroll found in the report.

SSA had nearly 200 malware incidents from Oct. 30, 2009, to Sept. 21, 2010, investigators said. Typically malware is delivered through e-mail, but in seven cases the IG reviewed, employees allowed malware onto their computers when they downloaded unauthorized software without obtaining a waiver.

O'Carroll noted nonstandard software could infect the agency's operating system, hijack computer programs, and possibly extract personal information to be used for identity theft.

The IG suggested the agency improve its software approval process by running all software by managers in a central location such as the Office of the Chief Information Officer before local managers OK it. Auditors also recommended SSA remind employees of policies on downloading software.

And they advised disciplining employees in some cases. SSA did not take any documented action against the employees who unintentionally installed the nonstandard software in the seven incidents analyzed, the IG said.

SSA Executive Counselor to the Commissioner James A. Winn agreed with all the IG's suggestions. He noted progress, including restructuring the CIO's office to add an electronic information exchange unit and issuing a July 2010 reminder to employees that installation and use of unauthorized software is prohibited.

"We will reevaluate our current policies and procedures for approving and monitoring software usage," Winn wrote in a response to the report. "We will also assess our current technical capabilities and identify any technology gaps."