Effectiveness of the Social Security Administration’s Server Patch Management Process (Limited Distribution)

Date: Monday, September 29, 2014
Report Number: A-14-14-14043
Report Type: Audit Report
Office Affiliation: 

The National Institute of Standards and Technology recommends that security issues be patched in a timely manner to maintain the operational availability, confidentiality, and integrity of information technology systems. Additionally, the Government Accountability Office’s Federal Information System Control Audit Manual requires that an effective patch management process be documented and implemented. SSA’s policies and procedures also require timely patching of systems.

To test the security of SSA’s systems, the independent public accounting firm we contracted with to audit SSA’s Fiscal Year 2013 financial statements performed systems penetration tests. The firm identified weaknesses with the Agency’s patch management process, which contributed to the firm’s determination that SSA had a significant deficiency in its systems environment.

The objective of this report was to determine whether the SSA server patch management program effectively addressed known system vulnerabilities.