Audit Report on the New York City Police Department Data Center

August 14, 2006 | 7A06-093

Table of Contents

    AUDIT REPORT IN BRIEF

    This office performed an audit on the New York City Police Department (NYPD) data center. The Management Information Systems Division (MISD) is responsible for the data center computer operations that provide information to the entire NYPD. The data center provides data-processing operations for the NYPD Local Area Networks (LAN) and mainframe computers. The data center also maintains and supports more than 35 computer applications. MISD is responsible for implementing and periodically testing the disaster-recovery plan of the data center.

    NYPD has adequate physical security controls that allow only authorized MISD staff members and other approved NYPD personnel access to the data center. MISD also monitors data-center activities 24 hours a day, 7 days a week, as required. NYPD has system security policies and procedures in place. In addition, it has a formalized disaster recovery plan, and this plan is periodically tested. NYPD has also hired an outside vendor to provide an alternate processing site and disaster-recovery services in the event of an operational disaster at or affecting the data center.

    However, there are four control weaknesses that should be addressed. Specifically, some inactive user accounts have not been disabled or deleted; the uninterruptible power supply (UPS) lasts only 12 minutes, which may not be a sufficient amount of time for the backup generators to be turned on in the event of a disaster; backup tapes, while stored off-site, are not properly secured in a restricted access area of the premises; and the Department of Investigation (DOI) has not reviewed or approved the NYPD Internet plan, as required.

    To address these issues, we recommend that NYPD:

    • Ensure that it is following its policy and procedure for reviewing and terminating inactive users and users who have left City service.
    • Adhere to DOI policies, directives, and standards, and contact DOI to review and approve its Internet security plan and ascertain that the controls in place are effective.
    • Establish and implement procedures to document the Internet activities, the traffic passing through the firewalls, and the penetration-test results.
    • Increase the time that the UPS units operate to provide additional time for manual activation of the backup generators in the event of an emergency.
    • Store backup tapes in a restricted and secure area.
    $242 billion
    Aug
    2022