Follow-up Report on the New York City Fire Department’s Arson Information Management System Data Center
EXECUTIVE SUMMARY
This follow-up audit was conducted to evaluate the New York City Fire Department’s (FDNY) progress in implementing the 22 recommendations made in an earlier audit, Audit Report of the Internal Controls for the New York City Fire Department’s Arson Information Management System Data Center (Audit No. 7A95-140, issued January 4, 1996). The earlier audit evaluated the effectiveness of management’s control over FDNY’s Arson Information Management System (AIMS) data center in the areas of data and physical security, program change control, computer operations, and backup/contingency planning. In 1997, the Bureau of Fire Information Microcomputer System (BFIS) data center replaced the AIMS data center. In this follow-up audit, we discuss the recommendations made in the previous audit for the AIMS data center and how these recommendations have been addressed in the BFIS data center.
Our previous audit made 22 recommendations to FDNY. Of the 22 recommendations 15 were implemented, two were partially implemented, three were not implemented, and two are no longer applicable. The details of these recommendations and their implementation status follow. FDNY should:
- "Establish security policies in accordance with Comptroller’s Directive #18, the New York City Department of Investigation’s System Security Standards for Electronic Data Processing, and New York City’s Data Processing Standards, which should address all administrative controls for monitoring the data center’s security, its data integrity, its identification process efficiency, its recording of system access and changes."
- "Immediately identify all employees sharing passwords, and then comply with DOI’s standard #210 by issuing programmer passwords on an individual basis."
- "Re-evaluate all existing user IDs, thereby eliminating unnecessary IDs (especially those assigned to individuals no longer employed by the FDNY) and/or excessive levels of system access for the given IDs."
- "Comply with Comptroller’s Directive #18, requiring the changing of passwords regularly."
- "Reassess the data center’s physical security in conjunction with the building’s owner, DGS."
- "Require the data center’s staff to keep the entrance door to the data center locked at all times."
- "Continue to require all visitors to sign a register if they do not work there."
- "Provide guard service or an alarm system within the data center to prevent access by unauthorized persons. The greatest security is needed from 12:30 P.M. to 7:30 A.M. when the center is unstaffed."
- "Install a video camera to monitor the external doors."
- "Seal the mail slot on the computer room’s external doors."
- "Remove all reference to the center’s name on the front door nameplate."
- "Comply with DOI’s Standard #511 by installing smoke/heat detectors immediately to ensure the safety of its assets and staff."
- "Continue to comply with DOI’s Standard #604 through consistent monitoring and maintenance of the AIMS fire extinguishers."
- "Comply with DOI Standard #504 regarding emergency lighting within the data center."
- "Develop, approve, and implement a Disaster Recovery/Contingency Plan in accordance with Comptroller’s Directive #18 and Department of Investigation Security Standards. This plan should include procedures for handling system emergencies that may occur during the hours that the facility is unstaffed."
- "Test such a Disaster Recovery/Contingency Plan to ensure that it will provide smooth, rapid, and effective restoration of the data center’s functions in the event of a disaster. We further recommend that any test of such a Disaster Recovery/Contingency Plan not be announced so that the staff learn how to function in a real emergency."
- "Comply with New York City Data Processing Standard #20.02 by removing all unnecessary equipment and articles from the computer room, cleaning under the raised floor, keeping the computer room tiles in place, and storing computer paper outside the computer room."
- "Speed up the timetable for the conversion or upgrading of the AIMS to protect it from system failure and to prevent loss of service to those depending on its data."
- "Adopt data center policies and procedures formally separating the programming and system functions. If the size of the data center’s staff precludes this separation then AIMS management should establish compensating controls which will detect/prevent unauthorized changes to the AIMS operating system."
- "Comply with the New York City Data Processing Standard #20."
- "Develop, approve, and implement policies, which ensure that all appropriate information is stored in the tape library, and that access is limited to prevent the loss or destruction of information."
- "Comply with New York City Data Processing Standard #20.14 by appointing a tape librarian who will be responsible for putting into practice the above policies and for conducting periodic physical inventories of the tape library."
To address the issues that still exist, we now recommend that BFI management should:
- Identify and terminate inactive user accounts.
- Install a smoke detector in the computer room.
- Test the disaster recovery plan to ensure that it will provide a smooth, rapid, and effective restoration of the data center’s functions. These tests should not be announced so that the staff learn how to function in a real emergency.
- Remove unused equipment and tape cartridges from the computer room.
- Develop and implement compensating controls to ensure that only authorized changes are made to the system.
We conducted this follow-up audit in accordance with generally accepted government auditing standards (GAGAS) and included tests of the records and other auditing procedures considered necessary. This audit was performed in accordance with the City Comptroller’s audit responsibilities as set forth in Chapter 5, § 93, of the New York City Charter.
The matters covered in this report were discussed with officials from FDNY during and at the conclusion of this audit. A preliminary draft report was sent to FDNY officials to be discussed at an exit conference. FDNY officials stated that they agreed with the report findings and recommendations and that there was no need to hold an exit conference. On May 7, 2002, we submitted a draft report to FDNY officials with a request for comments. We received FDNY’s written response on May 22, 2002. FDNY said that it had already implemented three of the five recommendations and planned to implement the other two.