On February 9, 2007, the OIG issued Audit Report Number 07-13, Review of the Small Business Administration’s Protection of Sensitive Agency Information. Following numerous incidents involving the compromise or loss of sensitive personal information, the Office of Management and Budget issued Memorandum 06-16, Protection of Sensitive Agency Information, on June 23, 2006. This Memorandum required federal agencies to take certain actions, to be implemented by August 7, 2006, to protect sensitive information entrusted to them.
The OIG evaluated SBA’s progress in implementing actions directed by OMB, and found that: (1) the SBA had not encrypted sensitive data on mobile computers and devices; (2) the SBA had not implemented remote two-factor authentication for accessing the agency network; (3) the SBA did not have a “time-out” function for email remote access; and (4) logs of computer-readable data extracts were not maintained. The OIG made five recommendations.