Audit Report on the Development and Implementation of the NYCServ-Taxi Application Administered by the Office of Administrative Trials and Hearings

June 16, 2016 | SI15-122A

EXECUTIVE SUMMARY

We audited the NYCServ-Taxi application administered by the Office of Administrative Trials and Hearings (OATH) to determine whether the application meets the overall goals as stated in the system specifications, has adequate functions to ensure the information process is reliable, and is secure from unauthorized access.

OATH is an administrative tribunal created by the City of New York (City) to independently adjudicate the disposition of certain City-issued civil violations and administrative claims.  Its mission is to provide fair and unbiased administrative trials and hearings to New York City residents, businesses and City agencies.  The OATH Hearings Division consists of the Environmental Control Board Tribunal (ECB), the OATH Taxi & Limousine Tribunal (TLT) and the OATH Health Tribunal.  The OATH Taxi & Limousine Tribunal holds hearings on summonses issued by the New York City Taxi & Limousine Commission (TLC), the City’s Police Department (NYPD) and the Port Authority of New York and New Jersey for alleged violations of TLC and other City rules.

In 2013, OATH implemented a new $1.5 million electronic file and case management application called NYCServ-Taxi.  Although the application is fully operational, further periodic enhancements are planned, including an electronic interface with the Taxi & Limousine Commission’s computer environment.[1]  Currently, adjudicated and reviewed results are manually entered into TLC systems by OATH’s data entry personnel.

Audit Findings and Conclusion

Our audit found that the overall goals of the NYCServ-Taxi application as stated in the system specifications have generally been met.  In addition, the audit found that the application has adequate functions and controls to ensure that the information processed is reliable.  Further, the audit found that the application, which is Intranet-based (that is, accessible through a web browser, but used primarily on the internal network of an organization), has restricted internal access, and has been generally secured from unauthorized external access.

However, the audit also found that the NYCServ-Taxi application has internal security weaknesses that require additional system modifications and controls to remediate risks.  Specifically, the audit found the following areas of security weakness in the NYCServ-Taxi application: Microsoft Windows password complexity has not been enabled; web server security updates are not current; there are application access control vulnerabilities; and Personally Identifiable Information (PII) is exposed.

Audit Recommendations

The audit made the following 10 recommendations:

  • Coordinate with the Department of Information Technology and Telecommunications (DoITT) to enable password complexity in the Microsoft Windows environment to protect the computer system and the applications it hosts.
  • Test the updates to ensure their compatibility with the NYCServ-Taxi application, and apply the necessary security updates to the Web server in order to strengthen its security posture.
  • Implement an enterprise patch management solution (e.g., Symantec, McAfee, Trend Microsystems) to ensure that the latest security patches and updates are applied.
  • Take necessary steps to test future web server upgrades and then plan ahead to make necessary upgrades.
  • Remediate the NYCServ-Taxi application to prevent unauthorized internal access by URL manipulation.
  • Restrict access to NYCServ-Taxi web pages that provide administrator-level functions intended for management to authorized users only.
  • Guard against similar deficiencies (web pages vulnerable to URL manipulation) in future application development projects by incorporating the necessary steps into its Quality Assurance and Testing program.
  • Comply with the DoITT Data Classification Policy to guide its employees and reduce the risk of collecting and storing PII in the NYCServ-Taxi application.
  • Review the NYCServ-Taxi application data for PII and remove, block, or shield the information from unauthorized disclosure.
  • Employ proper encryption methods to protect PII that is stored on the hard drives of computer systems or other network storage devices.

Agency Response

In its response, OATH generally agreed with the first three of four areas of audit findings and recommendations.  OATH stated that it has taken appropriate action to alleviate and remediate the reported risks regarding internal security weaknesses.  With regard to the findings and recommendations relating to Personally Identifiable Information (PII) exposure, OATH stated that it does not consider data collected by the NYCServ-Taxi application to be private data.  In addition, OATH stated that, to the degree it retains scanned images that require heightened security, it has adequate procedures in place to ensure these images are secure.

_____________________________________________________
[1] Enhancements include modifications to the application to accommodate periodic changes in the law, as well as the addition of new features and functions to the application.
