Follow-up Audit Report on Department of Juvenile Justice Data Centers
AUDIT REPORT IN BRIEF
This follow-up audit determined whether the New York City Department of Juvenile Justice (DJJ) implemented recommendations made in a previous audit of the agency’s data centers. In this report, we discuss in detail the seven recommendations from the prior audit, as well as the implementation status of each recommendation.
In Fiscal Year 2002, the Comptroller’s Office conducted an audit to evaluate the adequacy of the data centers’ disaster recovery plans, program-change control procedures, data security procedures, physical security procedures, and operational procedures to protect DJJ computer assets and information. The audit also determined whether the agency complied with the Comptroller’s Internal Control and Accountability Directive 18, "Guidelines for the Management, Protection and Control of Agency Information and Information Processing Systems."
Of the seven recommendations in the prior audit, DJJ has implemented five and partially implemented one; one recommendation is no longer applicable. In addition, this audit identified weaknesses in access controls over DJJ’s network.
To address the unresolved issue from the prior audit, DJJ should:
- Include in its policies and procedures a list of individuals responsible for network program changes, disaster recovery, and security issues.
To address the new issue identified during this audit, DJJ should:
- Develop written policies and procedures for removing multiple user IDs, inactive IDs, and IDs of individuals no longer working for the agency.
- Require that its personnel department notify MIS of those employees leaving the agency so that their user IDs can be removed from the system.