Access to Social Security Administration Data Provided by Disability Determination Services Positional Profiles (Limited Distribution)
Our objective was to determine whether the positional profiles assigned to Disability Determination Services' (DDS) employees provide more access to the Social Security Administration (SSA) data than that needed to do their jobs.
SSA's systems access policy is built on the principle that employees should only have access to the private/sensitive data necessary to perform their jobs. This policy applies to all SSA and DDS employees.
SSA uses Top Secret software to enforce its data access policies. Systems access control is achieved through the use of a Personal Identification Number (PIN), passwords linked to the PIN, and profiles. SSA policy requires all users granted access to change their passwords every 30 days or Top Secret will suspend access.
The profile is one of Top Secret's primary access control mechanisms. Each profile contains a unique mix of facilities and transactions that determines what access to systems resources that specific position needs.
We found areas where controls should be improved. We made, and SSA agreed with, four recommendations. SSA's Offices of Operations and Systems informed us they have already begun taking steps to address the internal control weaknesses we identified.
This report contains restricted information for official use. Distribution is limited to authorized officials.