Audit Report On The New York City Department Of Environmental Protection’s Access Controls Over Its Computer Systems At The Bureau Of Water And Sewer Operations

June 26, 2019 | SI19-061A


Executive Summary

This audit was conducted to determine whether the New York City (City) Department of Environmental Protection’s (DEP’s) Bureau of Water and Sewer Operations (BWSO) had adequate system security and access controls in place to protect the information in its computer environment.  DEP’s BWSO provides the City with reliable, environmentally sustainable, and cost-effective distribution of clean water, collection of wastewater, and management of storm water while assuring the integrity of the sewer infrastructure.

To accomplish its business operations, BWSO uses five mission-critical applications which may contain public, sensitive, private, and confidential information.  DEP is responsible for ensuring that it has policies and procedures in place to protect its IT assets and the information stored within its computerized environment.

Audit Findings and Conclusions

The audit found that DEP has established policies, procedures, and guidelines for access controls and security controls to protect information in its computerized environment.  However, we found weaknesses in certain of those access and security controls.  Specifically, user access had not been disabled for inactive users and former City employees, which could increase security risks.  Also, for two BWSO mission-critical applications, DEP did not implement and enforce the Department of Information Technology and Telecommunications’ (DoITT’s) password expiration and complexity rules, which are intended to allow only authorized users to gain access to City applications and systems.

In addition, DEP did not perform intrusion detection and vulnerability scans to identify security weaknesses and threats to the servers located in its data center.  Furthermore, DEP did not develop and implement a formal agency-wide business continuity and disaster recovery plan to prevent the loss of critical information and operational ability in the event of a disaster or system failure.  Finally, DEP maintained outdated servers that have not been supported by the manufacturer since 2015.

Audit Recommendations

To address the issues, we made 16 recommendations to DEP, including the following:

· Reassess its current user accounts to ensure that users are given access only to those applications which are authorized and necessary for them to perform their job duties.

· Immediately disable user accounts of former and inactive employees in all of its network and applications.

· Reassess and revise its current policy to ensure that users are positively authenticated and authorized to access its network and applications.

· Reassess all generic accounts in or connected to its computer environment and replace them with unique user accounts for which each individual user is identified and accountable.

· Enforce and update user accounts to include all essential fields required by DEP’s User Account Creation procedure.

· Enforce the 15-minute inactivity logoff rule for all of BWSO’s mission-critical applications.

· Periodically perform system intrusion and vulnerability scans to ensure that any vulnerabilities discovered are reviewed and remediated to reduce the risks of potential threats.

· Perform periodic risk assessments of all mission-critical applications.

· Develop a formal business continuity plan and disaster recovery plan for all mission-critical applications.

· Enforce DEP’s Internet Usage Policy to ensure that all unauthorized software downloads are denied.

Agency Response

In its response, DEP stated, “We have reviewed the Report and agree with many of the findings and recommendations.”  DEP also stated that it “will work to implement any appropriate recommendations contained in the final report.”  However, DEP did not specifically address certain recommendations by stating whether it agreed or disagreed with them, and the agency stated that it had concerns with several audit findings and associated recommendations, including those relating to the lack of vulnerability scans and the continued existence of active user accounts of former and on-long-term-leave employees involving the agency’s network and one or more applications.  As stated in the report, DEP did not provide documentation to support its assertions concerning these findings and recommendations, and therefore we find no basis to change them.  The full text of DEP’s response is included as an addendum to this report.
