Audit Report on the Security Controls at the New York City Department of Sanitation over Its Computer Systems

Executive Summary

We audited the New York City Department of Sanitation’s (DSNY’s) security and access controls over its computer systems to determine whether DSNY had adequate critical system security and access controls in place to protect the information in its computerized environment.

DSNY is the world’s largest sanitation department, collecting more than 10,500 tons of residential and institutional garbage and 1,760 tons of recyclables every day.  DSNY also clears litter, snow, and ice from some 6,500 miles of streets, removes debris from vacant lots, and clears abandoned vehicles from City streets.  The Department has a workforce of nearly 10,000 employees and utilizes approximately 6,000 vehicles to fulfill its critical mission.

As part of its operations, DSNY uses 136 computer applications, and has identified 10 of them as critical.  This audit examined those 10 critical applications and 10 other randomly selected non-critical applications.^[1] DSNY describes critical applications as “applications that are core to the operation of a business, and need to be operating properly whenever the business is operating.  Failure or disruption of a critical system will result in serious impact or failure of the business operations.” 

Audit Findings and Conclusions

The audit found that DSNY has implemented controls for application access and data protection, and has implemented security controls to protect its computerized environment.  However, we found weaknesses in certain access and security controls.  Specifically, with regard to access controls, DSNY did not deactivate or disable the application user accounts of 583 former or on-leave employees.  The audit also found weaknesses in application security controls including: use of generic login IDs; use of passwords that do not expire after 90 days; use of passwords that do not comply with password length and complexity rules; use of an application that does not lock out after consecutive failed logons; and the use of an insecure network protocol in web-based applications.

Further, we found that the hand-held devices use unsupported hardware and software, and store unencrypted information in a removable memory card.  In addition, we found that one critical application stores scanned documents without protection.  Further, we found that the agency has not conducted vulnerability scans on three critical applications, and the network vulnerability scans it has run produce reports that are unreliable.  Lastly, we note that DSNY has fully implemented only two out of seven recommendations from a security assessment it obtained from a third party vendor in 2016.

During the audit and the exit conference on February 8, 2019, DSNY officials informed us of certain steps they are taking to address the issues identified in the audit, which are described in this report. 

Audit Recommendations

To address the above mentioned issues, we make the following 12 recommendations to DSNY:

• Immediately disable former and inactive employees’ user accounts in all of its applications and implement procedures to ensure that going forward frequent periodic reviews are conducted to promptly identify and disable the application user accounts of former and inactive employees.
• Remove all generic logins from its application and replace them with unique user logins, each of which identifies and is issued only to an individual employee or other authorized user.
• Update the three applications to comply with DoITT’s 90-day password expiration requirement.
• Comply with DoITT’s Password Policy to ensure that passwords that provide access to its applications meet the prescribed standards for length (minimum-number-of characters) and complexity.
• In accordance with DoITT standards, ensure that user accounts are locked and remain locked for a minimum of 15 minutes after five sequential invalid login attempts.
• Complete the roll-out of the new hand-held devices and decommission old ones, as planned, to address the security risks posed by the use of outdated and unsupported hardware and software from the old hand-held devices in use as of the date of this report.
• Ensure that data encryption and security features are enabled in all new hand-held devices to protect the data they store and transmit.
• Ensure all web-based applications utilize the secure HyperText Transfer Protocol Secure (HTTPS).
• Ensure all scanned documents are protected with encryption.
• Periodically conduct necessary vulnerability scans of critical applications, address any vulnerabilities found, and conduct a follow up scan to confirm vulnerability remediation, as directed in DoITT’s Vulnerability Management Policy.
• Test all vulnerability scanning tools to assess the reliability of the scanning results, and correlate the results from vulnerability scanning tools with the output of other security tools, as recommended by the National Institute for Standards and Technology (NIST).
• Ensure that the third-party vendor recommendations made in the 2016 security assessment report are implemented

Agency Response

In its response, DSNY generally agreed with 7 of the 12 recommendations and partially agreed with 2 recommendations.  At the same time, DSNY took issue with some findings in this report.  However, DSNY stated, “The audit report identified weakness that need to be addressed to protect the information in DSNY’s computerized environment.  We will continue working to improve our system security and access controls and to incorporate your recommendations where practical.”

The full text of DSNY’s response, redacted only to exclude the names of specific systems due to the sensitivity of the information contained in this report, is included as an addendum to the report.

[1] The critical and non-critical application names and descriptions were not included in the final version of this report due to the sensitivity of the information and the potential risk associated with the release of such information.