Audit Report on the New York City Administration for Children’s Services’ Security Controls over Its Personally Identifiable Information at the Division of Preventive Services

EXECUTIVE SUMMARY

This audit was conducted to determine whether the New York City Administration for Children’s Services’ (ACS) Division of Preventive Services (DPS) properly secures personal information from unauthorized access and has adequate security controls over personally identifiable information (PII) that is being collected and stored.

ACS is responsible for protecting the safety and promoting the well-being of New York City’s children and strengthening their families by providing child welfare, child care and early education services. DPS is the unit of ACS that oversees the delivery and monitoring of preventive services for children and families in their communities through contracted service providers. Among its services are in-home family counseling, support groups for parents and youth and homemaking services.

To accomplish its varying tasks, DPS uses several specialized computer applications. The agency’s critical applications may contain PII that is private, sensitive and/or confidential, including names, addresses, social security numbers and medical information. ACS is responsible for ensuring that security controls are in place to protect PII that is collected and stored.

Audit Findings and Conclusions

The audit found that ACS has established policies, procedures and guidelines for access control, data protection and data classification to protect the PII that is collected and stored by DPS. However, we found several weaknesses in the agency’s access controls, including inactive network user accounts that were not disabled and passwords for certain remote user accounts that never expired. In addition, ACS did not comply with the New York City Department of Information Technology and Telecommunications’ (DoITT’s) Password Policy with respect to two critical applications, did not properly monitor external service providers’ access to its critical applications and did not properly limit users’ access privileges in its Preventive Organization Management Information System (PROMIS) application.

Further, we found security control weaknesses in ACS’ computer environment, including an inadequate encryption policy for stored data and the agency’s use of outdated operating systems that the manufacturer no longer supports. ACS provided no evidence that it had addressed reported software vulnerabilities and suspicious activities that required immediate action to prevent potential security breaches, and the agency did not have a formal agency-wide disaster recovery plan for critical applications hosted at ACS’ data center. Finally, our field visits to sites operated by external service providers found insufficient physical security over the PII that the providers collected, stored and disposed of.

Audit Recommendations

To address the issues raised by this audit, we make 17 recommendations to ACS, including the following:

• Ensure that all inactive network user accounts are immediately disabled and periodically review user account activity to ensure that only active users and providers have access.
• Develop and implement strong remote-user access policies and procedures, including but not limited to a password-expiration policy that complies with DoITT’s standards, to ensure that only authorized users have access to ACS’ network.
• Immediately review and reassess all Family Assessment Form System (FAF) and PROMIS user accounts to ensure that each user is currently authorized and needs access.
• Develop a password policy and procedure that requires PROMIS default passwords be changed periodically and comply with DoITT’s Password Policy.
• Ensure that all private, sensitive and confidential information stored in the database and backup tapes is encrypted.
• Assess all hardware and software in use by the agency and ensure that the versions are up to date.
• Review all users’ access to agency information systems and ensure that users are given access to only those features necessary to perform their job duties.
• Develop a formal agency-wide disaster recovery plan for critical applications that are hosted in the ACS data center.
• Properly store client records in locked secure locations with access limited to only authorized personnel.

Agency Response

In its response, ACS agreed with the audit’s 17 recommendations. The full text of ACS’ response is included as an addendum to this report.