Follow-up Audit of the Department of Correction Local Area Network

June 24, 2002 | 7F02-162

SUMMARY OF FINDINGS AND CONCLUSIONS

This is a follow-up audit to determine whether the Department of Correction (DOC) implemented the seven recommendations made in a previous audit, Audit of the Department of Correction Local Area Network (Audit No. 7A98-140, issued June 15, 1998). The earlier audit focused on DOC’s Local Area Network (DOCNET) and evaluated the adequacy of DOC’s policies and procedures regarding its hardware and software inventory controls, capital project funds recording system, anti-virus measures, and access security controls. The prior audit reported deficiencies in DOC’s inventory control system, recording procedures of the Fixed Asset Inventory Report, virus protection, and access security control system. In our current audit, we discuss the recommendations we made in the previous report, as well as the implementation status of those recommendations. An additional objective was to evaluate DOC’s compliance with Department of Investigation (DOI) system security standards, which require agencies that plan to provide agency-wide Internet access to submit an Internet Security Architecture Plan. We also discuss new findings and recommendations based on our current review.

Of the seven recommendations contained in the previous report, four have been implemented and three have not been implemented. The evaluation of DOC’s compliance with DOI security system standards disclosed that DOC submitted a Security Architecture Proposal to DOI and received approval from DOI. DOC is in the process of developing related forms and documentation. The details of the earlier recommendations and their current implementation status follow. We recommended that:

  1. "DOC’s Manager of PC Support and its Manager of LAN Support purchase an automated inventory control system. The information to be contained in this system should include, but not be limited to, equipment type, manufacturer, model number, serial number, location, asset tag number, and purchase order information."
  2. "DOC’s Executive Director of MIS [DOC’s Management Information Systems group] produce written inventory control procedures for using the new inventory control system to monitor the status of equipment from the time it is received from the vendor until the time it is salvaged."
  3. "DOC’s Purchasing Manager follow the proper procedures to ensure that new equipment is added and maintained on the IFMS [Integrated Financial Management System] Fixed Assets System. He should also ensure that retired/obsolete equipment is removed from the IFMS Fixed Assets System."
  4. "DOC’s Manager of PC Support and its Manager of LAN Support purchase and install a software package that allows them to track the different software applications on the workstations that are connected to the network."
  5. "DOC’s Manager of PC Support and its Manager of LAN Support use the information from the application tracking software, once it has been installed, to ensure that all software applications are properly licensed."
  6. "DOC’s Manager of PC Support and its Manager of LAN Support purchase and install anti-virus software that offers a combination of server and client protection. We informed the above managers of one anti-virus software package that detects viruses on MS DOS products that run on servers with the Open VMS operating system, such as DOCNET."
  7. "DOC’s Data Center Manager and its Systems Programming Manager review all the accounts with special privileges, that they determine the number of accounts that can be removed, and that they remove these accounts."

We now recommend that DOC should:

  1. Record new computer equipment on the Financial Management System (FMS), and remove retired or obsolete equipment from FMS.
  2. Review all accounts with special privileges to the Open VMS Operating System to determine the number of accounts that can be removed, and remove these accounts.
  3. Create a written policy that prevents the illegal copying or pirating of its software and software documentation and that prevents the installation of illegal software on the network.
  4. Review its software inventory and delete all illegal software.
  5. Review and update its inventory policies and procedures.

We conducted this follow-up audit in accordance with generally accepted government auditing standards (GAGAS) and included tests of the records and other auditing procedures considered necessary. This audit was performed in accordance with the City Comptroller’s audit responsibilities as set forth in Chapter 5, § 93, of the New York City Charter.

The matters covered in this report were discussed with officials from DOC during and at the conclusion of this audit. A preliminary draft report was sent to DOC officials and discussed at an exit conference held on May 29, 2002. On May 30, 2002, we submitted a draft report to DOC officials with a request for comments. We received a written response from DOC on June 13, 2002. DOC agreed to implement four of the five recommendations made in this report. With regard to the remaining recommendation, DOC’s response indicated that it reviewed user accounts that had special privileges and that removal was not possible because "to remove any privileges from these accounts would render the systems non-functional." The full text of the DOC comments is included as an addendum to this report.
