Audit Report on the Security Accreditation Process at the Department of Information Technology and Telecommunications

October 13, 2010 | 7A10-112


AUDIT REPORT IN BRIEF

The Department of Information Technology and Telecommunications (DoITT) is the City’s Information Technology (IT) utility, ensuring the sustained, efficient delivery of IT infrastructure, telecommunications, and IT services. It transforms the way the City interacts with its residents, businesses, visitors, and employees by leveraging technology to improve services and increase transparency, accountability, and accessibility across all agencies. DoITT supports the technical and administrative functions of the City’s 311 Customer Service Center, which provides the public with information and services for more than 300 agencies and organizations; it maintains the City’s official website, NYC.gov; and it manages the City’s television and radio stations. DoITT is home to the Citywide Geographic Information Systems Unit, which develops and hosts a digital base map used to support City operations. In June 2004, Mayor Bloomberg focused his administration’s efforts on using business strategies and relevant technology to make government more accessible, responsive, and accountable to its citizens. DoITT was directed to work closely with City agencies to manage and assist in this initiative. [1]

DoITT issued its Security Accreditation Process (SAP) in July 2007. SAP requires that all City-wide applications be built in a secure fashion, and it is a key control in ensuring the integrity of the City’s data processing systems and the security, reliability, and validity of the data contained therein. SAP outlines key steps to be followed and critical tests to be performed during the development of new City-wide systems or major changes made to any existing City-wide systems. If followed, SAP will help to ensure that the data contained in the systems is secure and protected and that the systems are operating in a secure environment.

Audit Findings and Conclusions

DoITT has a policy in place for its SAP. DoITT coordinates with agencies during the SAP to ensure that all City agencies comply with IT security policies. DoITT’s standards and framework provide reasonable assurance that City resources are adequately safeguarded. However, DoITT lacks the enforcement powers necessary to prevent an agency from deploying a new application without submitting it to the SAP.

DoITT follows the SAP to ensure that City applications are adequately safeguarded. However, we found process weaknesses for two sampled applications that were accredited with exceptions. In these instances, DoITT did not have all of the documentation required for the SAP. DoITT informed us that it accredited these two applications through its in-house certifications, but DoITT has not provided us with a formal procedure for the in-house certification process. Additionally, DoITT indicated that when an application is accredited with exceptions, it does not have the resources to ensure that the exceptions are followed up and corrected. Finally, DoITT can only decline accreditation; it lacks the authority to prevent City agencies from deploying unaccredited applications into production.

Audit Recommendations

To address these issues, we make eight recommendations. DoITT should:

  • Perform a Citywide risk assessment of applications that have not participated in the Security Accreditation Process.
  • Contact those agencies whose systems pose the most critical risk and request that they submit applications for the Security Accreditation Process.
  • Request assistance from the Mayor’s Office of Operations in directing agencies to participate in the Security Accreditation Process.
  • Ensure that all documentation relating to the security accreditation requests for all applications be submitted and maintained.
  • Develop a formal Security Accreditation Process for in-house certifications.
  • Ensure that security issues found in applications with exceptions are followed up and corrected by the agencies.
  • With the assistance of the Mayor’s Office of Operations, require that agencies participating in the SAP follow all Citywide security standards and security policies to ensure that applications are operating in a secure environment.
  • Enhance its Security Accreditation Process procedures to ensure all agencies deploy an application only after it has been accredited by DoITT.

[1] Sister City White Paper: Technology Initiatives in New York City, June 2004
