Our objective was to determine whether the Social Security Administration (SSA) (1) assigned its claims-taking (CT) profiles only to users who needed them to perform their duties and (2) properly limited the resources included in those profiles.
In Fiscal Year 2017, SSA paid nearly $1 trillion in benefits. The Agency’s claims-takers played a key role in administering these benefits by reviewing and authorizing claims. Of the Agency’s nearly 60,000 employees, almost 20,000 rely on SSA’s information technology systems to take claims for Social Security benefits.
The Agency requires that managers authorize employee access to SSA information systems based on need to know and limit access to the least privilege required to perform job functions. SSA uses system profiles to separate duties among its users.
Each profile contains permissions to access system resources such as software applications, data files, and transactions. Based on users’ job duties, SSA assigns one or more profiles to their personal identification numbers. Users can then access the system resources included in their assigned profile(s).