Audit Report on the Development and Implementation of the Department of Investigation Livescan Fingerprint System
AUDIT REPORT IN BRIEF
We performed an audit on the development and implementation of Livescan, an automated fingerprinting system, by the Department of Investigation (DOI). Livescan captures and transmits fingerprint images electronically. The system significantly reduces the turnaround time for fingerprint checks and eliminates the need to resubmit fingerprints to the State when they have been rejected because of poor image quality.
Livescan meets DOI’s initial business and system requirements for capacity to transmit information to and receive information from the New York State Division of Criminal Justice Services (DCJS). According to our user survey, users of Livescan are generally satisfied with the system because it reduces turnaround time. Further, the system allows for future changes and periodic upgrades. In addition, DOI complied with the applicable New York City Procurement Policy Board (PPB) rules when procuring the system. However, although DOI stated that it had implemented all of the four system components included in the original contract, it could not demonstrate that the Cardscan subsystem is operational. Moreover, DOI did not follow a system-development life-cycle methodology, nor did it provide for an independent quality-assurance test of the system. Therefore, we could not determine whether Livescan would, as a finished product, meet the overall goals as stated in the system justification. Also, although DOI has included Livescan in its disaster recovery plan, the plan is not complete.
During fieldwork, we noted that: DOI does not ensure that passwords for the Livescan and the DCJS computer system (Secure Services) are periodically changed; the system firewall security is below DOI standards; security policies are not up-to-date; and DOI does not adequately monitor security violations. In addition, DOI lacks an adequate fire suppression system to protect Livescan. Finally, DOI did not ensure that it has access to the Livescan source code in the event that the vendor, Comnetix Computer Systems (Comnetix), goes out of business or is otherwise unavailable and programming changes are required.
To address these issues, we recommend that DOI:
- Ensure that the Cardscan subsystem is operational and that appropriate personnel are trained in its operation.
- Follow a formal systems-development methodology for all future systems-development projects and engage an independent quality assurance consultant or assign an employee to monitor and review development work, as well as any system enhancements to Livescan. In addition, DOI should develop formal acceptance-sign-off procedures to ensure that all system requirements are completed.
- Develop procedures to determine whether an event is sufficiently serious to invoke its disaster recovery plan. In addition, DOI should formalize agreements with the vendors to provide software supplies and equipment and with DoITT regarding the alternate processing site. Finally, DOI should periodically test the disaster recovery plan.
- Address the user concerns revealed in our survey. In that regard, DOI should consider including help menus and screens and formats that are easier to use and providing additional training to those users who reported that they had limited knowledge of the system.
- Ensure that its employees periodically change their passwords for Livescan and Secure Services.
- Upgrade its CISCO PIX firewall version to the standards set by its CISAFE (Citywide Information Security Architecture Formulation and Enforcement) unit.
- Establish formal procedures to document and report system-access violations, and review and follow up on all reported violations. In addition, DOI should ensure that its security documentation is maintained so that it remains accurate and complete.
- Install a fire-suppression system that would protect the equipment. In addition, DOI should document the fire prevention procedures in effect at its Chambers Street facility.
- Obtain the Livescan source code in case the vendor should become unavailable.