Follow up Audit Report on the Department of Environmental Protection Data Center
AUDIT REPORT IN BRIEF
This follow-up audit determined whether the New York City Department of Environmental Protection (DEP) implemented the 14 recommendations made in a previous audit of its data center. In this report, we discuss the 14 recommendations from the prior audit in detail, as well as the current status of each recommendation.
In Fiscal Year 2002, our office conducted an audit of DEP’s physical security procedures, system security procedures, disaster recovery plans, and operational procedures for protecting its computer equipment inventory and information. The audit also determined whether DEP complied with Comptroller’s Internal Control and Accountability Directive 18, Guidelines for the Management, Protection and Control of Agency Information and Information Processing Systems; the Department of Investigation’s (DOI) Standards for Inventory Control and Management; DOI’sInformation Security Directive 4.4; and applicable Federal Information Processing Standards (FIPS).
The previous audit found a number of weaknesses, including that the data center was not monitored 24 hours a day, and that a fire extinguishing system had not been installed. In addition, that audit noted that log-on access of 81 inactive or former employees had not been disabled, and that DEP had no procedures to document and review network-security access violations. Moreover, DEP did not follow proper inventory procedures to ensure that all its computer equipment was accounted for, and it had no formal disaster recovery plan for its critical systems.
DEP implemented nine and did not implement five of the 14 recommendations made in the previous audit. In this follow-up audit, we found that DEP made some improvements in its data center physical and system security—a swipe-card system has been installed to restrict access to the data center and a surveillance camera has been installed to monitor the data center 24 hours a day, seven days a week; the data center’s Uninterruptable Power Supply (UPS) is being tested periodically; and the agency has terminated log-in access for inactive users and improved its system access controls. However, the center still lacks a fire extinguishing system, there are generic log-on accounts that still need to be eliminated, and a formal procedure has not been created that requires that the access-violation report be reviewed. In addition, DEP has not developed a formal disaster recovery plan to ensure business continuity, and its computer equipment inventory records are not kept up-to-date.
To address the issues that still exist, we recommend that DEP:
- Install a fire extinguishing system in the data center.
- Reevaluate current generic log-on accounts and eliminate any that are unnecessary.
- Establish formal procedures to document and report network access violations, and review and follow up on all reported access violations.
- Complete and formally approve a disaster recovery plan (for the network and software). Once the plan is completed and approved, DEP should periodically test it and document the results to ensure that the plan functions as intended and is adequate to quickly resume computer operations without material loss of data.
- Maintain a complete and accurate list of all computer equipment and perform an annual inventory to ensure that all equipment items on hand are included on the inventory records.