Follow-up Audit Report on Data Processing Controls and Procedures of the Administration for Children’s Services
SUMMARY OF NEW FINDINGS AND RECOMMENDATIONS
This follow-up audit determined whether the New York City Administration for Children’s Services (ACS) implemented recommendations made in a previous audit entitled Audit of the City of New York’s Administration for Children’s Services Data Processing Controls and Procedures (Audit # 7A00-151, issued January 9, 2001). The earlier audit determined the adequacy of the Data Center’s disaster recovery plans, program change control procedures, data security procedures, physical security procedures, and operational procedures for protecting ACS computer assets and information, and the agency’s compliance with the Comptroller’s Internal Control and Accountability Directive #18, "Guidelines for the Management, Protection and Control of Agency Information and Information Processing Systems." In this current audit, we discuss the recommendations we made earlier, as well as the implementation status of those recommendations. We also discuss new findings and recommendations based on our current review.
In the previous audit, we made 18 recommendations to ACS, of which six have been implemented, three have been partially implemented, and nine have not been implemented. The details of these recommendations and their implementation follow.
- "ACS MIS [Office of Management Information Services] should develop and implement a disaster recovery plan that is in full compliance with Comptroller’s Directive #18. This would include maintaining an off-site location for storing backup data."
- "ACS MIS should update the plan on an as-needed basis, as required by Comptroller’s Directive #18."
- "ACS MIS should conduct a comprehensive test of the plan on an annual basis, as required by Comptroller’s Directive #18."
- "ACS MIS should create a formalized change control program that fully meets the standards of Comptroller’s Directive #18 and the GAO Federal Information Systems Controls Audit Manual."
- "ACS MIS should develop security procedures that ensure that non-ACS Cisco Secure users who resign, or are terminated, from their agency have their privileges immediately revoked when such changes in employment occur."
- "Data security staff should set proper security features for remote dial-in users (i.e., activate the Callback function, restrict time of access, etc.)."
- "ACS MIS should issue network security control reports. Those reports should be generated by the systems security staff on a regular basis and should include such security violations as unsuccessful attempts to remotely access ACS computer networks, the passwords used in those attempts, and the times of access and times of attempts to access the ACS networks."
- "ACS MIS should review all the ACS Enterprise network accounts with special privileges, determine the number of accounts that can be removed, and remove those accounts."
- "ACS MIS should establish fire safety and fire control procedures. All staff members should be trained in following such procedures."
- "ACS MIS should install smoke detectors in the Data Center, both on the ceiling and under all raised floors, and should train the staff in locating and maintaining them."
- "ACS MIS should install a system that will determine when a smoke detector is activated, and notify appropriate emergency personnel."
- "ACS MIS should periodically test all fire extinguishing equipment and smoke detectors in the Data Center for readiness in case of fire."
- "ACS should secure the Data Center room against environmental risks. A possible solution, short of relocating the Data Center to a new and safer location, would be to wall in the windows of the Data Center room."
- "ACS MIS should use formal property pass procedures to keep track of, and ensure that, the removal of ACS MIS property (equipment, tapes, and supplies) is properly authorized, tracked, and accounted for."
- "ACS should conduct annual inventory reconciliation procedures for all computer equipment it uses."
- "ACS should establish an individual property identification tag for each unit of computer equipment it owns."
- "ACS should identify and maintain an inventory of the automated systems and software products that support each business function, including the numbers and types of software licenses in use."
- "ACS should conduct annual inventory reconciliation procedures for all software licenses it uses."
To address the issues that still exist, we now recommend that ACS should:
- Implement the disaster recovery plan and update the plan on an as-needed basis. Once the plan is implemented, conduct a comprehensive test of the plan and schedule annual tests, as required by Comptroller’s Directive #18.
- Require that MIS personnel record all system changes in a log. The log should indicate what feature was modified and the reason for the modification.
- Activate the callback function contained in the Cisco software.
- Install smoke detectors in the Data Center, both on the ceiling and under all raised floors, and train Data Center staff in locating and maintaining them.
- Ensure that the Data Center is equipped with an operating fire suppression system, in accordance with Comptroller’s Directive #18.
- Conduct an annual inventory reconciliation of all computer equipment.
- Affix identification tags to all of its computer equipment.
- Maintain an inventory list of computer applications and software indicating the number of licenses held for each software item.
- Conduct an annual inventory reconciliation of all of its software licenses.
ACS does not ensure that users periodically change their Cisco and Microsoft Windows NT passwords and that the accounts of terminated employees are deactivated. ACS also allows users unlimited login attempts from remote sites. In addition, ACS does not monitor the activities of its 17 Domain Administrators, who have access to the most critical network functions and data. Finally, although ACS generates monthly reports of successful and failed remote logins, it has not developed procedures for reviewing these reports.
To address these new issues, we recommend that ACS should:
- Ensure that passwords are changed at predetermined intervals.
- Establish and implement formal procedures for deactivating system access of terminated employees.
- Disconnect remote access of users after a specified number of failed login attempts.
- Monitor the activities of users with Domain Administrator access in accordance with Comptroller’s Directive #18.
- Develop and implement procedures for reviewing, investigating, and reporting failed remote logins, in accordance with Comptroller’s Directive #18.
The matters covered in this report were discussed with ACS officials during and at the conclusion of this audit. A preliminary draft report was sent to ACS officials and discussed at an exit conference held on April 29, 2003. On April 30, 2003, we submitted a draft report to ACS officials with a request for comments. We received a written response from ACS on May 19, 2003.
In its response, ACS agreed to implement 13 of the report’s 14 recommendations. ACS did not agree to implement our recommendation to activate the call back function contained in the Cisco software. In that regard, ACS stated that "the call back function has not been implemented since staff must travel to multiple locations and this function will not work due to its static nature."