Executive Summary

We audited the New York City Department of Transportation’s (DOT’s) access controls over its computer systems to determine whether DOT had adequate system security and access controls in place to protect the information in its computerized environment.

DOT manages one of the most complex urban transportation networks in the world.  It is responsible for the condition and operation of 6,300 miles of streets, highways, public plazas and 789 bridge structures.  It maintains over one million street signs, 12,700 signalized intersections, over 315,000 street lights, and over 200 million linear feet of markings.  In addition, it manages and maintains the City’s streets, sidewalks, curbside parking, bike lanes, bus lanes, and un-tolled bridges, as well as the Staten Island Ferry.

As part of its operations, DOT uses 88 computer applications.  The agency identified 15 of those applications as critical.  The 15 critical applications process private information in addition to public data.  The private information includes driver’s license numbers, personal medical data, the names and addresses of the employers of permit applicants, and other information restricted to agency use.  All of DOT’s applications and their data are regulated by the agency’s policies and the New York City Department of Information Technology and Telecommunications’ (DoITT’s) policies.

Audit Findings and Conclusions

Our audit found that DOT has established controls for application access and data protection, and has implemented security controls to protect its computerized environment.  However, we found weaknesses in certain of those access and security controls.  Specifically, DOT had not deactivated or disabled the user accounts of 113 former or on-leave employees, as required by DoITT’s policies, increasing the risk that unauthorized users could gain access to DOT’s applications and attempt to modify, delete, or steal data.  In addition, DOT did not implement and enforce DoITT’s password-expiration and complexity rules for three critical applications.  We also found that two DOT public web applications, Annual Overweight Load Permits (AOL) and Over-Dimensional Overweight Vehicle Permits (ODVP), used an unsecured network protocol—a method by which computers communicate with each other—that rendered the applications and the communications the protocol carries vulnerable to unauthorized intrusion and interception.

Further, as of September 14, 2017, DOT had not classified the data in the majority of its applications into public, sensitive, private or confidential categories as prescribed by DoITT policy.  Data classification is a critical step toward determining whether security controls are adequate for different sets of data.  DOT has also initiated but not completed a comprehensive risk assessment of its computer systems, which is necessary to identify and address system and data security requirements.  The audit also found that DOT had not promptly addressed reported vulnerabilities in several servers and that the agency was using a server configuration with an outdated, unsecured encryption protocol.

During the audit and the exit conference on December 6, 2017, DOT officials informed us of certain steps they are taking to address the issues identified in the audit, which are described in this report.

Audit Recommendations

To address the above-mentioned issues, we made the following 10 recommendations to DOT:

  • Immediately disable former and inactive employees’ user accounts in all of its applications and thereafter conduct periodic reviews to identify and disable the application user accounts of former and inactive employees.
  • Ensure that DOT’s Human Resources Department promptly informs the Information Technology Administrators in charge of maintaining user accounts when an employee leaves the agency or goes on long-term leave.
  • Ensure all current and future applications follow DoITT’s security policies and allow for the deactivation of former or on-leave employees without loss of data the agency needs to retain.
  • Review the system controls and procedures in place and modify them if necessary to ensure that user accounts are promptly deactivated for people who are separated from DOT.
  • Ensure all applications follow DoITT’s Identity Management and Password Policies.
  • Ensure that the AOL and ODVP applications, and all web-based, publicly accessible applications that handle private or confidential data, use Hypertext Transfer Protocol Secure (HTTPS) rather than unencrypted HTTP.
  • Ensure that agency-wide data classification is completed and appropriate controls are implemented to safeguard the data based on its classification.
  • Implement the necessary controls to prevent, detect and block the theft of data via external devices connected to its computers such as USB storage drives and portable hard drives.
  • Address all detected vulnerabilities by applying the proper patches and configuration changes; a follow-up network vulnerability scan report should also be generated to confirm that mitigation of vulnerabilities has taken place.
  • Complete a risk assessment of its systems and data as described in National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework and in the Center for Internet Security’s (CIS’s) Critical Security Controls.
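The first four recommendations describe a recurring control: reconcile every application's user list against the HR roster and disable accounts belonging to separated or on-leave employees. The following Python script is an added illustration of that periodic review and is not code from the audit, from DOT or from DoITT. The HR feed format, the application names (App-A, App-B, App-C), the account fields, the 90-day password age and the sample records are all constructed assumptions; it also flags passwords older than the assumed expiration interval, since the audit found expiration rules unenforced in three critical applications.

```python
"""
Periodic application access review (added example, not DOT's tooling).

For each enabled application account the script asks, in order:
  1. Is there an HR record at all?           -> no:  orphan account, disable
  2. Is the employee separated?              -> yes: disable
  3. Is the employee on long-term leave?     -> yes: disable
  4. Is the password older than the limit?   -> yes: force a reset
Anything else is compliant and produces no finding.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed expiration interval; DoITT's published value is not stated in the audit.
PASSWORD_MAX_AGE_DAYS = 90


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str          # "active", "separated" or "leave" (assumed vocabulary)
    status_date: date    # date the status took effect


@dataclass(frozen=True)
class AppAccount:
    application: str
    username: str
    employee_id: Optional[str]   # None when the account is not mapped to an HR record
    last_password_change: date
    enabled: bool


def review_accounts(hr: Dict[str, HrRecord], accounts: List[AppAccount], today: date) -> List[dict]:
    """Return one finding per enabled account needing action, sorted by application then user."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled, nothing to do
        rec = hr.get(acct.employee_id) if acct.employee_id else None
        pw_age = (today - acct.last_password_change).days
        if rec is None:
            action, reason = "disable", "orphan: no HR record"
        elif rec.status == "separated":
            action, reason = "disable", f"separated on {rec.status_date.isoformat()}"
        elif rec.status == "leave":
            action, reason = "disable", f"on long-term leave since {rec.status_date.isoformat()}"
        elif pw_age > PASSWORD_MAX_AGE_DAYS:
            action, reason = "force password reset", f"password age {pw_age}d exceeds {PASSWORD_MAX_AGE_DAYS}d"
        else:
            continue  # active employee, current password: compliant
        findings.append({"application": acct.application, "username": acct.username,
                         "action": action, "reason": reason})
    findings.sort(key=lambda f: (f["application"], f["username"]))
    return findings


def run_sample() -> List[dict]:
    """Run the review over constructed sample data (not real DOT or HR records)."""
    today = date(2017, 9, 14)
    hr = {
        "E100": HrRecord("E100", "active", date(2015, 1, 5)),
        "E200": HrRecord("E200", "separated", date(2017, 6, 30)),
        "E300": HrRecord("E300", "leave", date(2017, 8, 1)),
        "E400": HrRecord("E400", "active", date(2012, 3, 12)),
    }
    accounts = [
        AppAccount("App-A", "jdoe", "E100", date(2017, 8, 1), True),          # compliant
        AppAccount("App-A", "rroe", "E200", date(2017, 1, 1), True),          # former employee
        AppAccount("App-B", "ssmith", "E300", date(2017, 7, 1), True),        # on leave
        AppAccount("App-B", "contractor1", None, date(2016, 12, 1), True),    # orphan
        AppAccount("App-C", "mlee", "E400", date(2017, 3, 1), True),          # stale password
        AppAccount("App-C", "rroe", "E200", date(2017, 1, 1), False),         # already disabled
    ]
    return review_accounts(hr, accounts, today)


if __name__ == "__main__":
    for finding in run_sample():
        print(f'{finding["application"]:6} {finding["username"]:12} {finding["action"]:20} {finding["reason"]}')
```

In practice the HR feed would be the same separation and leave notification that the second recommendation asks Human Resources to send to the account administrators; running this reconciliation on a schedule catches the cases where that notification never arrived, which is how 113 accounts accumulated. Accounts flagged for disabling should be disabled, not deleted, so the data the agency must retain (third recommendation) stays intact.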

Agency Response

In its response, DOT agreed with all 10 of our recommendations.  However, DOT took issue with one finding, stating that “[t]he report does not accurately present the correct number of employees who had unauthorized access to critical applications. The report cites 113 employees who had unauthorized access and the accurate figure is 52.”