Prompted by dozens of occasions in which employees improperly accessed information about Rep. Jason Chaffetz, R-Utah, USSS migrated information to systems with inadequate system security plans, expired authorities to operate, inadequate access and audit controls, noncompliance with logical access requirements, inadequate privacy protections, and over-retention of records.
The improved IT governance framework drafted by the USSS chief information officer has yet to be fully implemented, and a lack of proper IT security and privacy training means that system and data vulnerabilities remain.
The OIG recommended USSS Director James Clancy provide plans — with milestones and estimated completion dates — for:
- Specialized roles and responsibilities training.
- Systems operating in accordance with DHS policy.
- Implementing personal identity verification cards for logical systems access.
- Implementing privacy controls.
- Appointing a full-time, senior-level privacy officer.
- Ensuring compliance with the National Archives and Records Administration’s regulations for retention and destruction of applicant records.
- Outlining USSS IT strategies.
- Periodically updating policies and procedures.
- Addressing IT staff vacancies.
- Ensuring employee and contractor information security awareness and privacy training.
The USSS has agreed with all recommendations, and the DHS chief privacy officer will conduct systemic reviews with recommendations for ensuring compliance.
The report can be downloaded in its entirety from the DHS OIG website.