Audit Report on User Access Controls at the Department of Finance

7A03-133

June 26, 2003

THE CITY OF NEW YORK OFFICE OF THE COMPTROLLER

1 CENTRE STREET NEW YORK, N.Y. 10007-2341

WILLIAM C. THOMPSON, JR.

COMPTROLLER

To the Citizens of the City of New York

Ladies and Gentlemen:

In accordance with the Comptroller's responsibilities contained in Chapter 5, § 93, of the New York City Charter, my office has performed an audit of the User Access Controls at the Department of Finance. The results of our audit, which are presented in this report, have been discussed with officials from the Department of Finance, and their comments have been considered in preparing this report.

Audits such as this provide a means of ensuring that the City has adequate controls in place to protect its records from unauthorized access.

I trust that this report contains information that is of interest to you. If you have any questions concerning this report, please contact my audit bureau at 212-669-3747 or e-mail us at audit@Comptroller..

Very truly yours,

William C. Thompson, Jr.

WCT/GR

Report: 7A03-133
Filed: June 26, 2003

Table of Contents

AUDIT REPORT IN BRIEF 1
INTRODUCTION 2
Background 2
Objective 3
Scope and Methodology 3
Discussion of Audit Results 4
FINDINGS AND RECOMMENDATIONS 5
Information Protection Policies and Procedures Not Complete 6
Lack of Procedures to Identify and Eliminate IDs of Inactive Users and Users Who Leave City Service 6
Reviews of User Privileges Not Performed in a Timely Manner 6
Credit Card Information Not Encrypted 7
Lack of Virus Response Plan 7
Network Access Weaknesses 7
Recommendations 7
ADDENDUM - Department Response

Bureau of Financial Audit EDP Audit Division

AUDIT REPORT IN BRIEF

We performed an audit of the user access controls at the Department of Finance (Department). The Department of Information Technology and Telecommunications (DoITT) manages the Department's system software and hardware and provides software-based controls that help the Department control access to computer systems and to specific data or functions within the systems. The mainframe security program used by DoITT to protect resources such as databases and application programs is Resource Access Control Facility (RACF). For the network environment, such as the Internet and the wide area network, DoITT maintains a secure portal that allows the Department to send and receive information from the Internet and other communications links, such as Citynet. The Department is responsible for assigning RACF user profiles and application controls to specific applications in both the mainframe and network environments.

Audit Findings and Conclusions

The Department has adequate controls to protect both its mainframe and network environments. The Department and DoITT have a number of procedures to control data, files, and applications. However, there were several security matters that should be addressed. Specifically, for the mainframe environment, the Department's information protection policies and procedures are not consolidated in one formal document, and some of the Department's policies were last updated as far back as 1989. Further, there are no formal procedures in place for identifying and eliminating user IDs for inactive users and individuals who leave City service. Also, the Department does not perform timely reviews and updates of employee system privileges.

At the network level, the Department has no formal information protection policies and procedures for the network environment, and the system does not encrypt credit card information received from the public. Moreover, the Department has no agency virus response plan, and network applications do not automatically suspend inactive user accounts.

1

Office of New York City Comptroller William C. Thompson, Jr.

Audit Recommendations

To address these issues, we recommend that the Department:

• Update its information protection policies and procedures, in accordance with Comptroller's Directive 18. The Department should ensure that these policies and procedures include the network environment.

• Develop procedures for identifying and eliminating user IDs for inactive users and individuals who leave City service. Immediately review the current list of users and make the appropriate adjustments.

• Perform timely reviews and updates of employee system privileges.

• Ensure that all credit card information on the system is encrypted.

• Immediately develop and implement a formal virus response plan, in accordance with Comptroller's Directive 18.

• Modify the network security software to automatically suspend user accounts if they are not used for a specified period of time.

INTRODUCTION

Background

The Department of Finance (Department) administers and enforces tax laws and collects taxes, judgments, and other charges levied by a number of City agencies and courts. The Department: educates the public about its rights and responsibilities with regard to taxes; processes parking summonses; provides motorists with a forum to contest summonses through an adjudication hearing; and collects court-ordered private and public sector debt.

The Department of Information Technology and Telecommunications (DoITT) manages the Department's system software and hardware. Further, DoITT administers access controls to information stored in the Department's 16 mainframe applications as well as to two kiosk-based applications in the network environment that supports Department activities.

DoITT provides software-based controls containing a variety of programmed features that help the Department control access to computer systems and to specific data or functions within the systems. The mainframe security program used by DoITT to protect resources (such as databases, application programs, and the mainframe operating system) is Resource Access Control Facility (RACF). For the network environment (Internet access, the local area network, and the wide area network), DoITT maintains a secure portal that allows the Department to send and receive information from the Internet and other

