Follow-Up Audit Report on The Department of Employment Local Area Network/Wide Area Network
SUMMARY OF FINDINGS AND CONCLUSIONS
This follow-up audit determined whether the New York City Department of Employment (DOE) implemented recommendations made in a previous audit entitled Audit Report of the Department of Employment Local Area Network/Wide Area Network (Audit No. 7A97-124, issued June 20, 1997). The earlier audit evaluated the effectiveness of management’s control over DOE’s local area network (LAN) and wide area network (WAN) in the areas of physical security, logical security, department operations, and disaster recovery/contingency planning. In our current audit, we discuss the recommendations we made earlier, as well as the implementation status of those recommendations. We also discuss new findings and recommendations based on our current review.
In our previous audit we made 19 recommendations to DOE, all of which have been implemented. The details of these recommendations and their implementation status follow. DOE should:
- "Submit a ’new need’ request to OMB to hire two or three more persons to document and resolve current and future change requests."
- "Design a problem reporting form with an identical format to the Problem Ticket Screen on the HEAT [Help-desk Expert Automation Tool] system. This form could be mailed or faxed to the Help Desk and entered into the HEAT system, thereby ensuring that all problems are captured on the HEAT system."
- "Modify the HEAT system so that analysts can review problem tickets on-line, and if they determine that a change request should be generated, they can bring up a new screen that captures the Problem Ticket Number and Problem Ticket Date from the system. This would then allow the analyst to enter information on the scope and description of the changes, programming resources required, and the name of the authorizing manager."
- "Provide the Help Desk with formal procedures to regularly update users as to the status of their change requests."
- "Ensure that all servers are equipped with console locks so that LAN administrators and operators can lock the servers whenever they leave the server room."
- "Password-protect the console for each server. This can easily be achieved by either using the Supervisory password or assigning a password through the Novell Monitor utility so that only authorized personnel can have access to these servers."
- "In the short term, add a timeout function to workstations in the Windows environment by utilizing the screen saver option under the desktop of the control panel icon with the password-protected option turned on. In the long term, DOE could standardize workstation security by purchasing a software package, such as Intermission or LockIt."
- "Secure the backup router and test router (when it is found) in either the server room or in a locked hardware storage room."
- "Develop a security request form to be completed by employees whenever they request an addition, modification, or deletion to their access privileges."
- "Create formal security procedures for recording and tracking changes in access privileges for the LAN, ACMS [Automated Case Management System], or any other software applications."
- "Implement DoITT’s suggestion for developing a business recovery plan by purchasing a readily available off-the-shelf product; e.g., AIM/SAVE 2000 by Advanced Information Management. IMOA [Information Management and Operational Analysis] can use the software in gathering and organizing the required data. This software provides all the steps to assist IMOA in implementing a disaster recovery plan."
- "Identify anti-virus software for the network and ensure that it is installed and operational on all the servers. It is also important to routinely update the virus detection patterns so that the network is shielded from newly developed viruses."
- "Finalize the installation of the Norton Anti-Virus software throughout the network so that there will be a uniform anti-virus software protection that is operational on all the workstations."
- "Change the parameters of the Netshield software to scan incoming data for viruses."
- "Inform contractors of the contaminating effects of a virus in a network environment. IMOA management should also provide guidelines and recommendations for installing anti-virus software packages, and, if possible, insert a clause into their contracts requiring that contractors install anti-virus software."
- "Establish some form of documentation or logs for the following: daily LAN shift reports for operational purposes, system maintenance log for managerial purposes, backup logs (a checklist of file servers), and server and router configuration and settings for reference purposes."
- "Update the Network Operations Manual for Department of Employment Automated Information System Version 1.3."
- "Determine the quantity of ’Year 2000’ non-compliant equipment at DOE and contractor sites and evaluate whether a software patch can be applied to correct the internal system date routine or, if not, how and when the workstations will be replaced, before year 2000."
- "Monitor software usage by using the software package, Norton Administrator, to centralize many of the network administrative functions. It should also make an effort to clean up the software, which is no longer under license or maintenance contract, but is still installed on the workstations."
DOE does not test and update its disaster recovery plan annually, as required by Comptroller’s Directive #18, § 10.4, which states that "Periodic reviews and updates are necessary to insure that the business continuation plan remains current. A comprehensive test should be conducted annually." According to DOE’s Director of Network Systems, the disaster recovery plan was last tested in November 1999. Annual testing of the plan is essential to ensure it is current and relevant so that it will function as intended in an emergency.
In addition, DOE’s disaster recovery plan does not identify an alternate processing site where DOE could resume critical data processing operations in the event of a disaster at the Data Center. Such a site is recommended by Directive 18. Moreover, the plan does not indicate under what circumstances the agency would declare a disaster. Directive 18 states that one of the "primary elements" of a disaster recovery plan is "a pre-arranged agreement" describing the circumstances under which a disaster is to be declared.
DOE has not regularly updated its inventory of workstations, network hardware and software, and other system components. § 10.5 of Directive 18 states that "special attention must be devoted to the accurate inventorying of workstation and PC technical specifications, configurations, network software and hardware, network operating hardware and software, and application software." Finally, DOE has not updated its Network Operations Manual since June 1998 to take into account changes in its operations. Directive 18 § 9.7 states that agency information processing functions are to be "reviewed and updated periodically."
We recommend that DOE ensure that its disaster recovery plan conforms to the requirements of Directive 18. Specifically, DOE should:
- Update and conduct comprehensive tests of the plan annually.
- Arrange for an alternate processing site.
- Indicate and formalize under what circumstances the agency would declare a disaster.
- Update its inventory of workstations, network hardware and software, and other system components as needed.
- Periodically update its Network Operations Manual to take into account changes in its operations.
The matters covered in this report were discussed with officials from DOE during and at the conclusion of this audit. A preliminary draft report was sent to DOE officials and discussed at an exit conference held on March 12, 2002. On March 13, 2002, we submitted a draft report to DOE officials with a request for comments. We received a written response from DOE on April 5, 2002. DOE agreed with the audit’s findings and recommendations. The full text of the DOE response is included as an addendum to this report.