Follow-up Audit Report on the Internal Controls for the Department of Citywide Administrative Services Data Center

June 20, 2002 | 7F02-166

SUMMARY OF FINDINGS AND CONCLUSIONS

This follow-up audit determined whether the New York City Department of Citywide Administrative Services (DCAS) implemented the recommendations made in an earlier audit report, Audit Report of the Internal Controls for the New York City Department of General Services’s FAMIS Data Center (Audit #7A96-080, issued June 28, 1996). The earlier audit evaluated the adequacy of the data center’s physical security, computer operations, and backup/contingency plans. This follow-up audit discusses the recommendations made in the previous audit as well as the implementation status of those recommendations.

The previous audit made 21 recommendations to DCAS (formerly known as the Department of General Services), of which three have been implemented, four have been partially implemented, and 14 are no longer applicable. The details of these recommendations and their implementation status follow. DCAS should:

  1. "Develop formal physical security guidelines/procedures concerning the data center. These guidelines should be reviewed and updated periodically."
  2. "Improve the physical security of the data center by maintaining a list of staff members who are authorized to have access to the data center, requiring visitors to sign in at all times, and placing a guard outside the data center during evenings and weekends."
  3. "Periodically inspect the data center to ensure its cleanliness and safety."
  4. "Develop and formally document system administrator policies, procedures, and guidelines that include security procedures to monitor, report, and review system access security violations. In addition, job descriptions should be developed for the system administrator function."
  5. "Establish formal written security policies and procedures in accordance with Comptroller’s Directive 18, the New York City Department of Investigation’s System Security Standards for Electronic Data Processing, and New York City’s Data Processing Standards. These policies and procedures should provide for the overall safety of the [DCAS] data center hardware and software."
  6. "Comply with New York City’s Department of Investigation System Security Standard #210, which requires that passwords be changed regularly."
  7. "Comply with the ‘Open VMS Vax Guide to System Security,’ which recommends that the security administrator provide tight volume protection through UIC-based protection."
  8. "Meet with all City agencies using FAMIS to discuss ways to improve the system’s security, including:
  • developing an algorithm that would hide the passwords from view when the security file is printed,
  • developing procedures for removing users from the FAMIS,
  • regularly changing passwords and using access control forms, and
  • regularly reviewing, updating and monitoring their security file for reasonableness and accuracy."

  9. "Develop a formal disaster contingency plan. This plan should be reviewed by [DCAS] for content, and periodically tested. A copy of the plan should be kept on site as well as at an off-site location."
  10. "Develop formal disaster recovery procedures in order to restore system operations. These procedures should be tested annually."
  11. "Ensure that FAMIS’ supporting documentation is stored at an off-site location."
  12. "Install and test an Uninterrupted Power System at the data center."
  13. "Enter into a contract with a government agency or private firm to provide disaster recovery facilities, or establish its own back-up facility for data center operations at an off-site location."
  14. "Purchase a locking cabinet to properly secure the tape in the on-site library."
  15. "Contact Arcus Data Storage Incorporated and instruct this vendor to begin a regularly scheduled tape pickup."
  16. "Provide better record keeping ability for the tape library function by purchasing and using an automated tape library management software package."
  17. "Update its master inventory listing, and keep it up to date."
  18. "Examine its maintenance contract with DEC [Digital Equipment Corporation] to determine whether preventive maintenance is performed on the DEC/VAX mainframe during visits. If DEC is not performing scheduled preventive maintenance, then [DCAS] should schedule preventive maintenance immediately."
  19. "Require data center management to meet with the Senior Stationary Engineer from the Facilities Management and Construction unit to establish a regular preventive maintenance schedule for the large air conditioners."
  20. "Maintain records of the air conditioning units’ downtime, including explanations."
  21. "Retain copies of air conditioners’ maintenance logs evidencing work performed. [DCAS] should also periodically analyze and review air conditioning maintenance logs and records."

To address the issues from the previous audit that have not been resolved, we now recommend that DCAS:

  1. Require that all system users periodically change their passwords.
  2. Test the MCMS [Maintenance Control Management System] disaster recovery plan annually.

This audit was conducted in accordance with Generally Accepted Government Auditing Standards (GAGAS) and included tests of the records and other auditing procedures considered necessary. This audit was performed in accordance with the City Comptroller’s audit responsibilities as set forth in Chapter 5, § 93, of the New York City Charter.

The matters covered in this report were discussed with officials from DCAS during and at the conclusion of this audit. A preliminary draft report was sent to DCAS and discussed at an exit conference held on May 30, 2002. On May 30, 2002, we submitted a draft report to DCAS with a request for comments. We received a written response on June 13, 2002. In response to the audit recommendations, DCAS stated that it will revisit the issue of requiring system users to periodically change their passwords and stated that MCMS will be part of DoITT’s annual Disaster Recovery Plan test.
