Follow-up Audit Report on the Department of Citywide Administrative Services Office of Management Information Systems Implementation of Agency-Wide Local Area Network
SUMMARY OF FINDINGS AND CONCLUSIONS
This follow-up audit determined whether the New York City Department of Citywide Administrative Services’ (DCAS) Office of Management Information Systems (OMIS) implemented the recommendations made in a previous audit entitled, Audit Report of the Department of General Services Office of Management Information Systems Implementation of Agency-Wide Local Area Network (Audit #7A96-124, issued April 29, 1996). The earlier audit evaluated the implementation phase of the agency-wide Local Area Network (LAN). In our current audit, we discuss the recommendations we made earlier, as well as the implementation status of those recommendations.
In our previous audit we made ten recommendations to DCAS (formerly known as the Department of General Services), of which six have been implemented, one has been partially implemented, two have not been implemented, and one recommendation is no longer applicable. The details of these recommendations and their implementation status follow. DCAS should:
- "Review and comply with all Citywide regulations describing the development of cost-benefit analysis for new projects, thereby eliminating the need to add or to re-design computer projects. While DGS/OMIS has almost completed the implementation of their LAN, collating any existing cost justification data would assist DGS in future LAN modifications."
- "Secure the LAN room and the enclosed compartment with the following:
  - Alarms for smoke and fire.
  - A reinforced door to the LAN room.
  - A changeable combination lock with an intercom and buzz-in feature.
  - An off-hour motion detection and door break-through intruder alarm preferably wired to the first floor lobby and guard’s desk.

  In addition, we recommend that DGS/OMIS management comply with DOISSS #502, ‘Secured Areas’; DOISSS #515, ‘Recommendations for the Physical Protection of the Computer Personnel and Installations’; and DOISSS #516, ‘Smoke Detectors.’"
- "Develop a comprehensive program for funding, scheduling, and implementing training programs. This program should cover computer usage and safeguards by maximizing the value and improving security of this multi-million dollar LAN investment."
- "Implement a staffing contingency plan to alleviate possible funding limitations for existing per diem staff."
- "Explore cross-training possibilities for existing full-time technical personnel to off-set any potential future displacement of staff (full-time and per diem) in OMIS."
- "Evaluate continued deployment of per diem staff in context of DOISSS #051 and on a cost-versus-benefit basis as opposed to recruiting full-time staff."
- "Develop a plan for a more stable staffing arrangement to more fully meet the tasks of maintaining a multi-million dollar 1,400 user LAN."
- "The Comptroller recommends that OMIS establish formal documentation for the following:
  - Maintenance records (unscheduled system downtime, debugging and periodic maintenance).
  - LAN configuration (workstation and peripheral equipment connection diagrams with communications gateways detail)."
- "Develop, approve, and implement a Disaster Recovery/Contingency Plan in accordance with Comptroller’s Directive #18 and the Department of Investigation’s System Security Standards. This plan should include procedures for handling system emergencies, which could occur when the facility is unstaffed."
- "Test such a Disaster Recovery/Contingency Plan to ensure that it will provide smooth, rapid, and effective restoration of the LAN sites’ functions in the event of a disaster. We further recommend that any test of such a Disaster Recovery/Contingency Plan not be announced so that the staff learn how to function during a real emergency."
To address the issues that still exist, we now recommend that DCAS management should:
- Establish formal documentation that records unanticipated downtime and downtime for system debugging and periodic maintenance.
- Develop, approve, and implement a Disaster Recovery Plan in accordance with Comptroller’s Directive 18.
- Test the Disaster Recovery Plan to ensure that it will provide smooth, rapid, and effective restoration of the LAN sites’ functions in the event of a disaster. Any test of such a Disaster Recovery Plan should not be announced so that the staff learn how to function during an actual emergency.
A new issue, Internet connectivity, was raised during the course of this audit. As part of the Department of Investigation (DOI) System Security Standards, agencies that plan to provide agency-wide Internet access must submit a proposal to DOI for approval. According to records we obtained from DOI, DCAS’s Internet Security Plan and Inventory has been approved.
This audit was conducted in accordance with generally accepted government auditing standards (GAGAS) and included tests of the records and other auditing procedures considered necessary. This audit was performed in accordance with the City Comptroller’s audit responsibilities as set forth in Chapter 5, § 93, of the New York City Charter.
The matters covered in this report were discussed with officials from DCAS during and at the conclusion of this audit. A preliminary draft was sent to DCAS and discussed at an exit conference on May 30, 2002. We submitted a draft report to DCAS on May 30, 2002, with a request for comments. We received a written response on June 13, 2002. DCAS agreed with our recommendations to establish formal documentation for unanticipated downtime and for downtime for system debugging and periodic maintenance, and to develop, approve, and implement a Disaster Recovery Plan in accordance with Directive 18. DCAS partially agreed with our recommendation to test the Disaster Recovery Plan, stating that a substantial increase in server capacity would be required to test a full LAN restoration. Nevertheless, DCAS stated that it will test server restorations to the extent of its ability.