Lowest Possible Score for TSP Security Audit

by | Mar 5, 2018

Last Updated November 8, 2022

audit

The agency that administers the Thrift Savings Plan, the Federal Retirement Thrift Investment Board, received the lowest of 5 possible scores on a recent audit to determine its compliance with federal information security standards.

The consulting firm, Williams Adley, sent auditors who examined the information security program at the FRTIB under the Federal Information Security Modernization Act. The agency scored a Level 1 in accordance with the law’s fiscal 2017 inspector general reporting metrics out of 5, in the first annual study of FRTIB’s policies.

Auditors found some of the IT policies “ad hoc” in nature, despite FRTIB starting several initiatives to upgrade its IT infrastructure and cyber security recently. In comparison, an effective information security program scored at Level 4, which includes the collection of “quantitative and qualitative measures on the effectiveness of policies, procedures, and strategy” at an agency and assessment for needed changes.

“FRTIB has not fully developed and implemented an effective organization-wide information security program,” the auditors said. “Williams Adley identified a number of control deficiencies related to people, process, and technology across all 7 IG FISMA metric domains.”

However, officials at FRTIB explained their poor scoring. For a policy to be considered toward improving an agency’s FISMA score, it must be in place for an entire fiscal year. Otherwise, any changes to their information security policies made after September 30, 2016, wouldn’t be considered in the audit.

TSP Executive Director Ravindra Deo echoed this saying, “Any change needs to be operating for the entire year to show up in the score.”

Auditors listed many factors leading to the “ad hoc” scoring, including a “control-driven” or reactionary information security process, inadequately defined responsibilities and “inappropriate” oversight between FRTIB and its contractors, and efforts that focus on symptoms or problems, rather than root causes.

The audit recommended FRTIB “clearly define an organization-wide risk-based information security program” and also reevaluate its governance structure to ensure better oversight and monitoring of information security issues.

The agency said they are moving forward with plans to implement these recommendations.

Message us & find out if you qualify today!

  • This field is for validation purposes and should be left unchanged.

Recent Articles

When and How You’ll Get Your Federal Disability Retirement Payments

If your health has taken an unexpected turn and you’re facing a disabling medical condition, the last thing you should be worried about is how to make ends meet. But that’s the reality for many federal employees struggling with a medical condition. If the fear of...

Federal Employee Resources

Our ever growing library of federal employee resources give you the knowledge you need to make smart choices about your future.

FAQs

Frequently Asked Questions

Get the answers you need on-demand, from a team of federal employee benefits professionals.

View FAQ
Webinars

Federal Benefit Webinars

Twice per month we host webinars to help federal employees better understand their benefits and answer their questions LIVE.

See Webinar Schedule
Guides

Benefit Guides

From guides to detailed charts, these educational resources will help clarify confusing federal employee benefits topics.

See our resources