Department of Economic Security—Information Security (July 2005, Report No. 05-04)

SUMMARY

The Office of the Auditor General has conducted a performance audit of the Arizona Department of Economic Security’s information security pursuant to a November 20, 2002, resolution of the Joint Legislative Audit Committee. The audit was conducted as part of the sunset review process prescribed in Arizona Revised Statutes (A.R.S.) §41-2951 et seq and is the third in a series of six reports on the Department of Economic Security (Department). This audit addresses four major aspects of the Department’s controls over computer-based information:

  • Controls over access by employees and others who use the data

  • Protection of computers and local area networks (LANs) against virus attacks and other intrusions or data losses

  • Procedures for making changes to computer programs

  • Contingency planning for restoring service in the event of a major system failure


The first report reviewed the Department’s welfare programs (Auditor General Report No. 04-02) and the second its unemployment insurance program (Auditor General Report No. 05-01). Subsequent reports will examine the Department’s service integration initiative, the Division of Developmental Disabilities, and the Department’s performance in light of the sunset factors contained in Arizona statutes.

The security of the Department’s information systems is important because of the sensitive nature of its data. Department systems assist employees in important tasks such as tracking child welfare cases, monitoring information on developmentally disabled clients in state care, determining clients’ eligibility to receive welfare benefits, and processing claimants’ applications for unemployment insurance. Nearly 14,100 user accounts access various parts of department systems. About 11,730 accounts are for internal department use. In addition, more than 2,350 users, including local, state, tribal, federal, and private agencies, access the Department’s systems. The Department reports that it has more than 80 different information systems, and manages a substantial amount of money through its systems. For instance, in fiscal year 2004, the Department used its systems to process $175 million in Temporary Assistance for Needy Families (TANF) cash benefits, and approximately $395 million in unemployment claims.

Controls over data security need improvement
(see pages 9 through 15)

The Department needs to establish better access controls over its information systems and strengthen central oversight of data security. Access controls and other aspects of the security environment need to be strengthened throughout the Department. For example, auditors found that access rights were not periodically reviewed, old or unused accounts were not deleted promptly, and the special privilege that allows an individual to create and delete user accounts was not adequately restricted.
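The three access-control findings above (no periodic review of rights, stale accounts left in place, unrestricted account-creation privilege) are all things a periodic review can surface mechanically. The script below is an added example, not code from the report or the Department: it runs a review over a constructed account export, flagging idle and never-used accounts, disabled accounts that should have been deleted, and holders of the account-creation privilege who are not on an approved list. The privilege name `account-admin`, the 90-day idle and 30-day deletion thresholds, and all account records are assumptions made for illustration.

```python
"""Periodic access review over an exported account listing.

Added example, not from the audit report. The account records are constructed
for illustration; a real review would read an export from the directory
service or application and compare it against an approved-administrator list
maintained by the security administrator.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical name of the privilege that allows creating/deleting accounts.
ACCOUNT_ADMIN = "account-admin"


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_logon: Optional[date]       # None = never logged on
    disabled_since: Optional[date]   # set when the account was disabled
    privileges: frozenset


AS_OF = date(2005, 6, 30)  # review date (constructed)

# Constructed sample export.
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2005, 6, 28), None, frozenset()),
    Account("bob", True, date(2005, 1, 15), None, frozenset()),      # idle
    Account("carol", True, None, None, frozenset()),                 # never used
    Account("dave", False, date(2004, 11, 1), date(2004, 11, 15), frozenset()),
    Account("erin", True, date(2005, 6, 29), None, frozenset({ACCOUNT_ADMIN})),
    Account("frank", True, date(2005, 6, 20), None, frozenset({ACCOUNT_ADMIN})),
    Account("grace", True, date(2005, 2, 1), None, frozenset({ACCOUNT_ADMIN})),
]


def stale_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts idle longer than max_idle_days, or never logged on."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a.username for a in accounts
                  if a.enabled and (a.last_logon is None or a.last_logon < cutoff))


def account_admins(accounts):
    """Enabled accounts holding the create/delete-accounts privilege."""
    return sorted(a.username for a in accounts
                  if a.enabled and ACCOUNT_ADMIN in a.privileges)


def disabled_pending_deletion(accounts, as_of, grace_days=30):
    """Disabled accounts that have outlived the retention grace period."""
    cutoff = as_of - timedelta(days=grace_days)
    return sorted(a.username for a in accounts
                  if not a.enabled and a.disabled_since is not None
                  and a.disabled_since < cutoff)


def review(accounts, as_of, approved_admins, max_idle_days=90, grace_days=30):
    """Findings a security administrator would act on at each review cycle."""
    stale = stale_accounts(accounts, as_of, max_idle_days)
    admins = account_admins(accounts)
    return {
        "stale": stale,
        "disabled_pending_deletion": disabled_pending_deletion(accounts, as_of, grace_days),
        "unapproved_admins": sorted(set(admins) - set(approved_admins)),
        "stale_admins": sorted(set(admins) & set(stale)),
    }


if __name__ == "__main__":
    for category, names in review(SAMPLE_ACCOUNTS, AS_OF, {"erin", "frank"}).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

The "stale admins" bucket is the one to act on first: an idle account that can create other accounts is the combination the audit's three findings make most dangerous. Running the review on a fixed schedule and keeping its output is also the documentation the report says the compliance reviews currently lack.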

The Department has not provided sufficient central oversight of the security environment. Unlike some state agencies, the Department has not established minimum qualifications and duties for personnel involved in security administration and it has provided neither a manual nor adequate training to ensure that security personnel understand their functions. In addition, new department employees do not always take a mandatory computer security training course, and the Department lacks the legal authority, from either an executive order or statute, to request background checks for personnel in sensitive information technology positions. The Department has begun to address some entity-wide security concerns through its Information Security Administration, located in the Division of Technology Services (DTS). For example, in March 2005, it adopted new policies governing account management. This administration also recently began conducting security compliance reviews within the Department, but needs to develop a regular schedule for such reviews and better document its processes.

Information in local area networks and computers not adequately protected
(see pages 17 through 22)

The Department needs to improve management of its local area networks (LANs) and computers to better ensure system security and operability. Good management of LANs and computers provides protection against virus attacks, hacker intrusion, and possible loss of data. However, the Department does not provide sufficient protection in three areas:

  • Security patches—Every operating system has vulnerabilities that hackers can potentially exploit to attack a system. Security patches are designed to correct identified security weaknesses, and need to be installed on computers in order to protect them from attacks. However, in general, the Department does not install these patches in a timely manner and so exposes its information systems to an increased risk of inoperability or compromise.

  • Virus protection software—Since 2002, the Department has annually purchased a product that, when installed, allows it to centrally ensure that all computers have updated virus protection. However, not all divisions have installed this software on all their machines.

  • Software downloaded from the Internet—The Department’s acceptable use policy prohibits employees from downloading any software not specifically authorized by their local IT unit. However, auditors found instances of computers with inappropriate software downloaded from the Internet. Such software can carry malicious programs that slow or lock up a computer or make it easier for hackers to attack the Department’s systems.

In order to resolve these problems, the Department needs to deploy as planned a software package that will allow it to centrally manage security updates, set a time frame by which all divisions should install its entity-wide virus protection software, ensure its employees and local LAN support units understand its acceptable use policy, and monitor to ensure its divisions and employees comply with its policy.
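The monitoring step in the paragraph above needs a way to turn inventory data into per-host and per-division findings. The script below is an added example, not code from the report or from any product the Department deployed: it checks constructed host records against three policy rules matching the three findings (patch age, presence and currency of the central virus-protection client, and software outside the local IT unit's allowlist) and aggregates the results by division. The thresholds (30 days for patches, 7 days for signatures), the allowlist contents, and the host records are assumptions made for illustration.

```python
"""Endpoint compliance check for patch age, virus protection and unauthorized software.

Added example, not from the audit report. Host records and the software
allowlist are constructed; in practice they would come from the central
update/antivirus management console and each local IT unit's approved list.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

AS_OF = date(2005, 6, 30)  # constructed check date

# Hypothetical allowlist maintained by the local IT unit.
ALLOWED_SOFTWARE = frozenset({"office-suite", "web-browser", "pdf-reader"})


@dataclass(frozen=True)
class Host:
    hostname: str
    division: str
    last_security_patch: Optional[date]  # None = no patch record
    av_agent: bool                        # central AV client installed
    av_signatures: Optional[date]         # signature date, None if no agent
    software: frozenset


# Constructed sample inventory; division labels are placeholders.
SAMPLE_HOSTS = [
    Host("ws01", "div-a", date(2005, 6, 25), True, date(2005, 6, 29),
         frozenset({"office-suite", "web-browser"})),
    Host("ws02", "div-b", date(2005, 3, 1), True, date(2005, 6, 29),
         frozenset({"office-suite"})),
    Host("ws03", "div-b", date(2005, 6, 20), False, None,
         frozenset({"office-suite", "p2p-client"})),
    Host("ws04", "div-b", None, True, date(2005, 5, 1),
         frozenset({"office-suite"})),
]


def check_host(host, as_of, max_patch_age_days=30, max_sig_age_days=7,
               allowlist=ALLOWED_SOFTWARE):
    """Return the policy violations for one host, in a fixed order."""
    findings = []
    patch_cutoff = as_of - timedelta(days=max_patch_age_days)
    if host.last_security_patch is None:
        findings.append("no-patch-record")
    elif host.last_security_patch < patch_cutoff:
        findings.append("patches-overdue")
    if not host.av_agent:
        findings.append("av-missing")
    else:
        sig_cutoff = as_of - timedelta(days=max_sig_age_days)
        if host.av_signatures is None or host.av_signatures < sig_cutoff:
            findings.append("av-signatures-stale")
    for name in sorted(host.software - allowlist):
        findings.append(f"unauthorized-software:{name}")
    return findings


def compliance_by_division(hosts, as_of, **policy):
    """Aggregate per division so management can see which units lag."""
    summary = {}
    for host in hosts:
        entry = summary.setdefault(host.division, {"hosts": 0, "noncompliant": 0})
        entry["hosts"] += 1
        if check_host(host, as_of, **policy):
            entry["noncompliant"] += 1
    return summary


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(host.hostname, host.division, check_host(host, AS_OF) or "compliant")
    print(compliance_by_division(SAMPLE_HOSTS, AS_OF))
```

A host with no patch record is reported separately from one whose patches are merely old, because the first usually means the host is not enrolled in the central update tool at all, which is the deployment gap the paragraph describes. The per-division roll-up is what a "time frame by which all divisions should install" the entity-wide software can be measured against.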

Department could improve its management of computer program changes
(see pages 23 through 25)

The Department could better manage its process for making changes to computer programs. Effective controls over the change process help ensure that computer program modifications are implemented only if they are properly requested, designed, tested, and approved. Failure to adequately control the program change process could lead to programs with errors or program changes that are inadequate and require additional resources to implement. For instance, in an audit released in January 2005, auditors identified computer errors in the Department’s Unemployment Insurance Program that potentially have subjected Arizona employers to fines and assessments by reporting inaccurate information to the U.S. Internal Revenue Service. Due to an apparent lapse in adequate testing, programmers were unable to fix this problem during the course of the previous audit.

The Department should standardize the program change process throughout its programming teams. Auditors found that the program change process varied considerably among the 20 programming teams. The lack of a uniform, standardized process increases the risk of inappropriate or inadequate changes being introduced into a system. In addition, programming teams were unable to provide testing documentation. DTS is making efforts to address both of these weaknesses. DTS is developing a documented program change management policy and plans to apply this policy to all programming teams. In addition, DTS acquired an automated testing tool that will allow it to conduct well-documented and extensive testing of program changes, which it plans to implement in July 2005.

Department has made progress in disaster recovery
(see pages 27 through 31)

Although the Department has not completed a disaster recovery plan for its computer systems, it has begun to take steps to implement this goal and to join in a state-wide agency planning effort. Disaster recovery planning allows critical services to continue in the event of damage to an entity’s computer systems. In 2002, the Department purchased a computer software planning system for disaster recovery, but due to staff vacancies made little progress in completing the required information.

Beginning in calendar year 2004, the agency has increased its disaster recovery efforts. For example, it began regular off-site remote backups of data and hired a disaster recovery manager. Further, along with other state agencies, it obtained one-year funding in fiscal year 2005 for emergency computer facility (“hot site”) services and purchased hardware to allow for faster backups of its data. The Legislature approved additional funding for fiscal year 2006, although it reduced the Department’s appropriation from the previous fiscal year.1 The Department also has begun plans to redirect its computer network to the hot site in the event of an emergency, and has started daily backups of critical system data. Finally, in addition to its own efforts, the Department is meeting with other state agencies to discuss planning for state-wide disaster recovery solutions. However, the Department needs to finish documenting its disaster recovery plan.


1  JLBC’s recommendation stated that the reduced appropriation for fiscal year 2006, which was made from the Risk Management Fund, could generate federal matching fund monies. However, because the Fund includes federal monies, the Department is working with the State Comptroller’s Office to determine whether and how this can be done while complying with restrictions on federal monies.


Copyright 2012 State of Arizona Office of the Auditor General, All Rights Reserved.