Audit Report on the Information System Controls of the Domain Awareness System Administered by the New York City Police Department
Executive Summary
The audit was conducted to determine whether the New York City Police Department (NYPD) complies with its Public Security Privacy Guidelines and whether it has adequate information system security controls over its Domain Awareness System (DAS).
The NYPD enhances the quality of life in New York City (City) by working in partnership with the community and in accordance with constitutional rights to enforce the laws, preserve the peace, reduce fear and provide a safe environment for all residents and visitors to the City. Its Counter Terrorism Bureau works to guard against terrorism threats and includes the Lower Manhattan Security Initiative, a networked surveillance project designed to detect threats and perform preventive surveillance.
In 2007, the NYPD entered into a contract to develop DAS. Currently, DAS incorporates thousands of video cameras (including cameras installed by the NYPD and some belonging to other public and private entities) and hundreds of license plate readers. DAS also provides radiation and chemical alert support for environmental threats. This includes radiation detectors and chemical sensors. In addition, the NYPD has mobile cameras that provide supplemental coverage of short term special events, such as parades and marathons in the City.
NYPD established its Public Security Privacy Guidelines (Guidelines) to protect individual privacy in DAS and safeguard DAS data. The Guidelines also note that DAS cannot be used to target or monitor persons based on racial or religious profiling. The Guidelines further establish policies and procedures to limit DAS use and to provide for limited access to and proper disposition of stored data.
Audit Findings and Conclusions
Our audit found that the NYPD was in compliance with its Guidelines and in general had adequate security controls over its information system. Specifically, the NYPD had adequate procedures to ensure that DAS users were properly authorized, that they received the necessary privacy training before accessing the systems, that videos were not available online beyond the required parameters, and that secondary use requests were required and reviewed to ensure that the NYPD had proper approval oversight for data usage. Further, as part of its DAS oversight, the NYPD conducted weekly meetings with its consultants, who provide system enhancements, program management, quality assurance and maintenance support services for DAS, and with project administrators to provide system status updates and to coordinate system enhancements, such as software upgrades and installing additional cameras. In addition, the NYPD followed its Guidelines with regard to DAS video retention policies and procedures, and the videos were not available online beyond the required parameters. Additionally, the NYPD had effective policies and procedures to protect the privacy of information in DAS.
We did, however, find certain user access control weaknesses. Specifically, we found that there were individuals with access rights to DAS who had not used the system for over three months and some inactive users who had not accessed the system for more than one year. We also found that there were individuals who were no longer NYPD employees whose DAS access had not been deactivated in the system. Finally, we reviewed DAS weekly usage for the three-month period ending March 19, 2015, and noted that a consistent percentage of users did not access the system.
In addition, the NYPD has Integrity Control Officers who are responsible for monitoring DAS user activities. However, during the audit period, we found that the Integrity Control Officers had not been given a standard set of criteria to use when reviewing DAS user activities and that they had other responsibilities outside of DAS.
Finally, we found that some of the video cameras owned and operated by public and private entities that provide video feeds to the NYPD had been offline for over two years. We also found that there were NYPD and non-NYPD video cameras offline each month. This is of concern because if offline or broken video cameras are not reconnected, repaired or replaced as appropriate on a timely basis, DAS will not achieve its planned range of coverage.
Audit Recommendations
The NYPD should:
- Periodically review the status of inactive user accounts and maintain an up-to-date user list.
- Immediately disable the DAS access rights for all former employees.
- Establish standardized criteria for the Integrity Control Officers to use in reviewing DAS user activities.
- Create a centralized oversight unit with staff only responsible for providing oversight of the DAS users to prevent misuse and misconduct.
- Consider potential ways to encourage public and private stakeholders to expedite the offline cameras’ replacement or repair process.
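As an added illustration of the first two recommendations (this is not code from the audit report or from the NYPD), the following Python reconciles a DAS account list against an HR roster of current employees, flagging accounts belonging to former employees and accounts idle for more than three months or more than one year, and computes the weekly share of accounts that did not access the system. The account records, employee IDs, dates and the 90-day and 365-day thresholds are constructed assumptions.

```python
from datetime import date

# Constructed sample data, not taken from the audit: DAS accounts with their
# last login and owning employee, plus the HR roster of current employees.
DAS_ACCOUNTS = {
    "u1001": {"employee_id": "E1", "last_login": date(2015, 3, 18)},
    "u1002": {"employee_id": "E2", "last_login": date(2014, 11, 1)},   # idle > 3 months
    "u1003": {"employee_id": "E3", "last_login": date(2013, 12, 31)},  # idle > 1 year
    "u1004": {"employee_id": "E9", "last_login": date(2015, 3, 1)},    # E9 has left
    "u1005": {"employee_id": "E5", "last_login": None},                # never used
}
CURRENT_EMPLOYEES = {"E1", "E2", "E3", "E5"}
AS_OF = date(2015, 3, 19)        # end of the usage window cited in the audit
WEEK_START = date(2015, 3, 13)   # start of the last review week (assumed)

def review_accounts(accounts, current_employees, as_of, idle_days=90, stale_days=365):
    """Bucket each account the way the audit did: owner no longer employed,
    never used, idle for more than a year, or idle for more than three months."""
    findings = {"former_employee": [], "never_used": [],
                "idle_over_year": [], "idle_over_quarter": []}
    for user_id, rec in sorted(accounts.items()):
        if rec["employee_id"] not in current_employees:
            findings["former_employee"].append(user_id)  # disable regardless of activity
            continue
        last = rec["last_login"]
        if last is None:
            findings["never_used"].append(user_id)
        elif (as_of - last).days > stale_days:
            findings["idle_over_year"].append(user_id)
        elif (as_of - last).days > idle_days:
            findings["idle_over_quarter"].append(user_id)
    return findings

def deactivation_list(findings):
    """Accounts to disable now: former employees first, then stale and never-used accounts."""
    return findings["former_employee"] + findings["idle_over_year"] + findings["never_used"]

def inactive_share(accounts, week_start, week_end):
    """Fraction of accounts with no login in [week_start, week_end] (weekly usage measure)."""
    def active(rec):
        last = rec["last_login"]
        return last is not None and week_start <= last <= week_end
    inactive = sum(1 for rec in accounts.values() if not active(rec))
    return inactive / len(accounts)

if __name__ == "__main__":
    found = review_accounts(DAS_ACCOUNTS, CURRENT_EMPLOYEES, AS_OF)
    print("deactivate now:", deactivation_list(found))
    print("inactive share this week:", inactive_share(DAS_ACCOUNTS, WEEK_START, AS_OF))
```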
Agency Response
The NYPD generally agreed with the report’s findings and recommendations. However, the NYPD took exception with the audit finding that “[n]eglecting to deactivate User IDs for former users increases the vulnerability of DAS information.” The NYPD in its response stated that the credentials for NYPD’s computer network (known as “Finest”) “are unique user names and passwords issued to each member of the service or employee. Only after an employee’s Finest credentials are validated, can an authorized user access DAS. At the conclusion of an employee’s service, his or her Finest credentials are immediately invalidated. Consequently, a former employee would not even be able to access the Department network, let alone access DAS.”
The full text of NYPD’s response is included as an addendum to the report.