Audit Report on the Controls of the Administration for Children’s Services Over Personally Identifiable Information

AUDIT REPORT IN BRIEF

The New York City Administration for Children’s Services protects children from abuse and neglect.  During Fiscal Year 2008, it investigated child abuse and neglect reports involving approximately 90,000 children, provided preventive services to approximately 32,000 children, provided foster care for approximately 17,000 children through 36 foster care agencies City-wide,  and helped arrange for the adoption of approximately 1,200 children.  ACS also funds and supports 257 Head Start centers and 75 preventive agencies, and enrolls approximately 102,000 children in child care programs.

In carrying-out its mission, ACS collects, processes, stores, and transmits many types of case-record information from its clients and governmental agencies.  Data is a critical asset of ACS, and it contains personal information pertaining to every case processed by the agency.  One of the types of data at risk of theft or misuse is Personally Identifiable Information (PII).  This information contains data that is confidential or sensitive in some way, because it includes individuals’ names, addresses, social security numbers, medical information, and other personal information.  Disclosure of this information to unauthorized individuals may result in criminal activities, such as identity theft or other inappropriate uses of the information.

Audit Findings and Conclusions

ACS has adequate controls over storage of personally identifiable information it has collected.  In addition, its Information and Internet Security Policy defines personnel responsibilities to protect personal information on its systems.  Further, ACS has guidelines (the William Bell Policy) requiring that personnel have proper authorization before destroying or removing documents under its stewardship.  Moreover, the ACS Division of Personnel (Personnel) places case records in a securely locked area, which includes file cabinets and storage rooms.  Finally, we observed that Personnel had shredding bins for the disposal of copies of original documents, as required in ACS guidelines.  Also, ACS follows DORIS (Department of Records and Information Services) retention and disposal standards.

However, ACS has an inadequate password policy for its local network and handheld Blackberry devices.  The lack of adequate policies and procedures for the local network poses a threat to the security of ACS personal information by unauthorized personnel or other inappropriate parties.  We found 15 instances in which the access of terminated employees was not removed or disabled in the ACS computer environment.  Also, throughout its information processing systems ACS has not met the requirements of DoITT’s (Department of Information Technology and Telecommunications) policies concerning personal information protection.  Specifically, ACS does not follow the DoITT Data Classification Policy requiring the classification of data into public, sensitive, private, and confidential categories.  In addition, ACS did not ensure that its disaster recovery team members were familiar with its disaster recovery plan and periodically review the necessary steps codified in the plan.

Audit Recommendations

To address these issues, we make 12 recommendations, including that ACS should:

• Immediately send out the data classification survey to all the remaining divisions in order to continue the implementation process of the DoITT Data Classification Policy.
• Complete the data classification process of classifying data collected by each division to ensure the confidentiality, integrity, and availability of ACS personal information.
• Revise its password policy and require passwords to contain at least eight characters.
• Ensure that the access of employees whose services are terminated is removed from the ACS system on a timely basis.
• Create a record-booking process to keep accurate track of dates employee access is removed from the system.
• Require ACS staff who use a Blackberry for work purposes to take the necessary security precautions to protect critical information and to prevent access by unauthorized individuals.