Audit Report on the New York City Department of Parks and Recreation’s Access Controls over Its Computer Systems
EXECUTIVE SUMMARY
This audit was conducted to determine whether the New York City (City) Department of Parks and Recreation (DPR) had adequate system security and access controls in place to protect information in its computerized environment. DPR is responsible for the maintenance of a 30,000-acre municipal park system, which includes most of the City’s parks and playgrounds. It also manages forests and trees (both in the parks and on the street), and provides recreational and educational opportunities for New Yorkers of all ages.
To accomplish its varying tasks and conduct its operations, DPR maintains a computer network used by its employees and consultants to access agency emails and files. DPR also maintains several mission-critical computer applications that are accessible to its network users. Many of those mission-critical applications contain sensitive and private information, which includes names, birthdates, addresses, and other information that is intended for agency use only. DPR is responsible for ensuring that it has policies and procedures in place to protect the information in the agency’s computerized environment.
Audit Findings and Conclusions
The audit found that DPR has established policies, procedures and guidelines for access control, data protection, and security controls to protect information in the agency’s computerized environment. However, we found access-control weaknesses, including a failure to disable the accounts of former City employees and inactive users, which could increase security risks. In addition, DPR did not always implement and enforce applicable City password-expiration and complexity rules for its mission-critical applications. Those rules are intended to allow only authorized users to gain access to City systems.
Further, we found security weaknesses in DPR’s computer environment. Specifically, DPR did not perform the required intrusion-detection and vulnerability scans to identify security weaknesses and threats to the servers located in its data center. In addition, DPR did not have a formal disaster recovery plan for mission-critical applications hosted there. Finally, we noted that the RecWare application DPR uses to manage recreation center memberships and reservations is outdated and no longer supported by the manufacturer. Officials stated that DPR is in the process of replacing RecWare and estimated that the process would take an additional 18 months.
Audit Recommendations
To address the issues raised by this audit, we make 13 recommendations to DPR, including the following:
- Ensure that all user accounts assigned to former employees and employees on long-term leave are promptly disabled.
- Reassess all current users to ensure that they are given access to only those applications necessary to perform their job duties.
- Review and modify current system controls and procedures as needed to ensure that any relevant change in a user’s employment status results in prompt deactivation of the user’s accounts and periodically conduct reviews to identify and deactivate inactive and unnecessary user accounts.
- Ensure that the passwords that provide users with access to DPR applications meet the complexity standards prescribed by the City Department of Information Technology and Telecommunications (DoITT).
- Ensure that the system that replaces RecWare complies with DoITT’s citywide IT security policies, including DoITT’s Password Policy, to prevent unauthorized access.
- Actively monitor its operating systems and applications to detect and prevent intrusions, periodically perform vulnerability scans, and ensure that any vulnerabilities discovered are reviewed and remediated to reduce the risks of potential threats.
- Develop a formal disaster recovery plan for DPR applications that are hosted in the DPR data center and conduct tests to ensure its operational ability in the event of a disaster, emergency, or system failure.
- Promptly resolve the synchronization issue in its tree service application known as FoRMS to ensure that all data is accurate, complete, and consistent.
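The first three recommendations and the password-expiration finding describe a periodic access review: compare each enabled account against HR status, last-login activity, and password age, and produce a list of accounts to disable or reset. The script below is an added illustration of such a review and is not part of the audit report or any DPR or DoITT tooling. The account records are constructed sample data, and the 90-day inactivity and password-age thresholds are assumed values, not DoITT policy figures.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Assumed review thresholds (not DoITT policy values; substitute the real ones).
INACTIVE_DAYS = 90
PASSWORD_MAX_AGE_DAYS = 90

# Which HR statuses should result in an immediate disable (recommendation 1).
DISABLE_STATUSES = {"separated", "long_term_leave"}


@dataclass
class Account:
    """One row of a constructed join between a directory export and an HR feed."""
    username: str
    hr_status: str                 # "active", "separated", "long_term_leave"
    enabled: bool
    last_login: Optional[date]     # None = never logged in
    password_set: date
    entitlements: List[str] = field(default_factory=list)


# Constructed sample data for the review; none of these are real DPR accounts.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "active", True, date(2024, 5, 30), date(2024, 4, 15), ["forms"]),
    Account("rsmith", "separated", True, date(2024, 1, 10), date(2023, 12, 1), ["forms", "recware"]),
    Account("alee", "long_term_leave", True, date(2024, 5, 1), date(2024, 5, 1), ["recware"]),
    Account("mkhan", "active", True, date(2024, 1, 15), date(2024, 5, 20), ["forms"]),
    Account("svc_recware", "active", True, None, date(2022, 1, 1), ["recware"]),
    Account("old_user", "separated", False, date(2023, 6, 1), date(2023, 6, 1), []),
]


def review_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for every enabled account that needs action.

    Reasons are emitted in a fixed order so the output is easy to diff between
    review cycles: HR-status disable first, then inactivity, then password age.
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to do
        reasons: List[str] = []

        if acct.hr_status in DISABLE_STATUSES:
            reasons.append("disable_separated_or_on_leave")
        elif acct.last_login is None or (today - acct.last_login).days > INACTIVE_DAYS:
            # Never-used and dormant accounts are both treated as inactive.
            reasons.append(f"inactive_no_login_in_{INACTIVE_DAYS}_days")

        if (today - acct.password_set).days > PASSWORD_MAX_AGE_DAYS:
            reasons.append("password_expired")

        if reasons:
            findings[acct.username] = reasons
    return findings


def run_review(accounts: List[Account] = SAMPLE_ACCOUNTS,
               today: date = date(2024, 6, 1)) -> Dict[str, List[str]]:
    """Convenience wrapper with a fixed review date so results are reproducible."""
    return review_accounts(accounts, today)


if __name__ == "__main__":
    for user, reasons in run_review().items():
        print(f"{user}: {', '.join(reasons)}")
```

In practice the account list would come from a directory export and the HR status from the personnel system; the point of the join is that a status change on the HR side drives the deactivation on the directory side, which is what the recommendation on employment-status changes asks for.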
Agency Response
In its response, DPR stated that with regard to the audit findings concerning access and security weaknesses, it is “implementing corrective measures to ensure enhanced controls moving forward.” DPR generally agreed with the audit’s 13 recommendations.