Audit Report On The Department Of Citywide Administrative Services’ Development And Implementation Of The Archibus System

June 27, 2019 | SI19-059A

Executive Summary

We audited the New York City Department of Citywide Administrative Services’ (DCAS’) development and implementation of the Archibus system to determine whether the system meets its overall goals, and whether it has adequate functions to ensure that the information process is reliable and secure from unauthorized access.

DCAS is responsible for, among other things, procuring goods and services for City agencies and managing City-owned office buildings.  DCAS’ Facilities Management Division is responsible for facilities operations and management, including the provision of maintenance and construction services for the tenants in 55 DCAS-managed buildings.

To accomplish its work, the Facilities Management Division utilized multiple computer systems to process, monitor, and track work order requests.  DCAS entered into a contract with Computerized Facility Integration, LLC (CFI) to implement a new commercial off-the-shelf (COTS) system, Archibus, to improve and centralize the business operations, including work requests, of the Facilities Management Division.[1]  Archibus was implemented in February 2017.

Audit Findings and Conclusions

Our audit determined that although Archibus was generally meeting its overall business goals as stated in the specifications, it had not been fully utilized by the business units for which it was intended.  Further, DCAS did not adequately consider and plan for certain business and security requirements, which contributed to the more than three-year delay in the project’s development and deployment and to its increased cost.  In addition, we found that the system did not validate date input: dates entered into the records it maintains were not checked to confirm that they fell within a valid time frame.

We also found that while DCAS has established policies and procedures to prevent unauthorized access, the system nevertheless has access control weaknesses, in that: external institution users were not required to change their passwords; DCAS did not periodically review all Archibus user account activities; and DCAS did not update the list of other agencies’ tenant liaisons, who are responsible for validating the identities of their agencies’ users and for notifying DCAS when to create or disable their accounts.  Further, our audit found that DCAS did not promptly address the risks identified in the vulnerability scans and did not have a disaster recovery plan for Archibus in the event of an emergency.

Finally, we conducted a User Satisfaction Survey; only 34 percent of respondents indicated that Archibus is very easy to use, and only 30 percent reported that the data in the system is always accurate.

Audit Recommendations

To address the issues, we made 14 recommendations to DCAS, including the following:

  • Ensure that the remaining Archibus modules are completed and meet the new projected timeline by November 2019.
  • Ensure that all future system developments and enhancements are properly planned to include all business and system requirements.
  • Develop a date verification rule to ensure that only valid dates can be entered into the system’s date fields.
  • Comply with the Department of Information Technology and Telecommunications’ (DoITT’s) Password Policy to ensure that each user’s initial password is changed immediately upon first login and that passwords are changed every 90 days.
  • Enforce the policy that requires inactive user account recertification to be performed every 90 days.
  • Ensure that all inactive user accounts are immediately disabled.
  • Periodically perform vulnerability scans and promptly remediate the risks identified in accordance with DoITT’s Application Security Policy.
  • Develop a formal Disaster Recovery Plan for Archibus to ensure operational continuity in the event of a disaster, emergency, or system failure.
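The date-verification finding and the related recommendation describe a missing input check rather than a specific rule.  As an added illustration that is not part of this report, of DCAS’ procedures, or of the Archibus product, the following Python shows the shape such a rule might take for a work-order record: strict format parsing, rejection of impossible calendar dates, a plausibility window, and a cross-field ordering check.  The field names (date_requested, date_completed), the go-live lower bound, the one-year forward window, and the sample records are assumptions constructed for this example.

```python
"""Strict date-field validation of the kind the audit recommends.

Added example, not DCAS's or Archibus's code. Field names, the
plausibility window and the sample records are assumptions.
"""
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed business rules, not taken from the report: the system went live in
# February 2017, so no work-order date may precede that month, and a date more
# than one year ahead of "today" is treated as an entry error.
EARLIEST_ALLOWED = date(2017, 2, 1)
MAX_FUTURE = timedelta(days=365)


class DateFieldError(ValueError):
    """Raised when a date field fails validation; the message names the field."""


def parse_strict_date(raw: str, field: str) -> date:
    """Parse an ISO 8601 calendar date (YYYY-MM-DD) and nothing else.

    strptime enforces the calendar, so 2019-02-30 and 2019-13-01 are rejected
    along with free text. The length check keeps out two-digit years, single
    digit months and trailing junk before strptime ever sees them.
    """
    raw = raw.strip()
    if len(raw) != 10:
        raise DateFieldError(f"{field}: {raw!r} is not in YYYY-MM-DD form")
    try:
        return datetime.strptime(raw, "%Y-%m-%d").date()
    except ValueError:
        raise DateFieldError(
            f"{field}: {raw!r} is not a valid YYYY-MM-DD calendar date"
        ) from None


def validate_date_field(raw: str, field: str, today: date) -> date:
    """Parse a date field and check that it lies inside the plausible window."""
    value = parse_strict_date(raw, field)
    if value < EARLIEST_ALLOWED:
        raise DateFieldError(f"{field}: {value.isoformat()} predates {EARLIEST_ALLOWED.isoformat()}")
    if value > today + MAX_FUTURE:
        raise DateFieldError(f"{field}: {value.isoformat()} is more than a year in the future")
    return value


def validate_work_order(record: Dict[str, str], today: date) -> Dict[str, Optional[date]]:
    """Validate one record's date fields and their relative ordering.

    Returns the parsed dates; raises DateFieldError on the first problem found.
    """
    requested = validate_date_field(record["date_requested"], "date_requested", today)
    completed: Optional[date] = None
    raw_completed = record.get("date_completed", "")
    if raw_completed:
        completed = validate_date_field(raw_completed, "date_completed", today)
        # Cross-field checks: a job cannot finish before it was requested, and a
        # completion date cannot lie in the future.
        if completed < requested:
            raise DateFieldError("date_completed precedes date_requested")
        if completed > today:
            raise DateFieldError("date_completed is in the future")
    return {"date_requested": requested, "date_completed": completed}


def check_records(records: List[Dict[str, str]], today: date) -> List[Tuple[str, Optional[str]]]:
    """Run validation over a batch and report (wo_id, error message or None)."""
    results: List[Tuple[str, Optional[str]]] = []
    for rec in records:
        try:
            validate_work_order(rec, today)
            results.append((rec["wo_id"], None))
        except DateFieldError as exc:
            results.append((rec["wo_id"], str(exc)))
    return results


# Constructed sample records (not real DCAS data). Each rejected one shows a
# class of error that an unvalidated date field would silently store.
SAMPLE_RECORDS = [
    {"wo_id": "WO-1001", "date_requested": "2019-03-04", "date_completed": "2019-03-06"},
    {"wo_id": "WO-1002", "date_requested": "2019-02-30", "date_completed": ""},  # impossible day
    {"wo_id": "WO-1003", "date_requested": "1900-01-01", "date_completed": ""},  # placeholder year
    {"wo_id": "WO-1004", "date_requested": "2119-05-01", "date_completed": ""},  # century typo
    {"wo_id": "WO-1005", "date_requested": "2019-03-10", "date_completed": "2019-03-01"},  # out of order
    {"wo_id": "WO-1006", "date_requested": "03/04/2019", "date_completed": ""},  # wrong format
]
AUDIT_DATE = date(2019, 6, 27)  # the report's publication date, used as "today"

if __name__ == "__main__":
    for wo_id, error in check_records(SAMPLE_RECORDS, AUDIT_DATE):
        print(wo_id, "OK" if error is None else f"REJECTED: {error}")
```

Passing a fixed "today" into the validator rather than reading the clock keeps the rule testable and makes the forward window reproducible when records are re-validated later.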

Agency Response

In its response, DCAS agreed with eight recommendations, partially agreed with one recommendation, and disagreed with the remaining five recommendations.  In addition, DCAS disagreed with certain of our findings related to the system development and implementation issues including those concerning project delay, module usage, and data fields.  After carefully reviewing DCAS’ response, we find no basis to change any of the report’s findings.  The full text of DCAS’ response is included as an addendum to the report.

[1] Commercial off-the-shelf (COTS) refers to software or hardware products that are ready-made and available for sale to the general public.