Weaknesses in the Social Security Administration’s patch management process contribute to a significant deficiency in the agency’s systems environment, the SSA inspector general has said.
As part of a fiscal 2013 financial audit, the IG had an independent public accounting firm perform systems penetration tests, which uncovered vulnerabilities. According to the audit, the agency did not always patch Windows servers according to its patch management policies, did not have effective policies and procedures to ensure UNIX servers were patched in a timely manner, and did not always address software vulnerabilities on the Windows servers.
The agency agreed with recommendations to develop and implement a comprehensive server patch management program to ensure all vulnerabilities are identified and patched in a timely manner.