Audit Report on the User Access Controls at the Department of Finance

June 26, 2003 | 7A03-133

AUDIT REPORT IN BRIEF

We performed an audit of the user access controls at the Department of Finance (Department). The Department of Information Technology and Telecommunications (DoITT) manages the Department’s system software and hardware and provides software-based controls that help the Department control access to computer systems and to specific data or functions within the systems. The mainframe security program used by DoITT to protect resources such as databases and application programs is Resource Access Control Facility (RACF). For the network environment, such as the Internet and the wide area network, DoITT maintains a secure portal that allows the Department to send and receive information from the Internet and other communications links, such as Citynet. The Department is responsible for assigning RACF user profiles and application controls to specific applications in both the mainframe and network environments.

The Department has adequate controls to protect both its mainframe and network environments. The Department and DoITT have a number of procedures to control data, files, and applications. However, there were several security matters that should be addressed. Specifically, for the mainframe environment, the Department’s information protection policies and procedures are not consolidated in one formal document, and some of the Department’s policies were last updated as far back as 1989. Further, there are no formal procedures in place for identifying and eliminating user IDs for inactive users and individuals who leave City service. Also, the Department does not perform timely reviews and updates of employee system privileges.

At the network level, the Department has no formal information protection policies and procedures for the network environment, and the system does not encrypt credit card information received from the public. Moreover, the Department has no agency virus response plan, and network applications do not automatically suspend inactive user accounts.

To address these issues, we recommend that the Department:

  • Update its information protection policies and procedures, in accordance with Comptroller’s Directive 18. The Department should ensure that these policies and procedures include the network environment.
  • Develop procedures for identifying and eliminating user IDs for inactive users and individuals who leave City service. Immediately review the current list of users and make the appropriate adjustments.
  • Perform timely reviews and updates of employee system privileges.
  • Ensure that all credit card information on the system is encrypted.
  • Immediately develop and implement a formal virus response plan, in accordance with Comptroller’s Directive 18.
  • Modify the network security software to automatically suspend user accounts if they are not used for a specified period of time.