Follow-up Audit Report on the Department of Health and Mental Hygiene Wide Area Network

AUDIT REPORT IN BRIEF

This is a follow-up audit to determine whether the Department of Health and Mental Hygiene (DOHMH) (formerly the Department of Health) implemented the eight recommendations made in a previous audit of its Wide Area Network (WAN). In this report, we discuss the eight recommendations from the prior audit in detail, as well as the implementation status of each recommendation.

In Fiscal Year 2001, our office conducted an audit to evaluate whether DOHMH was in compliance with the City standards applicable to regulating its WAN environment. The audit also determined whether DOHMH had adequate computer network maintenance and security controls, as well as adequate computer operations and contingency plans. The audit found a number of weaknesses existing in DOHMH’s WAN environment. Specifically, DOHMH: lacked policies and procedures regarding its computer operations, system access, and data security; did not install cameras and fire detection systems in some of its data centers to ensure their physical security; and did not have a complete disaster recovery plan for its computer environments.

We made eight recommendations in the previous audit, DOHMH has implemented five, partially implemented two, and did not implement one.

To address the unresolved issues from the prior audit, we recommend that DOHMH:

• Install a state-of-the-art fire detection and suppression system in each of its data centers.
• Include the names, addresses, and telephone numbers of all people who may be required in any backup or recovery scenario in its disaster recovery plan.
• Install additional video cameras in its Worth Street location, make the back-up site’s cameras operational, and ensure that the data centers are sufficiently lighted so that transmitted images may be seen.