Wednesday, June 3, 2009

Roanoke City Employees and Officials Risk SSN Disclosure

UPDATE: Good article today at the Richmond Time-Dispatch on SSN exposure.

Once a security analyst always a security and audit analyst. Today’s Roanoke Times Editorial posting “Now pass the right law” regarding government agencies securing sensitive information prompted me to finally write about a nagging security concern. The article dealt with exposure of employee and officials social security numbers.

Governments short on Information Technology staff and faced with aging hardware, old software code, and integration issues are either hiring consultants or outsourcing their IT departments completely. The State of Virginia has a $2 billion outsourcing arrangement with Northrop Grumman that has had mixed results – See the Richmond Times-Dispatch article here.

The City of Roanoke is outsourcing its mainframe system to MFX, Inc. here in the Roanoke Valley – my former employer. Now this was a good move by the City as they work to move applications off of IBM’s Z/OS operating system onto server based operating systems.

A vendor purchased financial application implementation failed first time out of the shute according to the head auditor, Drew Harmon. There are problems with integration. This is not a surprise, as rarely does “canned” vendor packages fit the mold of an existing in-house written application. So the financial application still sits on the mainframe waiting for a vendor resolution.

The employee payroll application was next to be moved off the mainframe according to Harmon but now that will wait until resolution of the finance system.

Several months ago I asked Harmon to look into my concern on the exposure of City employee information that included salary and social security numbers that remained on the output queue of the mainframe for too long a time. The report contained every city employee and official (Council and Mayor) with their salary and social security number. To explain an output queue it is where reports, forms, checks etc., sit until they are printed. It is viewable to anyone unless it is secured through the operating system’s security software. Roanoke City does not have the output queue secured at all. Anyone having TSO (Time Sharing Option) could look at the output queue and view the payroll report containing every employee’s social security number.

Not everyone has TSO access but it does include besides city IT programmers MFX, Inc. system services personnel and computer operators.

During the transition of the mainframe to MFX the lack of security was startling to a security analyst use to extensive security measures deployed in the private sector. When passed to MFX it was pointed out that all the information was a matter of public record anyway so there was no concern.

At Monday’s Council briefing I again asked Harmon if payroll was still on the mainframe and if he had looked into my concern on the exposure of employee social security numbers. According to Harmon the policy for keeping reports on the output queue has been tightened.

Let me be clear that no one at MFX has the time or inclination to browse the City’s output queue. All employees and contractors are honest, hardworking IT professionals. However, what if this was not the case? Snap the report to a dataset (file), download it, and email it … eegad!

Posted By Valerie Garner

Categories: Commentary, Finance, Roanoke City Politics

Tags: , ,


No Comments

Comments are not moderated. Notify any abuse at put ABUSE in the subject and the offensive post.

Leave a Reply