Follow-Up Audit Report On The Department Of Buildings Data Center
AUDIT REPORT IN BRIEF
This follow-up audit determined whether the Department of Buildings (DOB) implemented the 13 recommendations made in a previous audit entitled Audit Report of the Department of Buildings Data Center (Audit No. 7A02-062, issued April 2, 2002). In this report, we discuss the 13 recommendations from the prior audit in detail, as well as the implementation status of each recommendation.
The earlier audit reviewed the adequacy of the Data Center’s physical and system security and also determined whether computer operations and contingency plans were adequate and tested in accordance with Comptroller’s Directive #18 (Directive #18) and the Federal Information Processing Standards (FIPS). That audit found a number of weaknesses including the following: the Data Center was not monitored on a 24-hour basis, smoke detectors and a fire extinguishing system had not been installed, and the Data Center was not adequately protected from a loss of power. Moreover, DOB had not installed an automated time-out feature on its network; it had not disabled the log-in access of inactive employees; and it had not established formal procedures for documenting, reviewing, and following up on network security violations. Finally, DOB did not have a complete, approved, and tested disaster recovery plan.
Audit Findings and Conclusions
Of the 13 recommendations made in the previous audit, DOB implemented four, partially implemented four, and did not implement five. The issues that remain unaddressed include: the lack of surveillance cameras or a security alarm at the Data Center; the lack of a backup generator dedicated to the Data Center; the failure to deactivate the user IDs of employees who no longer work for the agency; the lack of procedures, developed with the Department of Information Technology & Telecommunications (DoITT), for documenting and reporting mainframe access violations and failed log-in attempts; and the non-completion of the alternative-processing site.
Audit Recommendations
To address the issues that still exist, we make the following recommendations, some of which we made in our earlier report. DOB should:
- Install surveillance cameras or a security alarm in the Data Center to monitor the facility on a 24-hour, 7-day-a-week basis.
- Install a backup generator specifically for the Data Center.
- Install an automatic time-out function on its network to lock workstations after a specified period of inactivity on the system.
- Ensure that the IT Unit promptly deletes the accounts of terminated employees.
- Promptly delete inactive and disabled user IDs.
- Establish formal procedures with DoITT to document and report mainframe access violations, and review and follow up on all reported access violations.
- Establish formal procedures to document and report network access violations and review and follow up on all reported violations.
- Periodically test the disaster recovery plan and document the test results to ensure that it functions as intended.
- Complete the alternative-processing site at its Queens Borough office.
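Three of the recommendations above (deleting the accounts of terminated employees, and disabling and then deleting inactive user IDs) describe an account-lifecycle review that can be run mechanically against a directory or mainframe user export. The following is an added example of such a review, written for this page; it is not part of the audit report, and DOB's actual systems, export format, field names (user_id, status, employed, last_login, created, status_changed) and the 90-day inactivity and 30-day disabled-retention thresholds are all assumptions chosen for illustration. The account records are constructed sample data.

```python
from datetime import date

# Constructed sample export. Field names and values are assumptions for this
# example; they do not come from DOB's systems or from the audit report.
# status:         "active" or "disabled"
# employed:       False once HR records the employee as terminated
# last_login:     ISO date of last successful log-in, or None if never logged in
# created:        ISO date the account was created
# status_changed: ISO date the account was last enabled/disabled
ACCOUNTS = [
    {"user_id": "jdoe",   "status": "active",   "employed": False,
     "last_login": "2004-02-14", "created": "2001-06-01", "status_changed": "2001-06-01"},
    {"user_id": "asmith", "status": "active",   "employed": True,
     "last_login": "2003-11-01", "created": "2000-01-10", "status_changed": "2000-01-10"},
    {"user_id": "bwong",  "status": "active",   "employed": True,
     "last_login": "2004-03-25", "created": "2002-05-20", "status_changed": "2002-05-20"},
    {"user_id": "clee",   "status": "disabled", "employed": False,
     "last_login": "2003-12-30", "created": "1999-09-01", "status_changed": "2004-01-10"},
    {"user_id": "dkim",   "status": "disabled", "employed": False,
     "last_login": "2004-03-19", "created": "2003-02-01", "status_changed": "2004-03-20"},
    {"user_id": "enash",  "status": "active",   "employed": True,
     "last_login": None,         "created": "2003-12-15", "status_changed": "2003-12-15"},
]


def _days_since(iso_date, as_of):
    """Whole days elapsed between an ISO-8601 date string and the review date."""
    return (as_of - date.fromisoformat(iso_date)).days


def review_accounts(accounts, as_of, inactive_days=90, disabled_retention_days=30):
    """Apply three lifecycle rules and return (user_id, action, reason) for each
    account that fails one of them. Accounts that pass every rule are not reported.

    Rule 1: an active account whose owner is no longer employed -> delete.
    Rule 2: an active account with no log-in within inactive_days (a never-used
            account is measured from its creation date) -> disable.
    Rule 3: an account that has sat disabled longer than disabled_retention_days
            -> delete.
    """
    findings = []
    for acct in accounts:
        uid = acct["user_id"]
        if acct["status"] == "active":
            if not acct["employed"]:
                findings.append((uid, "delete", "terminated employee with active account"))
                continue  # no need to also report it as idle
            reference = acct["last_login"] or acct["created"]
            idle = _days_since(reference, as_of)
            if idle > inactive_days:
                reason = ("never logged in" if acct["last_login"] is None
                          else f"no log-in for {idle} days")
                findings.append((uid, "disable", reason))
        elif acct["status"] == "disabled":
            age = _days_since(acct["status_changed"], as_of)
            if age > disabled_retention_days:
                findings.append((uid, "delete", f"disabled for {age} days"))
    return findings


def review_summary(as_of_iso="2004-04-01"):
    """Map each flagged user_id to its recommended action for a given review date."""
    as_of = date.fromisoformat(as_of_iso)
    return {uid: action for uid, action, _ in review_accounts(ACCOUNTS, as_of)}


if __name__ == "__main__":
    for uid, action, reason in review_accounts(ACCOUNTS, date(2004, 4, 1)):
        print(f"{uid:8} {action:8} {reason}")
```

Run periodically against a fresh export, the findings list is also the evidence an auditor asks for: each entry records why the account was flagged, and the report can be filed alongside the ticket that deleted or disabled it. The rules are deliberately independent so that an account is reported for the most severe condition it meets (a terminated employee's live account is reported for deletion, not merely as idle).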