Bureau of Labor Statistics' IT unit redoubles site protection, security

Bureau of Labor Statistics' IT unit redoubles site protection, security

By Shruti Dat'

GCN Staff

The Bureau of Labor Statistics Office of Technology and Survey Processing is implementing a series of corrective measures to deter Web site intrusions and other information technology mishaps.

Three incidents triggered a Labor Department Office of Inspector General's examination of OTSP. Details are in a report published last month, BLS Information Technology, Survey Processing and Administrative Controls Must Be Improved.

Last Nov. 4, BLS accidentally posted the October 1998 employment data, which was scheduled for release two days later.

Inconsistent security policies then led to the posting on Jan. 12 of the Producer Price Index one day ahead of time, the IG reported.

'People doing the processing were not as knowledgeable, in hindsight, as they needed to be,' said Tom Zuromskis, BLS director of technology computing services. 'We've taken away their ability to post data directly.'

Then, on Jan. 22, a computer hacker defaced the bureau's Web page, which was designed with Microsoft FrontPage.

'BLS had installed the product according to the defaults and had not enabled all security features. This oversight allowed the hacker to deface the Web page,' the IG reported.

The IG's report identified internal control deficiencies in Web site operations, mainframe access security, application and system software testing and protection, and LAN infrastructure.

The IG pointed out the Web site hacking occurred due to inadequate internal control structures in OTSP's Labor Statistics Group, which is responsible for posting news releases and related data to the BLS public Web site. The report noted five other problems:

• Timely training was not provided when new processes were implemented.

• Application software development and change control procedures were inadequate.

• System software and application programs were being tested simultaneously in the same environment.

• The Labor Statistics Group lacked formal lines of communication and definition of responsibilities.

• Staff members outside the Labor Statistics Group posted information to the Web site.

Zuromskis said the bureau is taking three steps to rectify the problem: rebuilding the server, tapping the expertise of the National Security Agency, and beefing up the amount of time and effort it puts into staying on top of new vulnerabilities.

In February, NSA began a security review of the BLS Web site. The NSA tests, which revealed high-risk vulnerabilities, have been incorporated into the IG report.

BLS will also conduct more auditing and reviews of its contractor, SunGard Computer Services of Voorhees, N.J., Zuromskis said. The IG reported access control deficiencies in tape cartridge security at SunGard for BLS information.

The IG also reported BLS did not categorize personnel appropriately according to who had access to sensitive data.

'We've gone through every office and had everyone categorized'employees and federal contractors'and folks in our office administration are mapping person-to-person sensitivity classifications across the agency,' Zuromskis said.

He said that BLS has also implemented a multilevel review before posting information on the Web site.

The information is created by the program officers and passed to the Office of Publications and Special Studies. Next, an IT quality control group responsible for the contents of the Web site looks it over. Then, systems administrators responsible for the infrastructure of the Web site post the information.

BLS is also installing more firewalls, intrusion detection software and public-key infrastructure technology; moving from shared hubs to a fully switched-network environment; and incorporating training in internal IT operations, Zuromskis said.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.