The Social Security Administration has a process to identify hardware devices connected to its network, but the network scanning tool it uses is unable to provide sufficient hardware identification, the agency’s inspector general has said in calling for better device detection and monitoring.
It found the SSA's device inventory incomplete and inaccurate, said the SSA had not approved all of the hardware devices connected to its network, and noted that although the SSA has processes to monitor the security level of connected devices, those processes were inconsistent with the agency policy in effect at the time of the audit.
SSA's fiscal 2012 report under the Federal Information Security Management Act stated that its automated processes identified 276,165 hardware devices connected to its network, but in January 2013 another scan showed about 326,000 connected hardware devices. The discrepancy could be due to desktop replacements and server reboots in January, according to the IG.
The IG said it selected 183 devices to review and found that for 48 of them the device specifications, machine name, or network address were incomplete.
Further, as of January 2013, SSA had 4,940 hardware devices that were not associated with an operating system and were reported as "unknown," meaning the scanning tool could not identify an operating system, the IG said.
SSA agreed with recommendations to embrace a risk-based process to ensure only approved and security-compliant hardware devices are connected to its network, as well as to revise its policy to document who or which agency component manages each hardware device connected to its network and is responsible for adequately securing those devices.
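As an added illustration, not part of the IG report or any SSA tooling, this is the kind of inventory reconciliation the findings above call for: it flags inventory records missing specifications, machine name or network address, devices whose operating system the scanner reports as "unknown", and devices seen on the network that have no approved inventory entry. All records are constructed sample data.

```python
"""Reconcile an approved-hardware inventory against network scan results.
The inventory and scan records below are constructed samples, not SSA data."""
from collections import Counter

REQUIRED = ("specs", "machine_name", "address")   # fields the audit checked

# Constructed approved-device inventory (asset id -> record)
INVENTORY = {
    "A001": {"specs": "Dell 7010", "machine_name": "ws-0001", "address": "10.0.1.10"},
    "A002": {"specs": "", "machine_name": "ws-0002", "address": "10.0.1.11"},   # no specs
    "A003": {"specs": "HP DL380", "machine_name": "", "address": "10.0.2.5"},    # no name
    "A004": {"specs": "Dell 7010", "machine_name": "ws-0004", "address": ""},    # no address
}

# Constructed scan results: what the scanning tool saw on the wire
SCAN = [
    {"asset_id": "A001", "address": "10.0.1.10", "os": "Windows 7"},
    {"asset_id": "A002", "address": "10.0.1.11", "os": "Windows 7"},
    {"asset_id": "A003", "address": "10.0.2.5", "os": "unknown"},
    {"asset_id": None, "address": "10.0.3.77", "os": "unknown"},   # never inventoried
    {"asset_id": None, "address": "10.0.3.78", "os": "Linux"},     # never inventoried
]

def incomplete_records(inventory):
    """Return {asset_id: [missing fields]} for records lacking a required field."""
    return {aid: [f for f in REQUIRED if not rec.get(f)]
            for aid, rec in inventory.items()
            if any(not rec.get(f) for f in REQUIRED)}

def reconcile(inventory, scan):
    """Compare the scan with the approved inventory and report the three
    conditions an auditor looks for: devices with an unidentified OS, devices
    on the network with no approved record, and approved devices not seen."""
    seen = {d["asset_id"] for d in scan if d["asset_id"]}
    return {
        "unknown_os": [d["address"] for d in scan if d["os"].lower() == "unknown"],
        "unapproved": [d["address"] for d in scan if d["asset_id"] not in inventory],
        "not_seen": sorted(set(inventory) - seen),
        "os_counts": Counter(d["os"] for d in scan),   # e.g. how many "unknown"
    }

if __name__ == "__main__":
    print(incomplete_records(INVENTORY))
    print(reconcile(INVENTORY, SCAN))
```

Run against a real inventory export and scan, the "unapproved" and "unknown_os" lists are the devices that need an owner assigned and an OS identified before they can be judged compliant.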