Social Security Administration

Pursuant to a congressional request, GAO provided answers to questions relating to its May 6, 1997, testimony on the Social Security Administration's (SSA) use of the Internet to provide Personal Earnings and Benefit Estimate Statements (PEBES) to individuals.

GAO noted that: (1) discussion should include a focus on system security for the following reasons; (a) there have been recent problems in implementing currently available commercial encryption processes; and computer systems that use these processes have been successfully attacked; (b) SSA is using the same encryption techniques as banks and other on-line businesses; (c) because of security concerns, some commercial enterprises have not implemented full Internet-based electronic commerce; and (d) the risk associated with commercial systems should be viewed very differently from those associated with SSA's on-line service; (2) in deciding to establish the PEBES service, SSA hoped that providing U.S. workers with better information about Social Security would help rebuild public confidence in its programs and offer a useful financial planning tool; (3) in making information readily available via the Internet, however, many opportunities for serious misuse of sensitive information exits; (4) effective risk management is necessary to ensure that the most appropriate technical safeguards are identified and implemented to protect against security threats; (5) risk management would include assessing the vulnerabilities involved in using the Internet to provide this service, and then implementing appropriate security controls to reduce risk to an acceptable level; (6) it is essential that federal agencies implement information security programs that proactively and systematically assess risk, monitor the effectiveness of security controls, and respond to identified problems; (7) as the senior official designated to oversee information resources management (IRM), SSA's chief information officer (CIO) should have primary responsibility for ensuring that the on-line PEBES initiative represents a sound information technology investment based on factors such as the project's cost, risk, return on investment, and support of mission-related outcomes; (8) another key responsibility of the CIO is ensuring the privacy and security of information contained in the agency's information systems; (9) GAO does not have sufficient information to provide an estimate of the cost that SSA would have to incur to develop a secured Internet, however, on the basis of GAO reviews of satellite systems owned by the Department of Defense, GAO believes that developing a comparable network for SSA would be very costly; and (10) improving the potential for detecting and acting against security breaches will depend, in large part, on the extent to which federal agencies and departments implement effective information security.