Audit Report on the New York City Department of Citywide Administrative Services’ Access Controls over Its Computer Systems
June 27, 2017 | SI17-085A
This audit was conducted to determine whether the New York City Department of Citywide Administrative Services (DCAS) has adequate system security and access controls in place to protect information in its computer environment.
DCAS performs a wide range of administrative functions for other New York City government agencies. Among other things, DCAS supports City agencies’ personnel needs; designs and administers civil service exams; manages City-owned buildings; procures goods and services; and manages City vehicles. In Fiscal Year 2016, it had 2,179 employees.
To meet its varying responsibilities, DCAS maintains a computer network that is used by DCAS employees, consultants and interns for email and to access department files. It also maintains specialized applications that are used by the public, DCAS network users (employees, interns and consultants), and personnel in external City agencies. Several applications maintained by DCAS contain confidential and private information. To ensure the requisite level of security, it is essential that DCAS maintain adequate access controls, such as user-authorization, identification, authentication, access‑approval and login credentials. DCAS is responsible for ensuring that it has policies and procedures in place to protect information in the agency’s computerized environment.
Audit Findings and Conclusions
The audit found that DCAS has established adequate controls for application access, data protection, and sufficient data classification guidelines to protect information in the agency’s computerized environment. However, we found weaknesses in DCAS’ access and security controls. Specifically, user access had not been disabled for inactive users and former City employees, which could increase security risks. In addition, DCAS’ list of agency liaisons—designated officials in other City agencies responsible for authenticating those agencies’ users and their roles in relation to one of DCAS’ mission-critical, multi-agency application—had not been adequately monitored and updated. Further, DCAS did not implement and enforce the City Department of Information Technology and Telecommunications’ (DoITT’s) password expiration and complexity rules that are intended to allow only authorized users to gain access to City IT systems.
Finally, DCAS lacks a formal agency-wide business continuity plan and a disaster recovery plan for its applications. Currently, DCAS is unable to provide business continuity for its mission-critical application, Direct Order Online. DCAS anticipates resolving that issue by migrating the application from the DCAS data center to DoITT by April 2018. DCAS is vulnerable to the loss of mission-critical information in the case of a catastrophic event or emergency until the issue is resolved.
To address these issues, we make 10 recommendations to DCAS:
- Ensure all former and inactive employees’ accounts are immediately disabled and that periodic reviews are conducted to identify and deactivate the accounts of former employees.
- Develop a process that regularly reviews user activity, identifies inactive users, and disables inactive accounts promptly.
- Maintain an up-to-date external user list to properly monitor its network user accounts.
- Reassess its current list of Direct Order Online users to ensure that each user is currently authorized and needs access.
- Immediately communicate with each City agency that uses the Direct Order Online application to update their liaison information.
- Develop a procedure to ensure that the identities of Direct Order Online liaisons are promptly updated by the City agencies when changes occur.
- Develop a password policy and procedure for its applications that complies with DoITT standards to prevent the risk of unauthorized access.
- Periodically perform vulnerability scans for its applications to reduce potential threats.
- Assign a manager who will be responsible for scheduling scans and ensuring that vulnerability tickets are reviewed, remediated, and closed.
- Develop a formal business continuity plan and consider developing a disaster recovery plan for the mission-critical applications that are within DCAS data center pending their anticipated migration to DoITT.
DCAS agreed with nine of the audit recommendations and partially agreed with one recommendation to reassess the current list of Direct Order On-Line user access.