Like other organizations, Amtrak (the company) faces the inherent cybersecurity risk that employees or contractors are “insider threats”—that is, that they could maliciously or unintentionally use information systems or data in a manner that harms the company. Insider threats may cause more harm and are more difficult to detect than external cyber‐attackers because individuals within an organization already have access to systems and data. Amtrak Office of Inspector General’s (OIG) recent investigations identified company employees and contractors who misused or took advantage of their system access and exposed sensitive company information. Accordingly, our objective was to assess the effectiveness of company controls to protect its information systems and data from insider threats. Our recommendations included conducting an insider threat risk assessment, establishing a policy for insider threat activities, and developing a process to track and enforce company access requirements. In commenting on a draft of this report, company executives agreed with our recommendations and identified actions that the company plans to take to address them.

THE TRANSPORTATION SECURITY ADMINISTRATION AND THE DEPARTMENT OF TRANSPORTATION HAVE DETERMINED THAT THIS REPORT CONTAINS SENSITIVE SECURITY INFORMATION (SSI) that is controlled under 49 CFR parts 15 and 1520 to protect Sensitive Security Information exempt from public disclosure. For Amtrak OIG, public disclosure is governed by 5 U.S.C. § 552 and 49 CFR parts 15 and 1520. This public version of the report has been redacted.

Report Date | Agency Reviewed / Investigated | Report Title | Type | Location | |
---|---|---|---|---|---|
Amtrak (National Railroad Passenger Corporation) | TECHNOLOGY: Amtrak Has Opportunities to More Effectively Protect Its Information Systems and Data from Insider Threats | Audit | Agency-Wide | View Report | |
Board of Governors of the Federal Reserve System | Results of Scoping of the Evaluation of the Board’s Intelligence Programs | Inspection / Evaluation | Agency-Wide | View Report | |
Architect of the Capitol | Semiannual Report to Congress (SAR 23-2) | Semiannual Report | Agency-Wide | View Report | |
U.S. Agency for International Development | Financial Audit of Action Contre La Faim Under Multiple Awards, for the Fiscal Year Ended December 31, 2021 | Other | | View Report | |
Department of the Treasury | FINANCIAL MANAGEMENT: Audit of the Office of the Comptroller of the Currency's Financial Statements for the Fiscal Years 2023 and 2022 | Audit | Agency-Wide | View Report | |
Department of the Treasury | FINANCIAL MANAGEMENT: Management Letter for the Audit of the Office of the Comptroller of the Currency's Financial Statements for Fiscal Years 2023 and 2022 | Audit | Agency-Wide | View Report | |
Department of Health & Human Services | Washington State Did Not Ensure That Selected Nursing Homes Complied With Federal Requirements for Life Safety, Emergency Preparedness, and Infection Control | Audit | | View Report | |
General Services Administration | Audit of PBS’s Lease Award and Administration for the Bureau of Land Management Field Office in Baker City, Oregon | Audit | Agency-Wide | View Report | |
U.S. Postal Service | Security Assessment of a U.S. Postal Service Product Solutions Application | Audit | Agency-Wide | View Report | |
Office of Personnel Management | Investigative Activities Quarterly Case Summary FY 2023 Q4 | Other | Agency-Wide | View Report | |