Audit Report on Department For The Aging Controls Over Personally Identifiable Information
Audit Report In Brief
The New York City Department for the Aging (DFTA) promotes the independence, health, and well-being of older New Yorkers through advocacy, education, and the coordination and delivery of services. DFTA contracts with more than 400 local contractors to provide services to help older persons maintain or enhance their quality of life in the community. These contractors may collect personally identifiable information (PII) to provide Long Term Care Case Management program referrals or services at senior community centers.
In carrying out its mission, DFTA collects, processes, stores, and transmits many types of information about its clients. This data contains PII that is confidential or sensitive in nature, such as an individual’s name, social security number, medical history and prescriptions, income, and any reports involving abuse. This data must be safeguarded to prevent theft, misuse, or disclosure to unauthorized persons that may result in criminal activities such as identity theft or other inappropriate uses of the information.
Audit Findings and Conclusions
DFTA generally has controls over the storage of the personally identifiable information it has collected. Its “Computer Use and Electronic Processing Policy” defines personnel responsibilities for protecting personal information on its systems. In addition, DFTA has case management standards for its contractors that require all case managers to be trained on the rights and privacy of clients. DFTA places records in a securely locked area, which includes locked file cabinets and storage rooms. Finally, DFTA’s program officers conduct annual assessments to evaluate performance at the long-term care contractor sites.
However, DFTA does not adequately follow the DoITT policies concerning the protection of personal information in its information processing systems. Specifically, DFTA does not have a data classification policy requiring the classification of data into public, sensitive, private, and confidential categories, as specified by the DoITT Data Classification Policy. Also, DFTA lacks an adequate user access-control and password policy, which exposes PII to access by unauthorized personnel. DFTA does not follow the DoITT information security policy requirement to perform annual assessments of the electronic data collected and stored at contractor sites, assessments intended to identify patterns of security violations and to ensure that proper controls are in place to prevent unauthorized access to PII. Finally, while DFTA has a disaster recovery plan, the agency did not conduct any of the disaster recovery tests specified in the plan.
Audit Recommendations
To address these issues, we make 6 recommendations: DFTA should:
- Establish a data classification policy, as specified by DoITT’s policy, which requires that all information collected concerning the City’s general business be classified into one of four categories: public, sensitive, private, or confidential.
- Comply with DoITT’s password policy by implementing a lockout feature that activates within 15 minutes of user inactivity on an unattended session.
- Revise password policy and require passwords to contain at least eight characters at contractor sites.
- Require all users to change their passwords at least every 90 days.
- Perform annual assessments of electronic data collected and stored at the contractor sites.
- Comply with its disaster recovery plan and perform the required disaster recovery test twice per year.