Audit Report on the Controls in the New York City Housing Authority’s Data Center

AUDIT REPORT IN BRIEF

We performed an audit on the controls in the New York City Housing Authority’s (NYCHA) Data Center . NYCHA’s Department of Operations is responsible for the planning, development, operations, and maintenance of all computer systems within the NYCHA network. The NYCHA Local Area Network (LAN) provides the connection between all of its computer systems and the Internet.

Audit Findings and Conclusions

NYCHA’s computer operations and contingency plans generally comply with Comptroller’s Internal Control and Accountability Directive 18. In addition, NYCHA has an Internet Connectivity Plan that conforms to the Department of Investigation’s Citywide Information Security Architecture, Formulation and Enforcement Policies. However, NYCHA does not have adequate controls to identify and eliminate the user IDs of inactive users. In addition, there is a lack of written program-change control procedures; computer hardware and software items on hand are not annually reconciled with inventory records; and NYCHA’s disaster recovery plan does not include its LAN.

Recommendations

NYCHA should:

• Complete and implement procedures for security controls over user accounts.
• Terminate inactive accounts identified in this audit.
• Periodically identify and terminate inactive user accounts.
• Implement written procedures for making changes to computer applications and system software. These procedures should contain documentation requirements for user testing and acceptance of software changes.
• Reconcile its inventory of hardware and software on an annual basis, as required by Directive 18.
• Complete its draft LAN disaster recovery plan and incorporate it into the overall agency disaster recovery plan.