Generally, we found that SSA was in compliance with OMB Circular
A-130 and the provisions of the Privacy Act of 1974 relating to
security and confidentiality of records used for back-up and recovery
procedures. However, further improvements are needed to strengthen
SSA's overall back-up and recovery planning process. BRP only
addresses SSA's short term outage (42 days) requirements. SSA
has not planned for a long-term outage, nor set goals for the level
of data processing service they want to provide. This information
is important for determining the hardware requirements and their
availability. Also, to minimize erroneous payments and improve
efficiency, SSA should reconsider processing death notices as a
critical workload. Furthermore, we observed the cabinets for transporting
the back-up tapes to OSSF were not always locked and a lock has
not been installed on the door of the tape vault at OSSF to prevent
unauthorized access. Finally, SSA has not been verifying the contractor's
compliance with requirements in its tape transportation contract.
BRP Only Addresses Short Term Requirements
The BRP document only addresses a short term solution to SSA's
back-up and recovery needs. The short term solution is to process
only SSA's critical workloads at a commercial back-up facility.
The critical workloads represent about 20 percent of SSA's
total workloads and SSA has contracted with COMDISCO to provide
the back-up services. The contract permits SSA to use COMDISCO's
computer equipment for up to 42 days. After that, COMDISCO would
provide a room for up to 180 days with a raised floor, power, and
other supplies necessary for installing computer equipment supplied
by SSA. This arrangement is referred to as a "shell site."
However, in the event of a long-term outage, which we have
defined as greater than 42 days, we found no evidence of long-term
planning by SSA's senior management for what level of data
processing service they expect to provide and a goal for when SSA
should be fully operational again. The expected level of data processing
service will drive the computer hardware requirements needed for
the "shell site." Without the setting of service level
goals by senior management, adequate planning cannot take place
for the acquisition, installation, and operation of computer equipment
necessary to meet management's objectives.
SSA should have a plan for phasing in more service and have
a stated goal for when senior management would like to have data
processing services fully restored. A work group should then be
established to determine if hardware could be acquired, installed
and made operational in time to meet the service level goal. This
information should be documented in the BRP.
Death Notices Are Not Considered A Critical Workload
Because there will only be a limited number of terminals
available (20 percent of existing terminals) in the event of a
disaster, SSA, through its BRP, has identified the critical workloads
it would process. SSA made a decision to process only those events
that are favorable to the beneficiary. Examples of these events
include placing an individual in pay status, changing address information,
or increasing a benefit amount. However, SSA did not consider the
costs and benefits (such as trust fund savings and work load savings)
of considering death terminations a critical event. As a result,
the processing of death notices, which would remove beneficiaries
from payment status, would not be processed. We believe SSA should
reconsider processing death notices as a critical workload because
of the negative impact it would have on future SSA workloads and
risk of wasting program finances if death notices were not processed
in a timely manner.
Currently, over 156,000 beneficiaries are terminated monthly
because of death. In a disaster situation, if death notices were
not processed timely, SSA would be issuing over $105 million monthly
to ineligible beneficiaries. Once full data processing services
have been restored, SSA would then have to generate recovery notices.
The recovery notices would create an enormous workload for follow-up
and in some cases, the erroneous payments would not be recovered.
In making another comparison, it is currently costing SSA
$29,500 a month for the right to use COMDISCO's computers to
process all of SSA's critical workloads. The addition of one
more workload item, death notices, to the critical workload list
should not significantly increase the total cost of the back-up
contract. We believe this additional cost is a modest amount when
compared to the potential loss to the trust funds of $105 million
a month, and the additional operating expense SSA would incur for
processing a large recovery workload, if death notices were not
While we generally agree with SSA`s policy for identifying
critical workloads, we also believe that SSA should reevaluate
its decision of not processing death notices as a critical workload.
A cost/benefit analysis should be performed to determine the feasibility
of processing death notices as a critical workload. This analysis
should weigh the possible additional cost to SSA, if any, against
the benefit of preventing uncollectible losses to the trust funds
and eliminating large recovery workloads.
Clear Policy For FOs To Follow For Walk-In Clients
BRP does not contain a clear policy on how the field/district
offices are to handle walk-in clients while the "system" is
being brought up at the back-up facility. The goal for SSA is to
be operational within 72 hours of the Commissioner declaring
a disaster. For the first 72 hours or so, the FOs will not
be able to get on-line to help walk-in clients. BRP does not specifically
state how the FOs are expected to treat these walk-in clients.
With SSA having over 1,300 FOs and not having a stated policy,
there may be an inconsistency in the level of service provided
to walk-in clients during the first 72 hours. Several scenarios
may occur. Some FOs may try to take all the information on paper
necessary for processing a claim at a later time for when the processing
capability is restored. Other FOs may take certain client information
such as name, address, Social Security number, telephone number,
and reason for visit, then recontact the client when processing
capability is restored. Other FOs may not take any information
and tell the walk-in client to recontact the office in a few days.
SSA should incorporate within BRP a clear policy on what
information the FOs are to take from walk-in clients while processing
capability is being restored at the back-up facility. A clear policy
will help eliminate the confusion and inconsistency in the level
of service provided to the client.
Cabinets Containing The Back-Up Tapes For OSSF Were Observed Unlocked
NCC ships daily to the MW building (OCRO) the back-up tapes
from the previous day's updates. MW serves as an interim storage
site, where twice weekly the tapes are shipped from MW to the permanent
OSSF located in Boyers, Pennsylvania.
On May 1, 1996 we reviewed the tape receiving and handling
procedures at the MW building. We found that on several occasions,
unlocked tape cabinets had been shipped to the MW building by
Office of Systems (OS) personnel at NCC. We determined that the
unlocked cabinets were caused by the failure of OS personnel to
follow established procedures and by supervisors not verifying
procedures were followed. An unlocked tape cabinet permits unauthorized
disclosure to the casual or curious observer. Therefore, SSA is
not in full compliance with provisions of the Privacy Act of 1974
which apply to security and confidentiality of records used in
back-up and recovery procedures. The Privacy Act of 1974 requires
SSA to "establish appropriate administrative, technical, and
physical safeguards to insure the security and confidentiality
of records and to protect against any anticipated threats or hazards
to the security or integrity which could result in substantial
harm, embarrassment, inconvenience, or unfairness to any individual
on whom information is maintained."
Management should remind OS personnel of the importance of
locking the cabinets before transporting the back-up tapes to OSSF.
Supervisors at NCC should verify that the cabinets are locked before
transporting the back-up tapes.
Entrance To The Back-Up Tape Vault At OSSF Did Not Have A Lock To Prevent Unauthorized Access
Physical security over the back-up tape vault at OSSF is
not effectively maintained because the entrance to the back-up
tape vault does not have a lock to prevent unauthorized access.
SSA has about 78,500 square feet of storage space at OSSF, including
about 6,250 square feet for the back-up tape vault. Currently,
35 people from OCRO permanently work at OSSF, including 10 people
with authorized access to the tape vault room. The remaining OCRO
personnel handle requests for information to be retrieved or work
the SS-5 process which is a processing request for Social Security
cards that come directly by mail from district offices.
The back-up tapes are delivered by the transportation contractor
to OSSF late (10:00 p.m. to 12:00 p.m.) on Mondays and Thursdays.
The truck stays in the secured OSSF truck corral until the next
morning when the back-up tapes are delivered to OCRO's back
door. Once received, OCRO personnel verify that the shipment of
tapes has the proper sequence number and the cargo seal has not
been broken. OCRO personnel use a fork lift to remove the tape
cabinets since the truck does not have a gate lift and OCRO does
not have a loading dock. The tape cabinets are placed in a staging
area inside OCRO's secured space but outside the tape vault
room. The cabinets are unlocked (same key for all cabinets) and
loaded onto smaller carts of about 50 tapes in order to get through
the air lock at the entrance into the tape vault room. The cabinets
will not fit through the air lock.
The entrance of the air lock did not have a cipher lock to
prevent unauthorized access by OCRO personnel into the tape vault
area. The lack of a physical security device permits easy access
for the back-up tapes to be stolen or destroyed. If any of the
tapes were stolen or destroyed and a disaster were declared at
the NCC, it could result in a permanent loss of critical beneficiary
data to SSA.
We were told that only 10 people--the office manager, the
6 technicians who work in the tape vault, the janitor, and two
mechanical maintenance people--are allowed in the tape vault. However,
we found there was nothing to prevent the other 25 OCRO personnel
in the immediate area from entering the tape vault. In 1990, major
improvements were made in the tape vault room to reduce air dust
that could cause tape damage. The OSSF vendor installed a suspended
metal ceiling, a vinyl tile floor and an air lock entrance, but
did not replace the lock. We believe that it was an oversight that
a cipher lock was not installed on the new air lock entrance.
SSA should install a lock on the tape vault door at OSSF
to prevent unauthorized access by OCRO personnel and to comply
with the confidentiality provisions of the Privacy Act of 1974.
Requirements In The Contract For Transporting Back-Up Tapes Are Not Being Verified
SSA has contracted with National Underground Storage (NUS)
to transport its back-up tapes from the MW building in Baltimore,
Maryland to the OSSF in Boyers, Pennsylvania. We found that SSA
is not verifying all the requirements in the contract with NUS
and consequently, is not in compliance with provisions of the Privacy
Act of 1974 which apply to security and confidentiality of records.
We categorized the requirements into four task groups:
In the task one group, we identified those tasks which require
NUS to provide physical security over the tapes. Examples of tasks
would include: the truck must have a working alarm system, the
transport area must have a device to securely hold the carts/boxes
in place during transportation, and the truck must be telephone
equipped. Through our observations and interviews, we were satisfied
that these requirements were being met.
In the task two group, we identified those tasks which require
NUS to provide environmental security over the tapes. The transportation
contract requires NUS to maintain in the cargo area, at all times,
a temperature of 40 - 85 degrees Fahrenheit and humidity of 20
- 70 percent while transporting SSA's back-up tapes. To determine
compliance with this requirement, we observed one of NUS's
tape deliveries to the NCC. The NUS truck did not have a climate
control unit (air conditioning and heating unit), dedicated to
controlling, monitoring and recording the temperature and humidity
inside the cargo area. Instead, NUS modified the cab of the truck
by cutting a 3 and one-half inch hole through the cab back into
the cargo box and attached a blower in the cab to push cab air
back into the cargo area.
Modifying the truck this way does not meet the temperature
and humidity control requirement in the transportation contract
for the following reasons. First, the opening in the cargo area
is positioned so that, when cargo (a tape cabinet) is pushed up
against it, the opening is blocked and no air is able to circulate
in the cargo area. For example, the day we observed the truck there
was a tape cabinet secured up against the cargo opening and it
was impossible for any heat to circulate inside the cargo area
from the cab. We found the cabinets to be ice cold to our touch
because heat had not been circulating in the cargo area. We estimated
the temperature in the cargo area to have been between 28 and 32 degrees
during transit from Boyers, Pennsylvania to the NCC. These temperatures
are well below the minimum contract temperature of 40 degrees and
could result in the tapes freezing up.
Second, we were informed that the driver must stop in Breezewood,
Pennsylvania to rest for 8 hours after being on the road for
10 hours, as required by the U.S. Department of Transportation.
During this 8 hour rest period, the truck engine is turned off;
consequently, no air is circulating in the cargo area during this
time. The driver arrives at the rest stop around noon and the tape
cabinets sit in the afternoon sun during the hottest part of the
day. This is a problem in the summer when temperatures typically
exceed 90 degrees. Temperature in the cargo area would also be
exceeding 90 degrees, well over the maximum allowable contract
temperature of 85 degrees.
Finally, NUS is only taking the temperature and humidity
in the cargo area when the truck is leaving Boyers, Pennsylvania.
The contract calls for a specific temperature and humidity range
to be maintained at all times during transport. In order for NUS
to meet this requirement, they would have to be continually monitoring
the temperature and humidity in the cargo area during transport.
Our observations found no equipment on the NUS truck to monitor
the temperature and humidity during transport. The round trip takes
approximately 20 hours and the cargo area temperature and humidity
could dramatically change in that time period. Based on these facts,
we conclude that SSA has no assurance the cargo area has been environmentally
safe when transporting SSA's tapes to OSSF in Boyers, Pennsylvania.
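As an added illustration, not part of the audit report, the following Python check compares a constructed transit log against the contract's 40 - 85 degree and 20 - 70 percent limits. It shows that the departure-only reading NUS takes passes, while a continuous check over the same trip finds the cold and hot excursions described above. The log values and the function names are assumptions made for the example.

```python
# Limits from the transportation contract quoted in the report.
TEMP_RANGE = (40.0, 85.0)      # degrees Fahrenheit
HUMIDITY_RANGE = (20.0, 70.0)  # percent relative humidity

# Constructed, hypothetical log of (hours since departure, temp F, % RH) for
# one ~20 hour round trip. The values mimic the two failure modes the report
# describes: a vent blocked by a cabinet in cold weather, then an engine-off
# rest stop in afternoon sun.
TRANSIT_LOG = [
    (0, 62, 45),   # departure: the only point NUS actually measured
    (2, 36, 40),   # vent blocked, cargo area cooling
    (4, 29, 37),
    (6, 44, 40),   # air circulating again
    (10, 70, 50),  # arrives at the rest stop around noon
    (12, 88, 55),  # engine off, cargo box in the sun
    (14, 93, 58),
    (16, 90, 60),
    (20, 65, 48),  # back on the road, returning to NCC
]


def violations(reading):
    """Contract clauses a single reading breaks (empty list if compliant)."""
    _, temp_f, humidity = reading
    out = []
    if not TEMP_RANGE[0] <= temp_f <= TEMP_RANGE[1]:
        out.append("temperature")
    if not HUMIDITY_RANGE[0] <= humidity <= HUMIDITY_RANGE[1]:
        out.append("humidity")
    return out


def departure_only_compliant(log):
    """NUS's practice: check only the reading taken when the truck leaves."""
    return violations(log[0]) == []


def excursions(log):
    """Continuous check: group bad readings into (start_hour, end_hour, clause)."""
    found, cur = [], None
    for reading in log:
        bad = violations(reading)
        if bad and cur and cur[2] == bad[0]:
            cur[1] = reading[0]        # extend the current excursion
        else:
            if cur:
                found.append(tuple(cur))
            cur = [reading[0], reading[0], bad[0]] if bad else None
    if cur:
        found.append(tuple(cur))
    return found
```

On the constructed log the departure check reports compliance, while the continuous check reports a cold excursion from hour 2 to 4 and a hot one from hour 12 to 16, which is the assurance gap the report describes.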
In the task three group, we identified those tasks which
require NUS to provide qualified and bonded drivers. The contract
authorizes SSA to review driving records for the last 3 years and
requires that all drivers be bonded for at least $150,000. Through
interviews we found that SSA has never requested to review driving
records or verified that the drivers are bonded for $150,000 each.
We were able to verify for ourselves, however, that the drivers
are currently bonded for $1 million each.
In the task four group, we identified the remaining tasks
not identified above. These tasks include providing timely pickup
and delivery of back-up tapes and personnel to ensure safe/secure
loading and unloading of back-up tapes at SSA loading docks. Through
interviews and reviewing time logs, we were satisfied that these
requirements were being met.
Verification of all contract requirements for compliance
is important to the overall integrity and security of the back-up
tapes. The back-up tape shipping process exposes critical media
to environmental changes in temperature and relative humidity.
Changes, especially in temperature, could damage the tapes causing
the data to be unusable in a disaster recovery situation. Also,
to help ensure that only qualified drivers are transporting SSA's
back-up tapes, SSA should be reviewing driving records and verifying
that each driver is bonded for the amount stated in the contract.