Audit Report on the New York City Department of Design and Construction’s Access Controls over Its Computer Systems

December 20, 2019 | SI19-058A

Table of Contents

    Executive Summary

    This audit was conducted to determine whether the New York City Department of Design and Construction (DDC) had adequate security and access controls over its computer environment. DDC manages a design and construction portfolio of the City’s capital program valued at approximately $13.1 billion. As the City’s primary capital construction manager, DDC is responsible for overseeing the construction of many of the City’s civic facilities.

    In its business operations, DDC uses 43 computer applications, 19 of which the agency identified as critical applications, all of which were reviewed in this audit.  DDC’s critical applications may contain public, sensitive, private and confidential information, including contract, budget, and payment information. DDC is responsible for ensuring that it has policies and procedures in place to protect the information stored within the agency’s computerized environment.

    Audit Findings and Conclusions

    The audit found that DDC has established policies, procedures, and guidelines for security and access controls to protect information in its computerized environment. However, we found several weaknesses in certain security and access controls. Specifically, DDC maintains obsolete servers that have not been supported by the manufacturer since 2015. Also, the current DDC data center was constructed over 20 years ago and has been deemed “end-of-life.”  Accordingly, DDC plans to build a new data center and initially informed us that it expected the project to be completed by June 2022. As part of that project, the agency will also assess its current IT infrastructure and replace outdated software and hardware equipment. However, in August 2019, DDC officials informed us that the data center project is on hold and did not provide an estimated timeline to resume and complete the project. In the meantime, DDC’s continued use of obsolete hardware and software that are no longer supported by the manufacturers may compromise its data security and expose the agency to higher maintenance costs and other problems, such as system downtime and business disruption, in its IT-dependent operations.

    In addition, DDC did not conduct an IT risk assessment to identify security weaknesses and potential threats. The agency failed to promptly remediate vulnerabilities that were identified in the NYC DDC Vulnerability Remediation Reports as needed to mitigate the potential security risks. Furthermore, our audit found that user access had not consistently been disabled for inactive user accounts, and for former employees and on-leave employees, which could increase security risks of unauthorized access to the agency’s computerized environment. We further found that DDC did not maintain accurate user profile information, a lapse that may increase the risk that unauthorized users could gain access to the agency’s systems and applications. Finally, DDC failed to comply with Department of Information Technology and Telecommunications’ (DoITT’s) Password Policy for one of its critical applications.

    Audit Recommendation

    To address the above mentioned issues, we made 17 recommendations to DDC, including the following:

    • Promptly update and upgrade all outdated software and hardware that had been identified in its data center review.
    • Develop a plan to timely address the physical and environmental vulnerabilities at the data center until the relocation is completed.
    • Perform a periodic risk assessment of all IT assets to evaluate and address all risks associated with its computer environment.
    • Immediately address and resolve all vulnerabilities identified in the 2019 scan reports and obtain a follow-up vulnerability scan report to confirm that the vulnerabilities have been resolved.
    • Continue to update the Continuity of Operations Plan (COOP) and Disaster Recovery Plan to reflect changes in the agency business operations and computer environment.
    • Ensure that all inactive network user accounts are immediately disabled and periodically review user account activity to ensure that only active users and providers have access.
    • Immediately disable—in its network and critical applications—the user accounts of former employees and employees on long-term leave.
    • Review all user accounts to ensure the information associated with each user is accurate and current.

    Agency Response

    In its response, while DDC addressed each of the audit’s recommendations, it did not clearly state whether it agreed or disagreed with them. DDC stated, “In implementing a comprehensive information technology (‘IT’) strategy, DDC will upgrade legacy project management systems to modern standards and create collaborative tools to empower and link all individuals playing a role in a project.” DDC also stated, “DDC is committed to ensuring that there are adequate controls over computer systems and is pleased the auditors recognized that DDC has established policies, procedures and guidelines for security and access controls to protect information in its computerized environment. As it pertains to the findings concerning certain access and security weaknesses, DDC has been and continues to assess its current IT infrastructure as the agency builds out and upgrades its IT.”

    $242 billion
    Aug
    2022