Audit Report on the Department of Environmental Protection Data Center

May 22, 2002 | 7A02-069

EXECUTIVE SUMMARY

The New York City Department of Environmental Protection (DEP) supplies 1.35 billion gallons of drinking water to more than seven million City residents and to one million water users in four upstate counties. DEP treats a daily average of 1.27 billion gallons of wastewater at 23 wastewater treatment facilities. It finances the maintenance, growth, and rehabilitation of the water and sewer systems through revenue from water and sewer fees paid by consumers. Finally, DEP enforces provisions of the City Administrative Code that regulate air, noise, hazardous materials, and asbestos abatement.

The DEP central data center, located at DEP headquarters, supports the main local area network (LAN). The central data center also connects to smaller bureau data centers within the agency, such as those for the Bureaus of Wastewater Treatment, Environmental Engineering, and Water and Sewer Operations. Users can connect to LAN applications that include the Automated Complaint System and the Facilities Information Tracking system.

The DEP Management Information System division (MIS) is responsible for developing, maintaining, and supporting application software and for operating the data center.

Our audit objectives were:

  • To review the adequacy of the central data center’s physical and system security.
  • To determine whether computer operations and contingency plans are adequate and have been tested in compliance with Comptroller’s Directive #18 (Directive 18), the City Department of Investigation’s (DOI) Standards for Inventory Control and Management, and the Federal Information Processing Standards (FIPS).

Audit fieldwork began in July 2001 and ended on January 2, 2002. To achieve our objectives we:

  • Interviewed DEP personnel;
  • Conducted a walk-through of the central data center;
  • Reviewed and analyzed data security controls;
  • Reviewed DEP’s Computing and Networking Policy and Procedures;
  • Evaluated DEP’s network disaster recovery controls;
  • Reviewed DEP’s Internet Security Architecture Plan;
  • Tested DEP compliance with FIPS;
  • Tested DEP compliance with Directive 18; and
  • Tested DEP compliance with the DOI Standards for Inventory Control and Management.

This audit was conducted in accordance with generally accepted government auditing standards (GAGAS) and included tests of the records and other auditing procedures considered necessary. This audit was performed in accordance with the City Comptroller’s audit responsibilities as set forth in Chapter 5, § 93, of the New York City Charter.

The DEP central data center is not in compliance with certain requirements of Directive 18, FIPS, and DOI inventory control policies. Specifically, the data center is not monitored 24 hours a day, and a fire extinguishing system has not been installed. In addition, the log-on access of 81 inactive or former employees has not been disabled, and DEP has no procedures to document, review, and follow up on network-security access violations. Moreover, proper inventory procedures have not been established to ensure that all computer equipment is accounted for, and DEP has not installed filtering software to reduce the risk of users’ accessing inappropriate web sites.

The report contains 14 recommendations, the most critical of which are listed below. DEP management should:

  • Test the data center’s UPS equipment regularly.
  • Identify and terminate inactive user accounts.
  • Require that all server passwords be changed every 42 days.
  • Eliminate unnecessary generic accounts.
  • Complete and formally approve a disaster recovery plan (for the network and software). Once the plan is completed and approved, DEP should periodically test it and document the results to ensure that the plan functions as intended and is adequate to quickly resume computer operations without material loss of data.
  • Install a security filtering system or firewall on all PCs with Internet access.

The matters covered in this report were discussed with officials from the DEP during and at the conclusion of this audit. A preliminary draft report was sent to DEP officials and discussed at an exit conference held on April 11, 2002. On April 23, 2002, we submitted a draft report to DEP officials with a request for comments. We received a written response from DEP on May 7, 2002. DEP generally agreed with the audit’s findings and recommendations and has started implementing some of the recommendations.