Audit Report on the New York City Police Department’s Mainframe Data Center

June 5, 2002 | 7A02-156

EXECUTIVE SUMMARY

The New York City Police Department’s (NYPD) mission is to protect lives, safeguard the property of City residents and visitors, and maintain civil order. NYPD responds to emergencies, disasters, and crime reports; apprehends criminals; processes fire and medical emergency calls; maintains order at public events and demonstrations; enforces car traffic and parking rules; and performs community services in areas of public school safety, general public safety, crime prevention, family disputes, domestic violence, quality of life, and social service agency referrals.

NYPD uses three mainframe computers: A single-processor mainframe computer system supporting the mission-critical Special Police Radio Inquiry Network (SPRINT) computer-assisted dispatching system for response to the public’s emergency "911" calls; and a dual-processor mainframe computer system for processing more than 50 other (i.e., non-SPRINT) mission and administrative support applications. NYPD’s Management Information System Division (MISD) is responsible for the data center operations, as well as for developing, implementing, and periodically testing the data center’s disaster recovery plans.

Our audit objectives were to: review the adequacy of the data center’s physical security and computer system security, and determine whether computer operations and contingency plans are adequate and have been tested in compliance with applicable federal and City guidelines.

Audit fieldwork began in March 2002 and ended in April 2002. To meet our objectives, we: interviewed agency personnel; toured the data center and examined its physical security; reviewed and analyzed the data center’s data security controls; reviewed and analyzed the data center’s operating policies; reviewed and evaluated NYPD’s Disaster Recovery Plan for SPRINT; reviewed and evaluated NYPD’s procurement documentation for a Disaster Recovery Plan covering the non-SPRINT computer operations; and reviewed and tested NYPD compliance with certain federal and City guidelines.

NYPD has adequate physical security controls, computer system controls, and operational and general controls in place to ensure that the data center is adequately safeguarded. Physical security at the data center is above standard. Data backup is performed and computer operating statistics are regularly reviewed for problems. In addition, detailed system downtime reports are maintained, which allows management to correct systemic problems.

However, NYPD does not have formal test procedures for its SPRINT system’s Disaster Recovery Plan, and it has not fully implemented a Disaster Recovery Plan for its non-SPRINT computer operations. We made two recommendations, that NYPD officials should:

  • Establish formal testing procedures as part of SPRINT’s Disaster Recovery Plan. Specifically, NYPD should:
      • Determine the proper test frequency and establish a test schedule;
      • Develop test objectives and establish individual participant assignments;
      • Document the test results, including notations of any changes to hardware and software configurations; and
      • Implement a formal test result review process to address any open issues.
  • Attempt to expedite the approval process of the contracting for the non-SPRINT disaster recovery services by ensuring that all necessary items for approval are in place. In this regard, NYPD should contact each approval agency to emphasize the importance of this backup system and to determine what information that agency still needs to receive before it approves the contracting.

The matters covered in this report were discussed with officials from NYPD during and at the conclusion of this audit. A preliminary draft was sent to NYPD officials and discussed at an exit conference held on May 7, 2002. On May 8, 2002, we submitted a draft report to NYPD officials with a request for comments. We received a written response from NYPD on May 28, 2002. NYPD agreed with the audit’s findings and recommendations.
