Performance Audit: Department of Economic Security, Information Security (2005), Report No. 05-04
Performance Audit
Department of Economic Security: Information Security
Performance Audit Division
Debra K. Davenport, Auditor General
July 2005
Report No. 05-04
A Report to the Arizona Legislature
The Auditor General is appointed by the Joint Legislative Audit Committee, a bipartisan committee composed of five senators
and five representatives. Her mission is to provide independent and impartial information and specific recommendations to
improve the operations of state and local government entities. To this end, she provides financial audits and accounting services
to the State and political subdivisions, investigates possible misuse of public monies, and conducts performance audits of
school districts, state agencies, and the programs they administer.
The Joint Legislative Audit Committee
Senators: Robert Blendu (Chair), Carolyn Allen, Gabrielle Giffords, John Huppenthal, Harry Mitchell, Ken Bennett (ex-officio)
Representatives: Laura Knaperek (Vice Chair), Tom Boone, Ted Downing, Pete Rios, Steve Yarbrough, Jim Weiers (ex-officio)
Audit Staff
Melanie Chesney, Director
Shan Hays, Manager and Contact Person
Monique Cordova, Team Leader
Aaron Cook
Pam Eck
Copies of the Auditor General’s reports are free.
You may request them by contacting us at:
Office of the Auditor General
2910 N. 44th Street, Suite 410 • Phoenix, AZ 85018 • (602) 553-0333
Additionally, many of our reports can be found in electronic format at:
www.auditorgen.state.az.us
State of Arizona, Office of the Auditor General
Debra K. Davenport, CPA, Auditor General
William Thomson, Deputy Auditor General
2910 North 44th Street, Suite 410, Phoenix, Arizona 85018; (602) 553-0333; fax (602) 553-0051
July 12, 2005
Members of the Arizona Legislature
The Honorable Janet Napolitano, Governor
Mr. David Berns, Director
Department of Economic Security
Transmitted herewith is a report of the Auditor General, A Performance Audit of the Department of
Economic Security—Information Security. This report is in response to a November 20, 2002,
resolution of the Joint Legislative Audit Committee. The performance audit was conducted as
part of the sunset review process prescribed in Arizona Revised Statutes §41-2951 et seq. I am
also transmitting with this report a copy of the Report Highlights for this audit to provide a quick
summary for your convenience.
As outlined in its response, the Department of Economic Security agrees with all of the findings
and plans to implement all of the recommendations.
My staff and I will be pleased to discuss or clarify items in the report.
This report will be released to the public on July 13, 2005.
Sincerely,
Debbie Davenport
Auditor General
Enclosure
Services:
The Division of Technology Services (DTS) provides technical and systems services for the development, maintenance, enhancement, and operation of the Department’s automated business systems. The Division’s responsibilities also include technical support for network and user information technology (IT) equipment and software; information security management; disaster recovery; customer support for IT and telecommunications equipment; IT help desk support for end users and field technical staff; and IT planning support for the Department.
DTS is part of the Department’s central administration function, and does not carry out all IT-related activities within the Department. For example, the Department has 22 separate groups that support local area networks and computers with 72 network specialists, and 23 information security groups with 67 security representatives.
Facilities:
DTS’ main administrative office and another facility are located in two state-owned buildings in Phoenix. In addition, DTS leases space in four other buildings in Phoenix, Tucson, and Flagstaff for an annual lease cost of $603,257.
Equipment:
In addition to office furniture, DTS has specialized equipment for which it has department-wide responsibility, such as the Department’s mainframe computer. In addition, DTS reports that it has approximately 280 servers, which are computers that manage functions such as the Department’s electronic mail system, its e-Government environment, and other critical agency functions.
PROGRAM FACT SHEET
Arizona Department of Economic Security
Division of Technology Services
Organizational units (authorized positions and vacancies):
• Assistant Director’s Office: 8 (3 vacancies)
• Information Security Administration: 5 (0 vacancies)
• Systems and Programming: 159 (31 vacancies)
• Data Center: 65 (14 vacancies)
• Technical Support: 51 (8 vacancies)
• Customer Service Support Center: 49 (12 vacancies)
• Support Services: 22 (8 vacancies)
Program revenue:
$32.4 million (fiscal year 2005 budgeted)
Program staffing:
359 FTE, including 76 vacancies (as of March 24, 2005)
Program revenue chart (millions of dollars): FY 2003 (actual) 31; FY 2004 (actual) 30.4; FY 2005 (budgeted) 32.4.
Mission:
The mission of DTS is to deliver efficient, effective business technology services for the
Department‘s customers and employees, in partnership with the Department’s programs.
Program goals:
1. To increase protection for the Department’s information and individual privacy by
enhancing information technology security measures.
2. To improve public service by enhancing IT systems and expanding electronic access.
3. To increase operational efficiencies by implementing innovative IT solutions.
4. To improve service quality by providing expanded communication, skill development,
and career opportunities, and tools to optimize employee performance.
Adequacy of performance measures
DTS has developed 20 performance measures to support its 4 goals, including 9 output measures, 9 outcome measures, 1 quality measure, and 1 efficiency measure. While these measures generally were aligned with its 4 goals, auditors identified some areas where DTS could clarify how it uses measures to provide information. Specifically, DTS should consider reporting a combination of measures for all of its goals. For example, all 4 measures associated with DTS’ second goal are identified as output measures. In addition, DTS has not identified any input measures.
Source: Auditor General staff compilation of unaudited information obtained from the State of Arizona Master List of Government Programs; the
Division’s strategic plan; staffing information from the Division’s human resources manager; lease information from the Division of
Business and Finance; equipment inventory, and other information provided by the Department and the Division of Technology Services.
SUMMARY
The Office of the Auditor General has conducted a performance audit of the Arizona
Department of Economic Security’s information security pursuant to a November 20,
2002, resolution of the Joint Legislative Audit Committee. The audit was conducted
as part of the sunset review process prescribed in Arizona Revised Statutes (A.R.S.)
§41-2951 et seq and is the third in a series of six reports on the Department of
Economic Security (Department). This audit addresses four major aspects of the
Department’s controls over computer-based information:
• Controls over access by employees and others who use the data
• Protection of computers and local area networks (LANs) against virus attacks and other intrusions or data losses
• Procedures for making changes to computer programs
• Contingency planning for restoring service in the event of a major system failure
The first report reviewed the Department’s welfare programs (Auditor General Report
No. 04-02) and the second its unemployment insurance program (Auditor General
Report No. 05-01). Subsequent reports will examine the Department’s service
integration initiative, the Division of Developmental Disabilities, and the Department’s
performance in light of the sunset factors contained in Arizona statutes.
The security of the Department’s information systems is important because of the
sensitive nature of its data. Department systems assist employees in important tasks
such as tracking child welfare cases, monitoring information on developmentally
disabled clients in state care, determining clients’ eligibility to receive welfare
benefits, and processing claimants’ applications for unemployment insurance.
Nearly 14,100 user accounts access various parts of department systems. About
11,730 accounts are for internal department use. In addition, more than 2,350 users,
including local, state, tribal, federal, and private agencies, access the Department’s
systems. The Department reports that it has more than 80 different information
systems, and manages a substantial amount of money through its systems. For
instance, in fiscal year 2004, the Department used its systems to process $175
million in Temporary Assistance for Needy Families (TANF) cash benefits, and
approximately $395 million in unemployment claims.
Controls over data security need improvement (see pages 9 through 15)
The Department needs to establish better access controls over its information
systems and strengthen central oversight of data security. Access controls and other
aspects of the security environment need to be strengthened throughout the
Department. For example, auditors found that access rights were not periodically
reviewed, old/unused accounts were not deleted in a timely fashion, and the use of
special privileges that allowed individuals to create and delete user accounts was not
adequately restricted.
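The three account weaknesses named above (access rights not reviewed, old or unused accounts not removed, account-creation privileges not restricted), plus the non-expiring passwords the auditors looked for, are the kind of conditions a periodic review of a user-account export should flag. The following is an added example, not code from the report or the Department; the export format, field names, thresholds and the sample accounts are all constructed for illustration.

```python
import csv
from dataclasses import dataclass
from datetime import date
from io import StringIO

# Constructed sample export in the shape of a security system's user-account
# list. Field names are assumptions for this example; real exports differ.
SAMPLE_ACCOUNTS = """\
userid,owner_role,last_logon,pw_interval_days,can_create_accounts,last_access_review
DESA001,caseworker,2004-10-28,90,N,2004-06-30
DESA002,caseworker,2004-03-02,90,N,2004-06-30
DESA003,security_rep,2004-11-01,0,Y,2004-06-30
DESA004,contractor,,60,N,
DESA005,programmer,2004-11-03,90,Y,2003-09-15
"""


@dataclass
class Finding:
    userid: str
    issue: str


def _parse_date(value: str):
    """Return a date for YYYY-MM-DD text, or None when the field is blank."""
    return date.fromisoformat(value) if value else None


def parse_accounts(text: str):
    """Parse the CSV export into one dict per account."""
    return list(csv.DictReader(StringIO(text)))


def audit_accounts(rows, as_of, inactive_days=90, review_days=365,
                   account_admin_roles=("security_rep",)):
    """Apply the four review checks to every account and collect findings.

    inactive_days / review_days are assumed review thresholds, not values
    taken from the report or from any Department policy.
    """
    findings = []
    for row in rows:
        uid = row["userid"]

        # Old/unused accounts: never logged on, or idle past the threshold.
        last_logon = _parse_date(row["last_logon"])
        if last_logon is None:
            findings.append(Finding(uid, "account never used"))
        else:
            idle = (as_of - last_logon).days
            if idle > inactive_days:
                findings.append(Finding(uid, f"unused for {idle} days"))

        # Password not set to expire at regular intervals (0 = never expires).
        if int(row["pw_interval_days"]) == 0:
            findings.append(Finding(uid, "password not set to expire"))

        # Special privilege to create/delete accounts held outside the
        # roles that are supposed to administer security.
        if (row["can_create_accounts"] == "Y"
                and row["owner_role"] not in account_admin_roles):
            findings.append(Finding(
                uid, "account-creation privilege outside security administration"))

        # Access rights never reviewed, or not reviewed within the period.
        reviewed = _parse_date(row["last_access_review"])
        if reviewed is None or (as_of - reviewed).days > review_days:
            findings.append(Finding(
                uid, "access rights not reviewed within review period"))
    return findings


def run_sample(as_of=date(2004, 11, 15)):
    """Run the checks over the constructed export as of a fixed review date."""
    return audit_accounts(parse_accounts(SAMPLE_ACCOUNTS), as_of)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding.userid}: {finding.issue}")
```

On the sample data only DESA001 passes every check; the other four accounts each produce one or two findings that a security representative would have to act on or justify.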
The Department has not provided sufficient central oversight of the security
environment. Unlike some state agencies, the Department has not established
minimum qualifications and duties for personnel involved in security administration
and it has provided neither a manual nor adequate training to ensure that security
personnel understand their functions. In addition, new department employees do not
always take a mandatory computer security training course, and the Department
lacks the legal authority, from either an executive order or statute, to request
background checks for personnel in sensitive information technology positions. The
Department has begun to address some entity-wide security concerns through its
Information Security Administration, located in the Division of Technology Services
(DTS). For example, in March 2005, it adopted new policies governing account
management. This administration also recently began conducting security
compliance reviews within the Department, but needs to develop a regular schedule
for such reviews and better document its processes.
Information in local area networks and computers not adequately protected (see pages 17 through 22)
The Department needs to improve management of its local area networks (LANs)
and computers to better ensure system security and operability. Good management
of LANs and computers provides protection against virus attacks, hacker intrusion,
and possible loss of data. However, the Department does not provide sufficient
protection in three areas:
• Security patches—Every operating system has vulnerabilities that hackers can potentially exploit to attack a system. Security patches are designed to correct identified security weaknesses, and need to be installed on computers in order to protect them from attacks. However, in general, the Department does not install these patches in a timely manner and exposes its information systems to an increased risk of inoperability or compromise.
• Virus protection software—Since 2002, the Department has annually purchased a product that, when installed, allows it to centrally ensure that all computers have updated virus protection. However, not all divisions have installed this software on all their machines.
• Software downloaded from the Internet—The Department’s acceptable use policy regarding downloading software from the Internet prohibits employees from downloading any software not specifically authorized by their local IT unit. However, auditors found instances of computers with inappropriate software downloaded from the Internet. Such software potentially installs malicious programs onto department computers that could slow or lock up a computer or make it easier for hackers to attack its systems.
In order to resolve these problems, the Department needs to deploy as planned a
software package that will allow it to centrally manage security updates, set a time
frame by which all divisions should install its entity-wide virus protection software,
ensure its employees and local LAN support units understand its acceptable use
policy, and monitor to ensure its divisions and employees comply with its policy.
Department could improve its management of computer program changes (see pages 23 through 25)
The Department could better manage its process for making changes to computer
programs. Effective controls over the change process help ensure that computer
program modifications are implemented only if they are properly requested,
designed, tested, and approved. Failure to adequately control the program change
process could lead to programs with errors or program changes that are inadequate
and require additional resources to implement. For instance, in an audit released in
January 2005, auditors identified computer errors in the Department’s
Unemployment Insurance Program that potentially have subjected Arizona
employers to fines and assessments by reporting inaccurate information to the U.S.
Internal Revenue Service. Due to an apparent lapse in adequate testing,
programmers were unable to fix this problem during the course of the previous audit.
The Department should standardize the program change process throughout its
programming teams. Auditors found that the program change process varied
considerably among the 20 programming teams. The lack of a uniform, standardized
process increases the risk of inappropriate or inadequate changes being introduced
into a system. In addition, programming teams were unable to provide testing
documentation. DTS is making efforts to address both of these weaknesses. DTS is
developing a documented program change management policy and plans to apply
this policy to all programming teams. In addition, DTS acquired an automated testing
tool that will allow it to conduct well-documented and extensive testing of program
changes, which it plans to implement in July 2005.
Department has made progress in disaster recovery (see pages 27 through 31)
Although the Department has not completed a disaster recovery plan for its
computer systems, it has begun to take steps to implement this goal and to join in a
state-wide agency planning effort. Disaster recovery planning allows critical services
to continue in the event of damage to an entity’s computer systems. In 2002, the
Department purchased a computer software planning system for disaster recovery,
but due to staff vacancies made little progress in completing the required
information.
Beginning in calendar year 2004, the agency has increased its disaster recovery
efforts. For example, it began regular off-site remote backups of data and hired a
disaster recovery manager. Further, along with other state agencies, it obtained one-year
funding in fiscal year 2005 for emergency computer facility (“hot site”) services
and purchased hardware to allow for faster backups of its data. The Legislature
approved additional funding for fiscal year 2006, although it reduced the
Department’s appropriation from the previous fiscal year.1 The Department also has
begun plans to redirect its computer network to the hot site in the event of an
emergency, and has started daily backups of critical system data. Finally, in addition
to its own efforts, the Department is meeting with other state agencies to discuss
planning for state-wide disaster recovery solutions. However, the Department needs
to finish documenting its disaster recovery plan.
1 JLBC’s recommendation stated that the reduced appropriation for fiscal year 2006, which was made from the Risk
Management Fund, could generate federal matching fund monies. However, because the Fund includes federal monies,
the Department is working with the State Comptroller’s Office to determine whether and how this can be done while
complying with restrictions on federal monies.
TABLE OF CONTENTS
Introduction & Background .... 1
Finding 1: Controls over data security need improvement .... 9
  Access controls should protect data .... 9
  Weaknesses exist in protecting data .... 10
  Department has not provided sufficient central oversight .... 12
  Recommendations .... 15
Finding 2: Information in local area networks and computers not adequately protected .... 17
  LAN/computer support important to system security and operability .... 17
  Computers and networks not adequately protected .... 19
  Department has not provided sufficient central oversight .... 21
  Recommendations .... 22
Finding 3: Department could improve its management of computer program changes .... 23
  Effective change process important to system functionality .... 23
  Current change process lacks consistency .... 24
  Recommendations .... 25
Finding 4: Department has made progress in disaster recovery .... 27
  Disaster recovery planning minimizes service disruption .... 27
  Department has improved disaster recovery planning .... 28
  Comprehensive solutions require state-wide planning .... 29
  Recommendations .... 31
Agency Response
Tables:
  1 Schedules of Revenues and Expenditures, Years Ended June 30, 2003, 2004, and 2005 (Unaudited) .... 4
  2 Examples of Common Information Technology Controls .... 6
  3 Deficient Access Controls in the Department as of November 2004 .... 11
  4 Status of Disaster Recovery Planning Activities as of February 2005 .... 30
Figure:
  1 Example of a Simple Local Area Network Connected to the Internet .... 18
INTRODUCTION & BACKGROUND
The Office of the Auditor General has conducted a performance audit of the Arizona
Department of Economic Security’s information security pursuant to a November 20,
2002, resolution of the Joint Legislative Audit Committee. This audit addresses four
major aspects of the Department’s controls over computer-based information:
• Controls over access by employees and others who use the data
• Protection of computers and local area networks (LANs) against virus attacks and other intrusions or data losses
• Procedures for making changes to computer programs
• Contingency planning for restoring service in the event of a major system failure
The audit was conducted as part of the sunset review process prescribed in Arizona
Revised Statutes (A.R.S.) §41-2951 et seq and is the third in a series of six reports on
the Department of Economic Security (Department). The first report reviewed the
Department’s welfare programs (Auditor General Report No. 04-02) and the second
its unemployment insurance program (Auditor General Report No. 05-01).
Subsequent reports will examine the Department’s service integration initiative, the
Division of Developmental Disabilities, and the Department’s performance in light of
the sunset factors contained in Arizona statutes.
Sensitive client and benefits data increases importance of security
Because the Department uses its information systems to maintain sensitive client
data and process benefits, the security of these systems is critical. The Department
reports that it has more than 80 different information systems, and estimates that it
serves more than one million children, adults, and families each month, and it uses
its computers to perform a range of functions involving client data. For example,
computer systems assist the Department in tracking child welfare cases, monitoring provider information and bill payments information for people with developmental disabilities, and determining eligibility for potential Temporary Assistance for Needy Families (TANF) clients. The Department’s systems also assist in processing client
benefits, such as TANF cash benefits and unemployment insurance. In fiscal year
2004, the Department used its systems to process $175 million for TANF cash
benefits and approximately $395 million in unemployment claims.
Thousands of employees of various agencies use the Department’s systems. In all,
there are nearly 14,100 user accounts giving access to the system. Approximately
11,730 accounts are for internal department use. In addition, more than 2,350 users,
including local, state, tribal, federal, and private agencies, access the Department’s
systems. For example, other government agencies and private providers access the
Department’s systems to determine eligibility for programs such as employment
assistance or housing and to coordinate service delivery for people with
developmental disabilities.
Information technology management
The Department manages its information technology (IT) systems through a
combination of centralized and decentralized management approaches. DTS
manages some aspects of the Department’s systems centrally, while other divisions
manage other aspects for their own systems.
IT Functions—Division of Technology Services (DTS): DTS staff manage several
department-wide information technology functions. For example, DTS operates
and maintains the Department’s mainframe computer and network, and its staff
perform programming changes required for the Department’s systems. DTS
also has responsibility for disaster recovery planning for the Department’s
mainframe and central server farm in the event of damage or destruction to its
Data Center. Additionally, DTS is responsible for developing policies and
procedures for the entire agency and for ensuring that the Department complies
with state-wide policies established by the State of Arizona’s Government
Information Technology Agency (GITA), as well as any federal requirements.
IT Functions—Other Divisions: Other divisions also employ their own IT staff to
manage several important information technology functions. For example, the
divisions are responsible for user account management, including approving or
terminating a user’s access to the division’s computer system and assigning
access rights within a system. The divisions also perform their own local area
network (LAN) and desktop support duties. Specifically, they are responsible for
installing, configuring, upgrading, and maintaining their servers, workstations,
and computer peripherals.
Budget and staffing
The Department’s budget and staffing for information technology functions are also
divided between DTS and other divisions:
Division of Technology Services—As of March 24, 2005, DTS had 359
authorized FTE positions with 76 vacancies. DTS is organized into the following
units:
Assistant Director’s Office (8 authorized positions, 3 vacancies)—The
Assistant Director is the chief information officer of the Department and
conducts agency-wide information technology planning activities, such as
disaster recovery planning.
Data Center Services (65 authorized positions, 14 vacancies)—Manages
all Data Center operations, functions, and procedures. The Department
reports that the Data Center processes, on average, more than 2.5 million
online business transactions each day.
Technical Support (51 authorized positions, 8 vacancies)—Manages the
Department’s mainframe operating and database systems, its centrally
located server hardware and software, and other information technology
networks.
Systems and Programming (159 authorized positions, 31 vacancies)—
Designs, develops, and maintains the Department’s primary IT systems.
DTS assigns programming personnel to specific programming teams that
assist specific divisions.
Support Services (22 authorized positions, 8 vacancies)—Provides
services such as budget and fiscal management and agency-wide
information technology planning activities.
Information Security Administration (5 authorized positions, 0 vacancies)—
Initiates and maintains measures to protect the Department’s computer
hardware, software, and associated data against improper use,
modification, or loss.
Customer Service Support Center (49 authorized positions, 12
vacancies)—Responds to help desk calls, repairs PCs, and is responsible
for the installation and maintenance of mainframe and other system
hardware and software.
As shown in Table 1, estimated fiscal year 2005 revenues for DTS are approximately
$32.4 million, including special line items for lease purchasing of nearly $7 million and
for disaster recovery of approximately $750,000. Estimated fiscal year 2005 General
Fund monies for DTS total approximately $6.4 million. The majority of DTS’ operating
expenditures are for personnel-related expenses.
Other Divisions—Although staff outside of DTS also perform IT-related functions, auditors were unable to obtain a reliable estimate for the number of staff assigned to IT duties across the other divisions because the Department does not use standardized position requirements for staff who perform duties such as user account management. However, according to DTS, as of March 2005, there were 23 separate security groups across the divisions, with 67 security representatives. In addition, as of February 2005, according to DTS, there were 22 separate groups that support local area networks and computers across the divisions that employ a total of at least 72 network specialists.

Table 1: Schedule of Revenues and Expenditures (1)
Years Ended June 30, 2003, 2004, and 2005
(Unaudited)

                                                          2003 (Actual)   2004 (Actual)   2005 (Budgeted)
Revenues:
  State General Fund appropriations                         $8,107,903      $7,273,112      $8,116,569
  Government grants and contracts:
    Federal Centers for Medicare and Medical Services
      Research, Demonstrations, and Evaluations              6,037,169       6,025,094       6,368,799
    Federal Child Support Enforcement                        3,730,251       2,949,418       3,522,562
    Federal Unemployment Insurance                           2,981,122       2,826,739       3,065,696
    Federal Temporary Assistance for Needy Families          1,712,780       1,481,211       1,685,150
    Federal Food Stamps Cluster                              1,329,074       1,720,849       1,612,514
    Federal Social Services Block Grant                      1,045,811       1,221,375       1,198,039
    Other                                                    4,382,019       4,450,802       4,664,101
  Child support incentives (2)                               1,631,989       2,263,371       2,060,222
  Miscellaneous                                                 76,640         182,357         137,332
Total revenues                                             $31,034,758     $30,394,328     $32,430,984
Expenditures:
  Personal services and employee-related                   $16,932,868     $16,914,266     $17,805,643
  Professional and outside services                            555,981         443,928       1,285,204
  Travel                                                        34,372          36,415          93,041
  Other                                                      4,067,953       3,904,281       4,777,876
  Equipment                                                  9,443,584       9,095,438       8,469,220
Total expenditures                                         $31,034,758     $30,394,328     $32,430,984

(1) Although amounts for 2003 and 2004 are actual revenues and expenditures as of April 20, 2005, the Department anticipates further administrative adjustments for those years.
(2) Amount that is recovered by the Division of Child Support Enforcement from families who received Temporary Assistance for Needy Families. These monies are considered incentives and, therefore, are not considered federal monies.
Source: Auditor General staff analysis of Arizona Department of Economic Security-provided financial information for the years ended June 30, 2003 and 2004, from its Financial Management Control System as of April 20, 2005, and budgeted information for the year ended June 30, 2005.
Standards for information security
This audit reviewed information security controls in four areas: access controls, local
area network (LAN) and desktop computer management, program change controls,
and disaster recovery management. GITA develops standards for information
security controls for state agencies. At the national level, the National Institute of
Standards and Technology develops standards, and the U.S. Government
Accountability Office provides auditing guidelines for information security. Table 2
(see page 6) lists some of the more important controls necessary for effective
information security.
Audit scope and methodology
This audit focused on the security of the Department’s information systems and the
adequacy of its information security controls. It includes four findings and associated
recommendations.
• The Department should improve its oversight of access controls, including (1) gaining authority to and then performing background checks on personnel according to the sensitivity of their position, (2) ensuring that employees receive the mandatory new hire computer security training course, (3) developing a job description of security representatives with minimum qualifications and description of duties, and (4) continuing to perform compliance reviews to ensure that security policies are followed.
• The Department should improve its oversight of LAN/desktop computer support duties, including (1) completing efforts to deploy software for controlling the implementation of security updates, (2) ensuring employees understand its acceptable use policy regarding software downloaded from the Internet, and monitoring compliance with its policy, (3) establishing a time frame by which all divisions and administrations must install centrally controlled virus protection software, and (4) establishing minimum training requirements for LAN staff that ensure staff have and maintain adequate skill levels.
• The Department should ensure that computer program changes are better controlled by continuing with its efforts to develop and implement policies to help standardize the process, and to implement an automated testing tool to improve documentation of program changes that it has acquired.
• The Department should complete its disaster recovery plan for information technology systems and add new initiatives it has recently undertaken for disaster recovery.
Auditors used several methods to review the issues addressed in this audit. Audit methods included interviews with department management and staff and review of relevant statutes, rules, policies, and procedures. Auditors also reviewed information technology security standards as defined by GITA and by federal sources such as the U.S. Government Accountability Office.

Table 2: Examples of Common Information Security Controls

Access controls and security-related personnel policies
  • Policies and procedures for managing user accounts
  • User access limited to the minimum set of resources required for user’s role
  • Background checks of users
  • Security awareness training for users
LAN and desktop computer management
  • Policies and procedures restricting the use of software downloaded from the Internet to protect against spyware, adware, and other forms of malicious software
  • Access to Internet and shared platforms restricted to authorized employees and contractors
  • Regular installation of security patch updates
  • Regular installation of virus protection updates
  • Barriers or firewalls to prevent unauthorized access and protect sensitive internal information
Program change controls
  • Adequate controls for computer program changes so that all changes are appropriately requested, designed, tested, approved, and implemented
  • Testing of changes
  • Documentation of program changes showing supervisory approval, when and how changes are made, and testing information
Disaster recovery
  • Regular data backup and remote storage
  • Plan for restoring services and recovering systems and data
  • Periodic testing of restoration and recovery procedures
Source: Auditor General staff compilation of information from GITA security standards and the U.S. Government Accountability Office Federal Information System Controls Audit Manual (1999).
In addition, to obtain background information for this audit, auditors reviewed
unaudited department reports and records, such as the State Fiscal Year 2004 DES
annual report, a list of the Department’s mainframe security system’s user account
information, FTE data for DTS, and descriptive information about DTS organization
and functions.
Additionally, auditors used the following specific methods in reviewing each area:
To evaluate the Department’s access control practices, auditors analyzed
mainframe user accounts to identify old and unused accounts or accounts
whose passwords were not set to expire at regular intervals. To evaluate the
Department’s compliance with standards regarding computer security training
for new employees, auditors reviewed the training transcripts of 50 randomly
selected department employees. To gain a better understanding of what security
representatives should do, auditors obtained information from two other state
agencies regarding the job descriptions and salary classifications of
comparable staff.1
To evaluate whether local area networks and computers are adequately
protected, auditors met with LAN managers from 4 LAN support groups and
analyzed reports on 39 computers provided by those 4 groups.2 In addition,
auditors conducted visits to offices supported by 3 different LAN support groups
and reviewed a total of 20 computers in those visits.3 During these field office
visits auditors evaluated whether security patches had been installed, inspected
desktop computers for the presence of software downloaded from the Internet
that could introduce viruses or spyware into the network, and also reviewed for
the presence and status of virus protection software.
To review the program change process, auditors randomly selected ten program
changes for the month of October 2004 from four of the larger department
systems.4 Auditors subsequently met with the team leaders for each of the
teams responsible for those systems to review program change documentation,
how the process is performed in their team, and to review testing practices.
1 Auditors received information from the Departments of Transportation and Administration, two other large state agencies
that handle user account management duties.
2 Auditors met with and received reports from LAN managers in the Division of Developmental Disabilities; the Division of
Children, Youth and Families; the Division of Employee Services and Support; and the Division of Employment and
Rehabilitation Services—Employment Administration.
3 Auditors conducted visits to field offices supported by LAN staff from the Division of Developmental Disabilities; the
Division of Children, Youth and Families; and the Division of Employment and Rehabilitation Services—Employment
Administration.
4 Major systems corresponded to the Division of Benefits and Medical Eligibility—Family Assistance Administration; the
Division of Child Support Enforcement; the Division of Children, Youth and Families; and the Division of Employment and
Rehabilitation Services—Employment Administration.
To assess the status of the Department’s disaster recovery plan, auditors
reviewed the computer software disaster recovery planning program the
Department purchased and a staff outline showing steps completed in the
planning process. Auditors also reviewed logs of backup tapes for agency data
and results of tests to reduce backup time. Additionally, auditors reviewed a tri-agency
Project Investment Justification (PIJ) that the Arizona Information
Technology Committee approved for disaster recovery planning as well as
vendor contracts for the provision of temporary emergency computer services
and storage of the Department’s backup tapes.
The audit was conducted in accordance with government auditing standards.
The Auditor General and staff express appreciation to the director of the Department
of Economic Security, the director of the Division of Technology Services, and their
staff for their cooperation and assistance throughout the audit.
FINDING 1
Controls over data security need improvement
The Department needs to establish better access controls over its information
systems and strengthen central oversight of data security. Access controls and other
aspects of the security environment should be strengthened throughout the
Department to prevent subjecting confidential
information to potential loss or disclosure. Although the
Department has recently begun to strengthen central
oversight, its monitoring and supervision of data security
functions still needs improvement. Account
management practices within individual divisions are
generally poor. For instance, department units vary
greatly in the qualifications they have established for
employees responsible for data security, and newly
hired employees are not necessarily receiving the
mandatory computer security training the Department
has established.
Access controls should protect data
Access controls should be designed to protect
computer systems and data from unauthorized
modification, loss, or disclosure. For example, access
controls should ensure that security privileges, such as
the ability to create, update, or delete user accounts and
reset passwords, are limited only to those people who
need this function to perform their job duties. Weak
access controls increase the risk of fraud or identity theft,
or the loss of data integrity. As noted in the text box, the
Department has experienced internal security incidents
in the past.
Data Security Incidents
Identity theft—In 2001, an employee of a contractor
that administered public assistance programs
admitted to Phoenix Police and the Department’s
Office of Special Investigations that she printed out
the personal information of welfare recipients from a
department system, and then sold that information.
Social engineering—During 2001-2002, a
department employee used a social engineering
technique to access the account of a coworker who
was on leave and used that account to fraudulently
issue herself more than $50,000 in welfare benefits.
Social engineering is any technique that manipulates
individuals to disclose or alter passwords, allowing
others to gain unauthorized access.
Fraud—Because the Department cannot legally
perform background checks on people with access to
its systems, it unknowingly hired an individual with a
criminal record for fraud who lied on her application.
This woman subsequently committed fraud against
the Department in excess of $100,000. This incident
occurred between 1992 and 1994, but the
Department still does not have authority to perform
background checks on eligibility interviewers like this
former employee.
Each division within the Department manages its own access controls. They hire their
own security representative(s) to create user accounts, assign individuals’ access to
data and resources, and manage user accounts. While every division has at least
one security group, some divisions have multiple security groups designated to
assist specific business units. According to DTS, as of March 2005 there were 23
separate security groups, with 67 security representatives. DTS has recently begun
to address department-wide security issues through its Information Security
Administration. Within the past year the Information Security Administration has
begun to perform compliance reviews and general assessments of information
security throughout the Department.
Weaknesses exist in protecting data
The Department’s current security environment and access controls should be
strengthened. Auditors found that the Department does not effectively manage its
user accounts. While it is beginning to address some of the deficiencies, the
Department needs to take additional steps to improve.
Controls to restrict access and protect data need improvement—As
shown in Table 3 (see page 11), the Department lacks several controls to help ensure
that data is adequately restricted and protected. Auditors found that these
weaknesses are common throughout the Department and indicate that the
Department is not in compliance with GITA state-wide standards. These weaknesses
increase the risk that employees have too much access or authority to sensitive data
and that unauthorized access could occur through old and unused accounts.
Because auditors were primarily assessing system controls, they did not attempt to
identify actual cases in which a breach of security occurred. However, auditors did
observe situations that illustrate the potential for such occurrences. Table 3 (see page
11) explains the controls required in state and national standards and describes the
situations that auditors found regarding them.
Department is taking action, but needs to do more—During the course
of the audit the Department began to address some of the issues identified in Table
3 (see page 11). For example, DTS has begun to address the high number of user
accounts with security administration privileges by removing these privileges from
some accounts.
Table 3: Deficient Access Controls in the Department as of November 2004

Reviewing access rights
Necessary control: Access rights should be reviewed periodically to ensure that access to resources is granted only to those who need them to perform their jobs.
Conditions found:
• In general, security representatives do not review access rights on a regular basis to ensure users’ access to data and authority to create, modify, or delete records is appropriate.
Potential threat: Failure to ensure appropriate access rights could permit employees to improperly access confidential or other sensitive data without a need to do so.

Assigning special privileges
Necessary control: Security and account privileges, which provide the authority to perform special functions, such as creating, updating, and deleting user accounts, should be defined and properly restricted.
Conditions found:
• The Department has not defined who should have security administration privileges, nor documented why they need such privileges. Individuals range from a grade 8 clerical pool staff to division management.
• More than 80 individuals had security administration privileges, more than the number of individuals managing user accounts at two large state agencies: the Departments of Transportation and Administration. Many of these people do not use or need this privilege and many are not members of their unit’s security group.
• Some security accounts belong to individuals who either left their division or transferred to a job that does not need such special privileges.
Potential threat: Failure to appropriately restrict security administration privileges increases the risk that unauthorized accounts may be created and data improperly accessed. In addition, individuals may not be properly trained or qualified for special privileged access.

Updating passwords
Necessary control: Users should have to change their passwords regularly. According to department policy, passwords should be changed at least once every 30 days.
Conditions found:
• More than 200 accounts assigned to individuals do not require users to change their passwords at regular intervals. For instance, one employee has not changed his password in nearly 2 years.
Potential threat: Not changing passwords on a regular basis increases the risk of passwords being discovered and used by unauthorized users.

Removing unused user accounts
Necessary control: Unused accounts should be removed from the system regularly, as appropriate. According to department policy, unused accounts should be deleted after 90 days of disuse.
Conditions found:
• More than 2,000 user accounts have not been accessed for 90 days or more (nearly 900 belong to specific individuals, while the rest are training or system accounts), and more than 1,300 of those accounts have not been accessed in over a year.
• More than 1,100 user accounts have never been used (more than 950 belong to specific individuals).
Potential threat: The presence of old and unused accounts increases the risk that people who should no longer have access may continue to access systems, or that other people, such as hackers, may discover and use the accounts to access systems. This is an especially serious risk in the Department because its mainframe security software does not automatically lock out a user after 90 days of disuse.

Source: Auditor General staff analysis of the Department’s 14,082 mainframe user accounts as of November 29, 2004; follow-up interviews
with security group personnel located in divisions and programs throughout the Department; review of department policies; and
guidelines from the U.S. Government Accountability Office’s Federal Information System Controls Audit Manual (1999).
In order to comply with standards regarding data security, DTS should continue to
develop new guidelines and improve practices in the following control areas:
Reviewing access rights—Security group personnel should conduct periodic
reviews of access rights to ensure these rights are appropriately defined, and
DTS should monitor security groups for compliance.
Special account privileges—DTS should define who needs security
administration privileges and what kind of authority is needed. The Department
should then use its mainframe security software to restrict the authority of
accounts with appropriate security administration privileges. For example, a
user who needs only to reset passwords should not be granted full security
administration privileges. DTS needs to collaborate with the divisions to define and restrict
security administration privileges to the minimum level required for employees
to perform their duties. In March 2005, DTS completed a review of accounts with
security privileges. As a result, it deleted some accounts and reduced privileges
for some others.
Passwords and user account management—In March 2005, the Department
adopted a new policy governing account management. This policy requires the
production of a monthly report that shows all users who have not accessed the
Department’s mainframe in 30 days, and another report showing users who
have not accessed it in 90 days. In addition, in April 2005, DTS updated its
access control policy to set forth clear guidelines related to deleting old and
unused accounts. DTS should monitor compliance with these new and updated
policies to ensure that old and unused accounts are properly deleted and
account passwords are changed at least every 30 days.
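The mainframe account analysis described in the audit methods and in Table 3 (old and unused accounts, passwords not set to expire, and security-administration privileges held by people who do not need them) can be reproduced with a short script over an export of the security system's user records. The following is an added example written for this page, not the Auditor General's or the Department's own tooling. The CSV layout, the sample rows and the ANALYSIS_DATE constant are constructed; the 30-day password and 90-day disuse thresholds are the department policy values the report quotes.

```python
"""Account-hygiene review of a mainframe security-system user export.

Added example for this page, not code from the audit report or the Department.
It applies the Finding 1 checks to an exported list of user accounts: accounts
never used, accounts idle 90 days or more (and a year or more), passwords that
the security system never forces to expire or that are past the 30-day change
policy, and security-administration privileges held by people outside a
security group or on idle accounts. The CSV layout, the sample rows and
ANALYSIS_DATE are constructed; the thresholds are the policy values the report
quotes.
"""
import csv
import io
from datetime import date, datetime
from typing import Dict, List

PASSWORD_MAX_AGE_DAYS = 30          # department policy: change at least every 30 days
DISUSE_DAYS = 90                    # department policy: delete after 90 days of disuse
ANALYSIS_DATE = date(2004, 11, 29)  # the report's as-of date for the account analysis

# Constructed sample export. Real mainframe security products each have their
# own report formats; the column names here are assumptions for the example.
# pw_interval_days = 0 means the security system never forces a password change.
SAMPLE_EXPORT = """\
userid,owner,kind,last_access,pw_last_changed,pw_interval_days,security_admin,in_security_group
U10001,A. Smith,person,2004-11-22,2004-11-01,30,no,no
U10002,B. Jones,person,2004-11-28,2003-01-15,0,no,no
U10003,C. Lee,person,2004-06-01,2004-05-20,30,no,no
U10004,D. Kim,person,,2004-09-01,30,no,no
U10005,E. Diaz,person,2003-08-04,2003-08-04,30,yes,no
U10006,F. Wu,person,2004-11-29,2004-11-15,30,yes,yes
TRN0001,training,system,2004-02-10,2004-02-10,0,no,no
"""


def _parse_date(text: str):
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def parse_export(text: str) -> List[Dict]:
    """Parse the CSV export into records with typed fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "userid": row["userid"],
            "kind": row["kind"],
            "last_access": _parse_date(row["last_access"]),
            "pw_last_changed": _parse_date(row["pw_last_changed"]),
            "pw_interval_days": int(row["pw_interval_days"]),
            "security_admin": row["security_admin"] == "yes",
            "in_security_group": row["in_security_group"] == "yes",
        })
    return records


def review_accounts(records: List[Dict], as_of: date = ANALYSIS_DATE) -> Dict[str, List[str]]:
    """Apply the Finding 1 checks; returns check name -> offending user IDs."""
    findings: Dict[str, List[str]] = {name: [] for name in (
        "never_used", "dormant_90", "dormant_365",
        "nonexpiring_password", "password_overdue",
        "admin_outside_security_group", "admin_dormant")}
    for r in records:
        uid = r["userid"]
        idle = None if r["last_access"] is None else (as_of - r["last_access"]).days
        if idle is None:
            findings["never_used"].append(uid)
        else:
            if idle >= DISUSE_DAYS:
                findings["dormant_90"].append(uid)
            if idle >= 365:
                findings["dormant_365"].append(uid)
        # An interval of 0 (never forced) or longer than policy both violate the 30-day rule.
        if r["pw_interval_days"] == 0 or r["pw_interval_days"] > PASSWORD_MAX_AGE_DAYS:
            findings["nonexpiring_password"].append(uid)
        if r["pw_last_changed"] is None or (as_of - r["pw_last_changed"]).days > PASSWORD_MAX_AGE_DAYS:
            findings["password_overdue"].append(uid)
        if r["security_admin"]:
            if not r["in_security_group"]:
                findings["admin_outside_security_group"].append(uid)
            if idle is None or idle >= DISUSE_DAYS:
                findings["admin_dormant"].append(uid)
    return findings


def summarize(findings: Dict[str, List[str]], records: List[Dict]) -> Dict[str, Dict[str, int]]:
    """Totals per check, split out for accounts belonging to specific individuals."""
    kind_of = {r["userid"]: r["kind"] for r in records}
    return {check: {"total": len(ids),
                    "person": sum(1 for u in ids if kind_of[u] == "person")}
            for check, ids in findings.items()}


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    found = review_accounts(recs)
    for check, counts in summarize(found, recs).items():
        print(f"{check:30s} total={counts['total']:3d} individuals={counts['person']:3d}  {found[check]}")
```

Run against a real export, the "person" split in the summary gives the same breakdown the report makes between accounts belonging to specific individuals and training or system accounts, and the admin_dormant and admin_outside_security_group lists are the starting point for the privilege review recommended above.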
Department has not provided sufficient central oversight
The existence of general security concerns, such as poor user account
management, appears to be related to a lack of central oversight of the separate
security groups, security representatives, and the activities they perform, as well as a
historically weak internal security structure. The Department can improve central
oversight by adding an IT audit function, better defining its internal security structure
and security representative job requirements, ensuring new employees receive
mandatory computer security training, and obtaining legal authority to conduct
background checks of employees in sensitive positions.
Access rights—privileges that define the extent to which an individual can access computer systems and use or modify the programs and data.
Lack of central review for security compliance—Historically, the
Department has not provided central oversight of security functions. However, DTS
established an Information Security Administration in September 2003, and has
recently begun to perform some compliance reviews and general assessments of
information security throughout the Department. The Information Security
Administration should continue to conduct compliance reviews and assessments,
develop a schedule of regular reviews, and establish policies and procedures or a
manual to document its practices. In addition, the Information Security Administration
should develop a follow-up process to ensure divisions appropriately comply with
recommendations.
While DTS’ activities will help improve central oversight, the Department needs to
augment this review. The Department does have an internal auditing group, but it
currently does not audit IT issues. In addition, the Department has never undergone
an external independent third-party review of its information security. An internal IT
audit function is important because it helps the Department obtain effective and
efficient security controls. In addition, other state agencies, such as the Departments
of Transportation and Administration, have contracted with external experts to
perform security assessments to review the adequacy of their IT structures. Although
such security assessments may cost several hundred thousand dollars, they
provide independent assurance that certain state and federally mandated standards
are met. According to DTS management, if and when the Department decides to
acquire an external review, it will then identify an appropriate funding source. The
Department should establish an internal IT audit function. In addition, the Department
should consider contracting for an independent security assessment.
Department has not defined security representative position—The
Department has not created a job position, description, or minimum qualifications for
security representatives. Instead, each security group decides who to hire and to
some extent their job responsibilities. As a result, auditors found that one division has
security representatives with backgrounds in information technology. These security
representatives are paid substantially better than those in other security groups,
which use support and clerical staff to perform the same functions. By comparison,
the Departments of Transportation and Administration have job descriptions,
minimum qualifications, and pay grades for their employees who manage user
accounts. These employees are paid salaries greater than the Department’s security
representatives noted above. Some essential tasks of such positions include user
account management, monitoring user access, and investigating security violations.
The Department developed a draft job description in June 2005, which contains the
minimum qualifications for a security representative. The Department should adopt
this job description to ensure that only individuals who meet these qualifications are
authorized to conduct security representative duties.
Security representative job resources and training inadequate—In
addition to lacking a job description and minimum qualifications for security
representatives, the Department does not have a manual explaining what security
representatives should do, and does not provide them regular training. The
Department should develop a manual regarding the duties of a security
representative that can be used as a reference resource and ensure that adequate
training is provided so that they understand their jobs and duties. Currently, the
Department considers only employees who handle mainframe access rights to be
security representatives. However, in some divisions other personnel handle system
application access rights and therefore could also be considered security
representatives. The Department needs to identify these people who perform similar
duties, include them as security representatives, and ensure they meet certain
minimum qualifications and receive appropriate training.
Not all newly hired employees receive computer security training—
GITA standards require that all state employees receive computer security training
prior to being allowed computer access, and the Department has a similar policy.
The Department’s training informs employees of its security practices. For instance,
the training manual tells employees that they should never divulge their passwords
to anyone. However, in a random sample of 50 employee training records maintained
in a central training database, only 21 (42 percent) department employees had taken
this mandatory course. According to the Department’s training management, the
Department has failed to create tracking and follow-up mechanisms to ensure that
all new hires receive this mandatory training. The Department should ensure that all
employees receive this mandatory training and monitor for compliance.
Department lacks legal authority to conduct background checks on
key personnel—Background checks are an important tool in making sure that
untrustworthy individuals who might commit identity theft or fraud, or otherwise
compromise data integrity, are not hired or placed in positions of trust. According to
Arizona Revised Statutes, noncriminal justice agencies must receive either statutory
authority or an executive order granting them the ability to conduct background
checks for the purpose of hiring particular employees. However, the Department
does not have this authority, other than for some employees who work with juveniles
or children. Another state agency, the Department of Administration, has statutory
authority to request criminal background information on IT personnel.
The Department should determine which positions involve the security and access of
sensitive information and therefore merit a background check. The Department
should then request the authority, through statute or an executive order, and ensure
background checks are conducted on those individuals. In addition, periodic
background checks should be conducted on long-term employees in accordance
with the sensitivity of their position.
Recommendations
1. In order to address user account weaknesses, DTS should:
a. Create guidelines requiring periodic reviews of access rights to ensure that users
have only the access that they need to perform their jobs.
b. Define who needs security administration privileges, and what kind of authority they
need, so that these privileges can be restricted to the minimum levels required for
employees to perform their duties.
c. Monitor compliance with new and updated policies addressing account
management and access control to ensure that old and unused accounts are
properly deleted and account passwords are changed at least every 30 days.
2. The Information Security Administration should continue to conduct compliance
reviews and assessments, develop a schedule of regular reviews, and establish
policies and procedures to document its practices including a follow-up process
to ensure divisions comply with recommendations.
3. In order to increase compliance with security requirements, the Department
should:
a. Establish an internal IT audit function.
b. Consider contracting for an independent security assessment.
4. In order to ensure that security representatives know their duties and are
capable of doing them, DTS should work with security groups to:
a. Adopt a job description with minimum qualifications for security representatives
and ensure that only individuals who meet these qualifications are authorized to
conduct these duties.
b. Develop a manual regarding the duties of a security representative as a reference
source.
c. Ensure that security representatives understand their job duties and receive
periodic training.
d. Identify other individuals who perform duties similar to security representatives;
specifically, those who perform system application (non-mainframe) access right
duties, and ensure that they understand their job duties and receive periodic
training.
5. The Department should ensure that new employees receive the mandatory
computer security training.
6. The Department should determine which positions involve the security and
access of sensitive information and therefore merit a background check. It
should then request the authority, either through statute or an executive order, to
conduct background checks and ensure background checks are conducted on
those individuals. The Department should also conduct periodic background
checks on long-term employees in accordance with the sensitivity of their
position.
FINDING 2
Information in local area networks and computers
not adequately protected
The Department needs to improve management of its local area networks (LANs)
and computers to better ensure system security and operability. Good management
of LANs and computers provides protection against virus attacks, unauthorized
intrusion, and possible loss of data. However, the Department does not adequately
ensure that virus protection updates and security patches, which fix known security
vulnerabilities that could be exploited by outside threats, are up-to-date, and that employees do not
download unsafe software from the Internet. While the Department is taking some
steps to improve security, it could do more.
LAN/computer support important to system security and
operability
Local area networks connect computers within a limited geographic area so that they
can share information, share computer peripherals such as printers, and access
systems and data that support their job functions. (See Figure 1, page 18, for an
illustration of a LAN.) Separate LANs can be connected to form larger networks, as
is the case within the Department. The Department uses larger networks to connect
computers throughout the State to each other and to central data repositories. For
example, the Division of Children, Youth and Families’ employees use their network
connection to use shared devices in field offices, such as printers, and to access the
Internet, e-mail, the Division’s computer systems, and any other department
computer systems that a given employee is authorized to use.
The Department manages LAN/computer security in a decentralized manner. Each
division operates one or more local LAN support units by hiring its own network
support specialists who install, configure, upgrade, and
maintain the local area networks, servers, and computers.
According to DTS, there are 22 separate local LAN support
units, with 72 network specialists in those groups. DTS,
through its own LAN manager, conducts monthly meetings
for LAN support staff during which entity-wide issues may
be discussed.
Securing local area networks and computers is important
so that viruses or security weaknesses in one computer
cannot negatively impact other computers in the network,
and to prevent unauthorized access into systems and
data. For example, in August 2003 the Department, along
with other entities that failed to implement a specific
security patch update, was infected by the Nachi virus (see
text box). This virus quickly spread throughout the
Department and increased network traffic by about eight times its normal rate,
bringing down or limiting system operability for about 2 days throughout the
Department. The Department’s virus protection software detected about 134,000
infections by the Nachi virus during one week. The attack propagated because
security patches had not been applied to the Department’s computers.

Example of Nachi Virus Infection at the Department
Discovery date—August 18, 2003
Method of infection—Spreads by exploiting a vulnerability in Microsoft Windows. Irrespective of virus protection, if the machine is not patched, it is susceptible to attack.
Resolution—Apply Microsoft security update MS03-026 and then disinfect the system with a virus removal program.
Intentions of the virus—Spreads by exploiting a hole in Microsoft Windows. It instructs a computer to download and execute the virus from the infected host.
Source: McAfee, Inc. Web site, reviewed March 29, 2005.

Figure 1: Example of a Simple Local Area Network Connected to the Internet
[Diagram showing the Internet, a firewall, a router, a server, three switches, three user groups (User Group 1, User Group 2, User Group 3), and a printer.]
Source: Auditor General staff.
Computers and networks not adequately protected
The Department needs to improve management of its LANs and computers to better
protect them against possible virus attacks, hackers, and possible loss of data.
Auditors found that local LAN support units do not consistently perform key security
functions such as installing security patches to protect computers from outside
threats, installing virus protection software, and prohibiting the download and
installation of Internet software that can contain harmful programs.
Security patches not installed—Timely installation of security patch updates is
vital in order to maintain the operational availability, confidentiality, and integrity of
information technology systems, but the Department is not ensuring that these
patches are deployed in a timely manner. Every operating system has vulnerabilities
that hackers can potentially exploit to attack a
system. For example, hackers have discovered
vulnerabilities in the Microsoft Windows operating
system. As a result, Microsoft regularly issues
critical security updates that are designed to patch
the security hole that has been identified. For
instance, one February 2005 security update is
necessary in order to help ensure that a computer
environment is not vulnerable to an outside attack
(see text box). If this update is not installed on the
machine, the computer environment may be
exposed to an unnecessary amount of risk.
Automated computer tools exist that allow
organizations to centrally control and install
security updates on all computers connected to a
given network. However, auditors reviewed the
practices in four different local LAN support units and found that only one of the four
uses an automated tool to ensure that updates are installed on all computers. Staff
in the other three local LAN support units stated that they perform security updates
only when they either physically go to the computer or remotely access it, installing
updates one computer at a time. Auditors reviewed 57 department computers and
found 55 computers missing one or more critical updates. Seven were missing more
than 20 updates, and some of the missing updates have been available since 2003.
For example, one update issued in October 2003 patches a vulnerability that could
allow an attacker to remotely control a computer if that computer’s user accesses a
Web site or views e-mail from someone with malicious intent. Microsoft recommends
that this patch be installed immediately.

Example of a Windows Security Update
Release Date—February 8, 2005.
Recommendation—Customers should apply the update immediately.
Vulnerability details—An attacker could exploit a vulnerability that could potentially allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Source: Microsoft Security Bulletin MS05-012.
In April 2005, the Department identified an automated tool that will allow it to centrally
control security updates for all Department computers. DTS reports it procured the
tool in June 2005, and plans to implement it in January 2006. According to
department officials, this will help ensure that the Department can respond to risks in
the computer environment in a more timely and effective manner. The Department
should implement the tool as planned. In addition, it should periodically monitor to
ensure that updates are installed on all computers.
Virus protection coverage recently improved—Antivirus software helps
protect a computer from virus attacks by detecting and removing computer viruses,
which in turn helps protect the network from attacks because the computer would
then not infect other computers in the network. The Department has recently
expanded the use of its centrally controlled virus protection software, but this
software is still not used uniformly. Since 2002, the Department has purchased an
annual license for an entity-wide version of virus protection that can be installed on
every machine in the Department and allows the Department to centrally control and
monitor to ensure that the most recent virus protection updates are received by every
computer. However, not every division is using this software to protect all of their
computers.1 The Department is in the process of moving all of its computers to this
centrally controlled process, and internal reports indicate the number of computers
receiving daily virus updates has increased from nearly 4,600 in November 2004 to
nearly 5,700 in February 2005. According to internal reports, about 2,000 computers
still remain outside the Department’s centrally controlled virus protection software.
The Department should create a time frame by which all divisions and
administrations must use this centrally administered virus protection software, ensure
that all computers have the virus protection software installed, and then monitor to
ensure that all computers regularly receive current updates.
Downloaded software poses risk—Downloading and installing software from
the Internet can potentially expose a computer environment to malicious code, and
currently not enough is being done to minimize this risk. When an employee installs
a free program from the Internet, he or she may also unknowingly be installing
adware, spyware, or other forms of malware (see text box on page 21). This software
can potentially allow outside users to discover passwords, slow or lock up a system,
and install other forms of malware. The Department has an acceptable use policy
which states that employees are prohibited from downloading and installing any
software program not specifically authorized by local IT management. However, when
auditors conducted field office visits of three divisions, they found
nonbusiness-related software downloaded from the Internet on 6 of 20 computers
reviewed. For example, auditors found a Web search tool that is known to also
install adware that logs the computer’s Internet activity, changes the Internet
browser, and displays advertisements. The Department should ensure that its
employees and local LAN support units understand its current acceptable use policy,
and monitor its divisions and employees for compliance. For example, local LAN
support units could conduct random reviews of computers to determine whether
nonbusiness-related software has been installed.
Seven computers were missing more than 20 critical security updates.
1 Staff in four local LAN support units said all their computers have at least a local version of virus protection installed. One
of these units provided a report indicating that all of its more than 600 personal computers have virus protection software
installed and are receiving weekly updates; however, ensuring that the entire network is protected would require checking
thousands of additional computers.
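The monitoring recommended in this finding (updates installed on every computer, every computer receiving current virus definitions, and no software outside the acceptable use policy) can be run as one check over an inventory of department computers. The following Python script is an added example, not part of the audit report or the Department’s tooling: the inventory layout, the approved-software list, the two-day definition-age threshold and the four sample machines are constructed assumptions; MS05-012 is the only bulletin named in the report, and a real baseline would list every update the Department classifies as critical.

```python
"""Fleet compliance check for three controls discussed in this finding:
critical security updates, current antivirus definitions, and approved
software only. Added example; the inventory format, approved list,
threshold and sample machines are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# The bulletin named in the report; a real baseline would list every
# update the Department classifies as critical.
REQUIRED_UPDATES: Set[str] = {"MS05-012"}

# Constructed allowlist of business software (assumption).
APPROVED_SOFTWARE: Set[str] = {
    "Office Suite",
    "Mainframe Terminal Emulator",
    "Antivirus Agent",
}

# Daily definition updates are expected; one missed cycle is tolerated.
MAX_DEFINITION_AGE_DAYS = 2


@dataclass
class Computer:
    name: str
    installed_updates: Set[str]
    # None means the machine is outside the centrally managed antivirus
    # and reports no definition date at all.
    av_definitions_date: Optional[date]
    installed_software: Set[str]


def check_computer(c: Computer, today: date,
                   required: Set[str] = REQUIRED_UPDATES,
                   approved: Set[str] = APPROVED_SOFTWARE,
                   max_age: int = MAX_DEFINITION_AGE_DAYS) -> Dict[str, object]:
    """Return the findings for one machine; an empty dict means compliant."""
    findings: Dict[str, object] = {}

    missing = sorted(required - c.installed_updates)
    if missing:
        findings["missing_updates"] = missing

    if c.av_definitions_date is None:
        findings["antivirus"] = "not centrally managed"
    else:
        age = (today - c.av_definitions_date).days
        if age > max_age:
            findings["antivirus"] = f"definitions {age} days old"

    unapproved = sorted(c.installed_software - approved)
    if unapproved:
        findings["unapproved_software"] = unapproved

    return findings


def audit_fleet(computers: List[Computer], today: date,
                **kwargs) -> Dict[str, Dict[str, object]]:
    """Map each non-compliant machine name to its findings."""
    report: Dict[str, Dict[str, object]] = {}
    for c in computers:
        findings = check_computer(c, today, **kwargs)
        if findings:
            report[c.name] = findings
    return report


def summarize(report: Dict[str, Dict[str, object]], total: int) -> Dict[str, int]:
    """Count machines per category, the figures a manager would track over time."""
    return {
        "total": total,
        "compliant": total - len(report),
        "missing_updates": sum("missing_updates" in f for f in report.values()),
        "antivirus": sum("antivirus" in f for f in report.values()),
        "unapproved_software": sum("unapproved_software" in f for f in report.values()),
    }


# Constructed sample inventory as of the audit's February 2005 snapshot.
AUDIT_DATE = date(2005, 2, 28)
SAMPLE_INVENTORY = [
    Computer("ws-01", {"MS05-012"}, date(2005, 2, 27),
             {"Office Suite", "Antivirus Agent"}),
    Computer("ws-02", set(), date(2005, 2, 27),
             {"Office Suite", "Antivirus Agent", "Web Search Toolbar"}),
    Computer("ws-03", {"MS05-012"}, None,
             {"Office Suite", "Mainframe Terminal Emulator"}),
    Computer("ws-04", {"MS05-012"}, date(2005, 2, 20),
             {"Office Suite", "Antivirus Agent"}),
]

if __name__ == "__main__":
    report = audit_fleet(SAMPLE_INVENTORY, AUDIT_DATE)
    for name, findings in report.items():
        print(name, findings)
    print(summarize(report, len(SAMPLE_INVENTORY)))
```

Run periodically against the real inventory, the per-machine findings drive the follow-up with local LAN support units and the summary counts show whether the number of machines outside central patch and virus management is actually falling, which is the evidence the recommendations ask the Department to collect.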
Department has not provided sufficient central oversight
Similar to its lack of central oversight of groups of security representatives, the
Department historically has not provided sufficient central oversight over the security
of its LANs and computers, and therefore some of the weaknesses and
recommendations identified in Finding 1—Access Controls (see pages 9 through 15)
apply to LAN oversight and compliance as well. Specifically, the Department has not
provided oversight to ensure that local IT staff comply with relevant standards. The
Information Security Administration is now beginning to review certain LAN security
issues throughout the Department, and, as recommended in Finding 1, should
continue to conduct compliance reviews and assessments, develop a schedule of
regular reviews, and document its practices. If, as recommended in Finding 1, the
Department establishes an internal IT audit function and possibly contracts for an
independent security assessment, it should include the security of LANs and
computers as part of those reviews.
While DTS is currently attempting to address the lack of central oversight by
establishing centralized control of key LAN security tasks, more needs to be done to
ensure employees have the necessary skills for their jobs. Current projects in the
Department will bring all networks into a single administrative structure, centralize
security patch management, and centralize virus protection. However, the
Department has not established standards for minimum training requirements for
network support personnel. Training for these employees is important because they
work in a constantly changing environment. The Department should review the
training practices of the local LAN support units and establish regular training
requirements that will help ensure that LAN support staff have and maintain adequate
skill levels.
Spyware—any software that covertly gathers user information, such as passwords,
through the user’s Internet connection; typically bundled as a hidden component in
freeware or shareware programs that are downloaded from the Internet.
Adware—a form of spyware that collects information about the user in order to display
advertisements in the Web browser.
Malware—software designed to disrupt or harm a system, such as a virus.
Recommendations
1. To ensure that all computers have up-to-date security patches installed, the
Department should:
a. Deploy as planned an automated tool that will allow it to centrally control and
manage security updates.
b. Periodically monitor to ensure that all computers have critical security updates
installed.
2. To better ensure computers are protected from viruses, the Department should:
a. Develop a time frame by which all divisions must install the entity-wide virus
protection software the Department has already purchased.
b. Ensure that all computers have the virus protection installed.
c. Monitor to ensure that all department computers regularly receive current updates.
3. To better ensure computers are protected from spyware and other forms of
malware, the Department should:
a. Ensure that employees and local LAN support units understand the Department’s
acceptable use policy.
b. Monitor to ensure that its divisions and employees comply with the policy.
4. The Department should review the training practices of the local LAN support
units and establish training requirements sufficient to ensure that LAN staff have
and maintain adequate skill levels.
FINDING 3
Department could improve its management of computer program changes
The Department could better manage its process for making changes to computer
programs. Effective controls over this process help ensure that only authorized
modifications are made to computer programs. DTS has more than 20 project teams
working on department systems. Their processes are inconsistent across
programming teams and their testing of programming changes is not always
adequate to ensure that program modifications are fully functional and correct.
However, the Department is making efforts to address these issues.
Effective change process important to system functionality
Department systems frequently require changes to their computer programs. State
or federal mandates, such as the federal Health Insurance Portability and
Accountability Act (HIPAA), require changes in department systems. In addition,
divisions that use the systems may identify errors or recommend changes for
improvement. During the first half of fiscal year 2005, the Department implemented
991 change requests to its mainframe systems, according to a department report.
Effective management of the program change process is important to ensure that
programmers do not introduce malicious or inappropriate changes to a system, and to
safeguard systems against ineffective or faulty program changes. Inadequate program
change management can lead to programming errors and inefficiencies. For example, in a
previous audit, auditors found significant computer errors that potentially subjected
Arizona employers to penalties and assessments by providing inaccurate information to
the U.S. Internal Revenue Service. During that audit the Department attempted to
correct the errors, but auditors found that the program continued to produce
inaccurate information, indicating that testing of this program change was
inadequate. For greater detail on this programming error, see the Department of
Economic Security, Division of Employment and Rehabilitation Services—
Unemployment Insurance Program, Auditor General Report No. 05-01, pages 21-24.
Program Change Example
Requesting Unit—Division of Benefits and Medical Eligibility
Reason for Request—The Department’s electronic benefits transfer (EBT) program
changed vendors.
Request—Allows for changes that are necessary to convert EBT to the new vendor.
Current change process lacks consistency
The current process for making changes varies greatly among programming teams.
The program change process should be adequately controlled so that all changes
are appropriately requested, designed, tested, approved, and implemented. The
Department’s Quality Assurance group, which moves program changes to
production, does not move any change to production without documentation
showing that the change is appropriately approved by the end user and the
programmer’s supervisor. However, the lack of consistency between teams
increases the risk of having inadequate controls over some program changes. DTS
is making efforts to improve its program change process.
Program change process can be improved—DTS can improve two
aspects of program change management:
Program change process not standardized across programming teams—The
DTS programming group employs more than 120 programmers assigned to
over 20 programming teams that each work on separate systems or parts of
systems. Different teams use different procedures to manage the program
change process. Specifically, teams use different procedures and forms to
receive user requests for program changes, track progress, and note approval
for program changes. Some teams had no written documentation illustrating
their procedures or overall methodology. The lack of a uniform, standardized
process increases the risk of having inappropriate or inadequate changes
introduced into a system and having inadequate documentation necessary for
performing program maintenance.
Testing of program changes is not always adequate—An essential step in
developing a program change is adequate testing so that the change will be
fully functional and work correctly once it is moved to production. However,
according to division officials, programmers typically conduct only limited
testing of program changes before allowing the end user to conduct testing.
Further, DTS has not established standards for what is acceptable testing of
program changes. Often, DTS could not provide auditors with documentation of
test plans and test results.
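The Quality Assurance gate described above (no change moves to production without documented approval by the end user and the programmer’s supervisor), together with the test evidence this finding says is often missing, can be expressed as a single promotion check that a release process runs before a move to production. The following Python is an added example and not DTS’s procedure or tooling: the record fields and identifiers are hypothetical, and two rules go beyond what the report states, that approvers must be someone other than the programmer, and that approvals must post-date the final passing test run; both are assumptions about what an adequate control would include, not findings of the audit.

```python
"""Promotion gate for program changes: a change moves to production only
with documented end-user and supervisor approval and documented, passing
test results. Added example; the record fields, identifiers and the two
extra rules marked below are assumptions, not the Department's procedure.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Approval:
    approver: str
    approved_on: date


@dataclass
class TestEvidence:
    plan_reference: str   # where the test plan is filed
    executed_on: date
    passed: bool


@dataclass
class ChangeRequest:
    request_id: str
    requesting_unit: str
    programmer: str
    end_user_approval: Optional[Approval]
    supervisor_approval: Optional[Approval]
    tests: List[TestEvidence]


def promotion_blockers(cr: ChangeRequest) -> List[str]:
    """Return the reasons a change may not move to production; empty means go."""
    reasons: List[str] = []
    approvals = (("end-user", cr.end_user_approval),
                 ("supervisor", cr.supervisor_approval))

    # The report's stated rule: both approvals must be documented.
    for label, approval in approvals:
        if approval is None:
            reasons.append(f"no documented {label} approval")

    # Assumption beyond the report: segregation of duties. A programmer
    # approving his or her own change defeats the purpose of the gate.
    for label, approval in approvals:
        if approval is not None and approval.approver == cr.programmer:
            reasons.append(f"{label} approval was given by the programmer")

    # Testing must be documented and the most recent run must pass.
    if not cr.tests:
        reasons.append("no documented test plan or results")
    else:
        last = max(cr.tests, key=lambda t: t.executed_on)
        if not last.passed:
            reasons.append("most recent test run failed")
        # Assumption: approvals must post-date the final test run, otherwise
        # the approvers signed off on a version that was not the one tested.
        for label, approval in approvals:
            if approval is not None and approval.approved_on < last.executed_on:
                reasons.append(f"{label} approval predates the final test run")
    return reasons


def may_promote(cr: ChangeRequest) -> bool:
    return not promotion_blockers(cr)


# Constructed records with hypothetical identifiers. The EBT vendor
# conversion is the change request the report uses as its example.
EBT_CHANGE = ChangeRequest(
    request_id="CR-0001",
    requesting_unit="Division of Benefits and Medical Eligibility",
    programmer="programmer-a",
    end_user_approval=Approval("dbme-user", date(2005, 3, 10)),
    supervisor_approval=Approval("supervisor-b", date(2005, 3, 11)),
    tests=[TestEvidence("TP-0001", date(2005, 3, 8), passed=False),
           TestEvidence("TP-0001", date(2005, 3, 9), passed=True)],
)

SELF_APPROVED_UNTESTED = ChangeRequest(
    request_id="CR-0002",
    requesting_unit="Division of Employment and Rehabilitation Services",
    programmer="programmer-c",
    end_user_approval=Approval("ders-user", date(2005, 3, 1)),
    supervisor_approval=Approval("programmer-c", date(2005, 3, 1)),
    tests=[],
)

APPROVED_BEFORE_TESTED = ChangeRequest(
    request_id="CR-0003",
    requesting_unit="Division of Benefits and Medical Eligibility",
    programmer="programmer-a",
    end_user_approval=Approval("dbme-user", date(2005, 3, 5)),
    supervisor_approval=Approval("supervisor-b", date(2005, 3, 12)),
    tests=[TestEvidence("TP-0003", date(2005, 3, 9), passed=True)],
)

if __name__ == "__main__":
    for cr in (EBT_CHANGE, SELF_APPROVED_UNTESTED, APPROVED_BEFORE_TESTED):
        print(cr.request_id, "promote" if may_promote(cr) else promotion_blockers(cr))
```

Because every blocker is returned as a reason rather than a bare yes/no, the same function gives the programming team the list of what is missing from the change record and gives an IT audit function a consistent rule to apply across all teams, which is the standardization this finding recommends.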
DTS making efforts to address weaknesses—DTS is making efforts to
address both of these weaknesses. Specifically:
Standardizing the program change process—DTS is developing a written
system development methodology and program change management policy.
The new methodology and policy are being created to govern a new
programming area within the Department, but DTS anticipates using these
policies and procedures to standardize, to the extent possible, this same
methodology across all teams. According to DTS management, these policies
will not be finalized until some time after June 30, 2005. DTS should ensure that
this methodology is applied to all project teams.
Improving the adequacy of testing—In April 2005, the Department acquired an
automated testing tool that will allow it to conduct well-documented, thorough
testing of program changes. According to DTS management, this tool should be
implemented by July 2005. DTS should ensure that the testers receive adequate
training to use the new tool and ensure that it is used as frequently as possible,
in accordance with the nature of the program change.
Recommendations
1. DTS should standardize its program change process throughout programming
teams by completing its current efforts to develop a documented system
development methodology and program change policy and then applying the
new practices to all project teams, to the extent possible.
2. DTS should improve its testing of program changes by:
a. Continuing its efforts to implement an automated testing tool.
b. Ensuring that testers receive adequate training to use the new tool.
c. Using the tool as frequently as possible, in accordance with the nature of the
program change.
FINDING 4
Department has made progress in disaster recovery
The Department has made progress in improving its disaster recovery planning—its
procedures for what to do in the event of a major hardware or software failure—
although it needs to complete its efforts to put effective procedures in place. Disaster
recovery planning allows critical services to continue even when major computer
systems are damaged or destroyed. Since 2004, the Department has taken a
number of actions to put a disaster recovery plan in place, although it still needs to
complete and test the plan and move forward with plans to back up critical systems
daily. However, its current plans address only those actions needed if disruptions last
for a short period. A comprehensive solution will require state-wide disaster recovery
planning and identification of future funding sources.
Disaster recovery planning minimizes service disruption
Disaster recovery planning allows critical services to continue in the event of damage
to an agency’s computer systems. Without such planning, an agency can lose the
ability to provide services to the public for an extended period of time. In the
Department’s case, loss of its computer systems would disrupt services to an
estimated 1 million or more people and affect claims and benefits payments such as
unemployment insurance or TANF cash assistance (see text box). Therefore, it is very
important for the Department to have an up-to-date contingency plan so it can resume
services as quickly as possible should a major computer hardware or software failure
occur.
The Department reports that it serves over 1 million children, adults, and families per
month. Damage to the Department’s computer systems can lead to the disruption of
critical services, such as:
• Unemployment insurance payments: an average of over $32.9 million per month in
fiscal year 2004
• Federal TANF cash benefits: an average of over $14.6 million per month in fiscal
year 2004
• Ability to track client information for programs such as Child Protective Services
and foster care
• Timely payments to agencies providing services to Arizona children, families, the
disabled, and the elderly
Source: Auditor General staff analysis of the Department of Economic Security Annual Report for
SFY 2004; and list of mainframe application systems provided by the Department.
Comprehensive government and industry standards exist for disaster recovery plans.
For example, GITA’s standards include developing procedures and tasks for staff to
assist in system recovery and arranging with vendors to provide computer services.
In general, a comprehensive disaster recovery plan should include the following
components:
A risk analysis identifying critical transactions for department programs;
A designated alternative computer facility or “hot site”;
Development of test plans to determine the effectiveness of disaster recovery
procedures with periodic testing of these plans;
Employees organized into disaster recovery teams along with tasks assigned to
those teams;
A list of procedures for processing critical transactions, including forms and
other documents to use; and
Scheduling frequent regular backups of agency information and storing that
information at remote sites throughout the year.
Department has improved disaster recovery planning
The Department has made progress in disaster recovery planning after experiencing
some delays due primarily to lack of staff. Although the Department has made
progress since hiring disaster recovery staff, it still needs to complete and update
some plan components, conduct testing, and move forward with plans to conduct
critical backups on a daily basis.
Disaster planning started slowly but has made progress—The
Department did not effectively address disaster recovery planning for several years.
In 2002, the Department purchased a computer software planning system for
disaster recovery that has also been used by other state agencies, such as the
Department of Administration and the Department of Public Safety, and in 2003 the
Department developed a nearly 40-page outline that shows steps for completing the
plan. However, according to department officials, turnover in the disaster recovery
planning position resulted in only partial progress in entering information into the
planning software.
More progress came in calendar year 2004 when the Department hired a disaster
recovery manager, obtained funding for disaster recovery initiatives, began regular
off-site storage of the data it backs up, and obtained access to emergency hot site
services. Additionally, according to department officials, it has established a
timetable for completing the information in its software planning system. Table 4 (see
page 30) shows the status of the Department’s disaster recovery planning activities
as of February 2005. As the table shows, the Department has taken action in each of
the four major planning areas—mainframe recovery, network recovery, server farm
recovery, and facility recovery.
The Department reports that lack of a disaster recovery manager slowed down initial
progress that started in 2002.
Department should complete and test its plan—The Department needs to
update its planning software to include information on the more recent planning
activities undertaken, including the emergency hot site services, new network
strategy, and regular data backups. It should also follow through with its timetable to
complete the plan so that it includes all of the items shown in Table 4 (see page 30).
For example, it should add information to its mainframe and network plans on
recovery teams’ tasks and assignments and vendor assets and supplies. The
Department adopted a maintenance plan in May 2005, which sets forth a schedule
for updating individual plan components. In addition, the Department needs to
determine which mainframe applications are most critical, develop a prioritized list for
the sequence of recovering these applications, and add this information to its
recovery planning software. The Department should also update its recovery
planning software to include information about its plan to have a vendor provide
backup resources for its server farm. The Department developed a final test plan
prior to its scheduled testing dates at the emergency hot site in June 2005. The
Department should ensure that it adds testing plan information to its recovery
planning software as part of its ongoing plan maintenance.
Department should conduct daily backups of critical systems—In
addition to determining which mainframe systems are most critical and adding this
information to the plan, the Department should also begin daily backups of its most
critical applications. The Department has begun to take action in this area. For
example, the Department used some of its disaster recovery funding to purchase
new tape drives, allowing faster backups. The Department reports that it can now
back up its systems faster. The Department began daily backups of its most critical
mainframe systems starting in June 2005. In addition to adding this information to its
plan, the Department should continue to conduct these daily backups, and develop
policies related to these backups, and add this information to its planning software.
The Department reports that its new tape drives allow faster backups of mainframe
systems.
Comprehensive solutions require state-wide planning
According to department officials, current planning activities do not provide
comprehensive disaster recovery solutions. For example, the Department estimates
that it could take a minimum of 2 weeks to restore mainframe and network services
at the current temporary hot site. In the event of an emergency, hot site services are
contractually guaranteed by the vendor to be available to the Department for only 6
weeks. The funding and contract for the hot site was initially approved for fiscal year
2005 only. That year, the Legislature approved $742,300 from the State’s Risk
Management Fund for the Department’s disaster recovery plan. The Legislature
approved additional funding from the same funding source in its fiscal year 2006
budget, although it reduced the amount to $271,500.1
1 JLBC’s recommendation stated that the reduced appropriation from the Risk Management Fund for fiscal year 2006
could generate federal matching fund monies and permit total funding of $742,300. However, because the Fund includes
federal monies, the Department is working with the State Comptroller’s Office to determine whether and how this can be
done while complying with restrictions on federal monies.
Table 4: Status of Disaster Recovery Planning Activities as of February 2005
Plan Component: Mainframe recovery
Purpose: Restore and recover hardware and software functions to operate the
Department’s mainframe computer.
Actions Taken:
• Spring 2004—The Department began to back up mainframe data on a regular basis
and store it at a remote site.
• Spring 2004—GITA approved a tri-agency Project Information Justification (PIJ) to
allow the Department, the Department of Administration, and the Department of
Public Safety to seek funding for disaster recovery initiatives. The Department
reports that it subsequently:
  - Obtained 1-year funding for a hot site and scheduled test dates for recovery of
    mainframe functions at the hot site;
  - Used part of this funding to purchase tape drives for faster backups of
    mainframe computer data through the year.
• The Department has partially completed its plan. Missing items include:
  - Identification of the Department’s most critical mainframe applications.
  - Tasks and assignments for 6 of its 15 restoration or recovery teams.
  - Documentation of some vendors to supply equipment and for vendor assets and
    supplies.
Plan Component: Network recovery
Purpose: Restore the network’s capacity to provide division and program connections
to the Department’s mainframe computer.
Actions Taken:
• Fiscal year 2005—the Department plans to implement a process with a contractor to
enable its computer network to be redirected to the emergency hot site.
• The Department has partially completed its plan. Missing items include:
  - Tasks and assignments for 8 of its 15 recovery or restoration teams.
  - Documentation of some vendors to supply equipment and for vendor assets and
    supplies.
Plan Component: Server farm recovery
Purpose: Restore operations for programs run from a group of department servers at a
department data center.
Actions Taken:
• The Department reports that it is working with state procurement staff to efficiently
obtain vendors to supply backup servers in the event of an emergency.
• The Department has partially completed the plan. Missing items include:
  - Tasks and assignments for 6 of its 58 recovery or restoration teams.
  - Assets, equipment, and supplies lists by vendor.
  - Telecommunication lines and equipment information.
Plan Component: Facility1
Purpose: Provide for safe evacuation and relocation of staff, assessment of damage,
and the cost to restore the facility.
Actions Taken:
• DTS’ main facility has an evacuation plan, which has been tested.
1 Three areas of the Department coordinate facility recovery plans: facilities management in the Division of Budget and Finance,
risk management in the Division of Employee Services and Support, and building coordinators for each facility. Local office
coordinators, local office managers, or building coordinators are responsible for oversight of staff evacuation.
Source: Auditor General staff compilation of information from the Department’s Living Disaster Recovery Planning System software
program, budget reports, interviews with DTS staff, and vendor contracts.
State-wide planning may be required to support comprehensive disaster recovery
solutions for the Department and other state agencies that maintain critical data.
Department officials are currently participating in a state-wide planning group with
other agencies, such as the Department of Administration and the Department of
Public Safety, to work on long-term disaster recovery solutions. This state-wide
planning group, which includes the Governor’s Office, is discussing strategies such
as an information systems recovery services site to serve all state agencies. In
addition to state-wide planning, these long-term solutions also require the
identification of additional funding beyond that which supports temporary hot site
services.
Recommendations
1. The Department needs to update and complete its disaster recovery planning
software. Specifically, it needs to:
a. Update all components of the plan—mainframe, network, and server farm plans—
as needed to include new disaster recovery initiatives including the emergency hot
site, new network strategy, regular data backups, and testing procedures.
b. Add information to mainframe, network, and server farm plans so that they include
detailed tasks and assignments for all recovery teams identified in those plans.
c. Add information to its mainframe, network, and server farm plans so that they
include pertinent vendor information, such as vendor assets and supplies.
d. Add information to the mainframe plan to identify the most critical mainframe
applications, and the priorities and sequence of events necessary to restore these
applications.
e. Add information to its server farm plan to have a vendor provide backup resources
for its server farm.
2. The Department should ensure it adds testing plan information to its recovery
planning software as part of its ongoing plan maintenance.
3. The Department’s Division of Technology Services should develop policies for
critical system backups and add this information to its planning software.
Current planning activities do not provide a comprehensive solution.
AGENCY RESPONSE
State of Arizona
ARIZONA DEPARTMENT OF ECONOMIC SECURITY
1717 W. Jefferson • P.O. Box 6123 • Phoenix, AZ 85005
Janet Napolitano
Governor
David A. Berns
Director
Ms. Debbie Davenport
Auditor General
Office of the Auditor General
2910 North 44th Street, Suite 410
Phoenix, Arizona 85018
Dear Ms. Davenport:
Thank you for the opportunity to respond to the performance audit and sunset
review of information security in the Department of Economic Security. We
appreciate the professional approach the auditors took during the course of this
review. The purpose of this letter is to forward the Department’s written
responses to the preliminary draft report.
As you are aware, in 2003, the current DES leadership had identified information
security as a potentially vulnerable area and had implemented various
improvements. We welcomed the Auditor General’s review as a means to
enhance and refine those efforts.
The Department agrees with the findings in the report and has identified and
initiated work to implement most of the recommendations by January 2006. Five
(5) recommendations that require organizational development and training will be
implemented by July 2006. The remaining three (3) actions would require
appropriated funding or specific authorization to implement. The Department will
continue to review those three recommendations and determine the
appropriateness of seeking additional funding.
Sincerely,
David A. Berns
Enclosure
DES Response - Information Security Performance Audit Draft Report
Page 1 of 9
FINDING 1 - Controls over data security insufficient
Recommendation
1. In order to address user account weaknesses, DTS should:
a. Create guidelines requiring periodic reviews of access rights to ensure that
users have only the access that they need to perform their jobs.
b. Define who needs security administration privileges, and what kind of authority
they need, so that these privileges can be restricted to the minimum levels
required for employees to perform their duties.
c. DTS should monitor compliance with new and updated policies addressing
account management and access control to ensure that old and unused
accounts are properly deleted and account passwords are changed at least
every 30 days.
DES Response
1. The finding of the Auditor General is agreed to and the audit recommendation will be
implemented.
In November 2003, the Department recognized that its security controls required
improvement and began to strengthen the role of this function with a realignment of
the Information Security Administration (ISA) within the Division of Technology
Services (DTS). This move included the hiring of a new Administrator in July 2004,
who is responsible for ensuring that DES is in compliance with acceptable security
industry practices. The first step in this process has been to strengthen DTS’ central
oversight and establish uniform standards and practices. ISA has already
accomplished significant improvement toward this end through review and
strengthening of existing, and establishment of new, security policies and
procedures. Additional improvements, as recommended by the Auditor General, will
also be implemented.
a. Review of user access will be implemented as a part of ISA’s Compliance
Review Plan. By August 2005, ISA will complete the access control section of
the Compliance Review Plan and will commence quarterly random reviews of
user access at that time. These reviews will be done in coordination with the
Division/Program Security Representatives. Any inappropriate access
discovered will be addressed.
b. In March 2005, DTS completed a review of accounts with security privileges.
Unnecessary accounts were changed or deleted as a result of this review. A
draft policy, based on industry standards and the concept of “least privilege”, has
been completed and is currently under review. This policy specifies the
requirements for obtaining security privileges and what restrictions apply.
Adoption of this policy will occur in August 2005. The account management
section of the Compliance Review Plan, which incorporates review of security
privileges, will be completed, and ISA will commence quarterly random reviews
of security privileges in August 2005.
c. In March 2005, new policies governing account management and access control
were adopted. These policies established rules for reviewing user accounts,
including old/unused accounts, accounts with password intervals, and duplicate
accounts for an individual. In May 2005, ISA began enforcement of these new
policies through monthly reviews and appropriate follow-up actions with the
security administrators. By July 2005, ISA will begin publishing a periodic report
that describes the results of compliance monitoring and follow-up regarding old
and unused accounts.
Recommendation:
2. The Information Security Administration should continue to conduct compliance
reviews and assessments, develop a schedule of regular reviews, and establish
policies and procedures to document its practices including a follow-up process to
ensure divisions comply with recommendations.
DES Response:
2. The finding of the Auditor General is agreed to and the audit recommendation will be
implemented.
The ISA will continue to conduct periodic compliance reviews to ensure divisions are
complying with security policies and procedures. In doing so, ISA will develop a
schedule of these reviews and establish policies and procedures on the review
process. The Compliance Review Plan, which will address the review schedule and
documentation requirements, as well as all security risks not mentioned above, will
be completed by October 2005.
Recommendation:
3. In order to increase compliance with security requirements, the Department should:
a. Establish an internal IT audit function.
b. Consider contracting for an independent security assessment.
DES Response:
3. The finding of the Auditor General is agreed to and the audit recommendation will be
implemented.
a. In the past, DES had an IT audit function; however, due to budget constraints,
the function was eliminated in 1997. The Department is using savings achieved
through internal efficiencies to re-establish an IT audit position that will report to
the Office of Audit and Management Services. The position will be filled by early
2006.
b. As the Audit Report indicates, an external IT security assessment is estimated to
cost several hundred thousand dollars, based on the experiences of the
Department of Transportation and the Department of Administration. The
Department recognizes the value of such an assessment, but would require
additional funding appropriated for that purpose.
Recommendation:
4. In order to ensure that security representatives know their duties and are capable of
doing them, DTS should work with security groups to:
a. Adopt a job description with minimum qualifications for security representatives
and ensure that only individuals who meet these qualifications are authorized to
conduct these duties.
b. Develop a manual regarding the duties of a security representative as a
reference source.
c. Ensure that security representatives understand their job duties and receive
periodic training.
d. Identify other individuals who perform duties similar to security representatives,
specifically those who perform system application (non-mainframe) access right
duties, and ensure that they understand their job duties and receive periodic
training.
DES Response:
4. The finding of the Auditor General is agreed to and the audit recommendation will be
implemented.
a. In June 2005, DTS completed a draft job description that includes minimum
qualifications and job duty descriptions for security representatives. These job
descriptions apply to all persons who perform these duties, regardless of what
job title they are in. Only staff who meet these qualifications will be given the
necessary clearance to perform the security analyst functions. The Department
will work with the Office of Personnel Management to adopt this job description
by December 2005 and to resolve any unexpected personnel issues that may
arise as a result of the implementation of these minimum qualifications.
b. By December 2005, DTS, in conjunction with the Department’s security
representatives, will develop and implement a manual that defines the duties of a
security representative.
c. Upon completion of the revised Data Security Analyst Manual, the Department’s
Office of Management Development (OMD) will work with DTS to develop and
deliver periodic mandatory training to the security representatives to ensure they
understand the security representative job duties and expectations. Training will
begin in 2006.
d. Staff who perform non-mainframe security duties will be included as the
Department implements the security representative roles and responsibilities.
They will also be included in the aforementioned security representative
trainings. These staff will also have clear job duty descriptions and expectations.
Recommendation:
5. The Department should ensure that new employees receive the mandatory
computer security training.
DES Response:
5. The finding of the Auditor General is agreed to and the audit recommendation will be
implemented.
By October 2005, all current Department employees will have received the
mandatory computer security training. DES is partnering with Arizona Government
University to ensure that all training data is tracked. In addition, ISA and OMD are
developing a plan to ensure that all new employees receive appropriate mandatory
computer security training (DES Basic Security Awareness Training course). This
new employee training plan also will be implemented by October 2005.
Recommendation:
6. The Department should determine which positions involve the security and access of
sensitive information and therefore merit a background check. It should then
request the authority, either through statute or an executive order, to conduct
background checks and ensure background checks are conducted on those
individuals. The Department should also conduct periodic background checks on
long-term employees in accordance with the sensitivity of their position.
DES Response:
6. The finding of the Auditor General is agreed to and the audit recommendation will be
implemented.
The Department will seek an Executive Order or legislation to require background
checks on all current and newly hired employees that are responsible for security
duties or have access to sensitive agency-maintained information.
FINDING 2 - Information in local area networks and computers not adequately protected
Recommendation:
1. To ensure that all computers have up-to-date security patches installed, the
Department should:
a. Deploy as planned an automated tool that will allow it to centrally control and
manage security updates.
b. Periodically monitor to ensure that all computers have critical security updates
installed.
DES Response:
1. The finding of the Auditor General is agreed to and the audit recommendation will be
implemented.
a. In April 2005, DTS identified an automated tool to centrally control and manage
security updates. DTS procured the automated tool in June 2005 and will
implement it by January 2006.
b. ISA will include periodic monitoring of the automated tool in the development of
its Compliance Review Plan, which will be completed by October 2005.
Recommendation:
2. To better ensure computers are protected from viruses, the Department should:
a. Develop a time frame by which all divisions must install the entity-wide virus
protection software the Department has already purchased.
b. Ensure that all computers have the virus protection installed.
c. Monitor to ensure that all department computers regularly receive current
updates.
DES Response:
2. The finding of the Auditor General is agreed to and the audit recommendation will be
implemented.
a. The Department established December 2005 as the date for all Divisions to
have installed the entity-wide virus protection software.
b. DTS will review Division actions in early 2006 to ensure that all Divisions have
installed virus protection software.
c. ISA will include periodic monitoring of the existence and regular updating of virus
protection software on desktop equipment in the development of its Compliance
Review Plan, which will be completed by October 2005.
Recommendation:
3. To better ensure computers are protected from spyware and other forms of malware,
the Department should:
a. Ensure that employees and local LAN support units understand the Department’s
acceptable use policy.
b. Monitor to ensure that its divisions and employees comply with the policy.
DES Response:
3. The finding of the Auditor General is agreed to and the audit recommendation will be
implemented.
a. The department requires all new employees to pass the Basic Security
Awareness Training course and also requires all employees (including LAN
support staff) to take a Security Awareness Refresher Course annually. Both
courses include information on the acceptable use policy, employees’
responsibilities under this policy, and the potential consequences for violations of
the policy, which include personnel actions up to and including termination. The
LAN support staff will receive not only the above training but also additional
training on the application of this policy as part of the minimum required training
for LAN support staff that will be established by March 2006. See the
Department’s response to Finding 2, Recommendation 4.
b. ISA will include periodic monitoring of user compliance with this policy in the
development of its Compliance Review Plan, which will be completed by October
2005.
Recommendation:
4. The Department should review the training practices of the local LAN support units
and establish training requirements sufficient to ensure that LAN staff have and
maintain adequate skill levels.
DES Response:
4. The finding of the Auditor General is agreed to and the audit recommendation will be
implemented.
The Department will:
• By early 2006, establish and fill an internal IT audit function within the DES Office of Audit and Management Services. (See the Department’s response to Finding 1, recommendation 3.a.) This audit function will be charged with, among other things, reviewing the training practices of local LAN support units and recommending training requirements sufficient to ensure that LAN staff have and maintain adequate skill levels.
• By March 2006, establish minimum initial and ongoing training requirements for all LAN support staff, based on input from the DES internal IT auditor, IT and Information Security personnel, and staff of OMD.
• By March 2006, require the re-established IT audit function to monitor for adherence to the new Department IT Standard for LAN training requirements as part of its IT audit work plan.
FINDING 3 - The Department could improve its management of computer program changes
Recommendation:
1. DTS should standardize its program change process throughout programming
teams by completing its current efforts to develop a documented system
development methodology and program change policy and then applying the new
practices to all project teams, to the extent possible.
DES Response:
1. The finding of the Auditor General is agreed to and the audit recommendation will be
implemented.
By December 2005, DTS will complete the development and implementation of the
system development methodology and will apply the new practices to all project
teams, to the extent appropriate.
Recommendation:
2. DTS should improve its testing of program changes by:
a. Continuing its efforts to implement an automated testing tool.
b. Ensuring that testers receive adequate training to use the new tool.
c. Using the tool as frequently as possible, in accordance with the nature of the
program change.
DES Response:
2. The finding of the Auditor General is agreed to and the audit recommendation will be
implemented.
a. In May 2005, DTS acquired a suite of automated testing tools. This software will
be installed in July 2005 and will be used for testing new and modified programs
on mainframe, internet, and server-based platforms.
b. By July 2005, 25 Department staff will have attended a five-day, vendor-provided
training. The training will cover all aspects of the five different tools that are part
of the suite. The 25 trainees include many program staff as well as the entire
DTS Quality Assurance staff.
c. Beginning in July 2005, following completion of the vendor training, program staff
will begin use of the suite of tools to develop and execute test scripts to evaluate
program changes and to track results.
FINDING 4 - Department has made progress in disaster recovery planning
Recommendation:
1. The Department needs to update and complete its disaster recovery planning
software. Specifically, it needs to:
a. Update all components of the plan—mainframe, network, and server farm
plans—as needed to include new disaster recovery initiatives, including the
emergency hot site, new network strategy, regular data backups, and testing
procedures.
b. Add information to mainframe, network, and server farm plans so that they
include detailed tasks and assignments for all recovery teams identified in those
plans.
c. Add information to its mainframe, network, and server farm plans so that they
include pertinent vendor information, such as vendor assets and supplies.
d. Add information to the mainframe plan to identify the most critical mainframe
applications, and the priorities and sequence of events necessary to restore
these applications.
e. Add information to its server farm plan to have a vendor provide backup
resources for its server farm.
DES Response:
1. The finding of the Auditor General is agreed to and the audit recommendation will be
implemented.
a. As new disaster recovery initiatives are implemented by the Department, the
disaster recovery plans will be adjusted to include the updated recovery
information. For example, in June 2005 DTS initiated daily off-site back-up tape
storage, use of the IBM hot site for testing purposes, and the first phase of the
DES Disaster Recovery (DR) test plan. The DES DR Plan, including the
mainframe, network, and server farm components, will be updated to reflect
these changes by September 2005.
b. In May 2005, the Department implemented a maintenance plan, which is
designed to ensure that all recovery plan owners review and update the plans on
a regular basis. The Disaster Recovery Manager is responsible for monitoring
the compliance with the maintenance plan. By December 2005, all three DR
plans will have been updated with detailed tasks and assignments for the
recovery teams identified in those plans.
c. The maintenance plan adopted in May 2005 also requires that all vendor data be
reviewed by recovery plan owners per the maintenance plan review schedule. In
plans that have no vendor dependence for supplies or information, an annotation
of “Not Applicable” will be added by the appropriate plan owners at the next
scheduled review. By December 2005, all three DR plans will have been
updated with vendor information, such as vendor assets and supplies.
d. The Disaster Recovery Manager will work with other key staff throughout the
Department to identify the most critical applications and prioritize their recovery in
the event of a disaster. By January 2006, the resulting information will be added
to the mainframe recovery plan.
e. The Department’s disaster recovery appropriation, which was established to
address mainframe recovery services and faster tape drives for performing
backups, was reduced for fiscal year 2006. There were no appropriated funds
earmarked for server farm backup resources. As a result, the Department will be
requesting additional funds this summer in the fiscal year 2007 budget to fully
address the mainframe and server farm backup resources. In the meantime, the
Department will update its server farm plan to note that vendor-provided backup
resources will be needed.
Recommendation:
2. The Department should ensure it adds testing plan information to
its recovery planning software as part of its ongoing plan maintenance.
DES Response:
2. The finding of the Auditor General is agreed to and the audit recommendation will be
implemented.
The Disaster Recovery Manager is responsible for ensuring that test plan
information is added to its recovery planning software as part of the Department’s
ongoing plan maintenance. The Department created its initial test protocol in May
2005 and executed that protocol in June 2005. The next test under the current
contract is scheduled for August 2005. The test plan will be updated within the
recovery planning software at that time.
Recommendation:
3. The Department’s Division of Technology Services should develop policies for
critical system backups and add this information to its planning software.
DES Response:
3. The finding of the Auditor General is agreed to and the audit recommendation will be
implemented.
In June 2005, the Division of Technology Services implemented a process to create
daily incremental backups of critical mainframe systems. Those tapes are created
and sent off site on a nightly basis. By October 2005, the documentation of that
process will be included in the Department’s disaster recovery planning software.
Performance Audit Division reports issued within the last 24 months
03-05 Department of Economic Security—Child Protective Services—Foster Care Placement Stability and Foster Parent Communication
03-06 Arizona Board of Appraisal
03-07 Arizona Board for Charter Schools
03-08 Arizona Department of Commerce
03-09 Department of Economic Security—Division of Children, Youth and Families Child Protective Services—Caseloads and Training
04-L1 Letter Report—Arizona Board of Medical Examiners
04-L2 Letter Report—Gila County Transportation Excise Tax
04-01 Arizona Tourism and Sports Authority
04-02 Department of Economic Security—Welfare Programs
04-03 Behavioral Health Services’ HB2003 Funding for Adults with Serious Mental Illness
04-04 Department of Emergency and Military Affairs and State Emergency Council
04-05 Department of Environmental Quality—Water Quality Division
04-06 Department of Environmental Quality—Waste Programs Division
04-07 Department of Environmental Quality—Air Quality Division
04-08 Department of Environmental Quality—Sunset Factors
04-09 Arizona Department of Transportation, Motor Vehicle Division—State Revenue Collection Functions
04-10 Arizona Department of Transportation, Motor Vehicle Division—Information Security and E-government Services
04-11 Arizona Department of Transportation, Motor Vehicle Division—Sunset Factors
04-12 Board of Examiners of Nursing Care Institution Administrators and Assisted Living Facility Managers
05-L1 Letter Report—Department of Health Services—Ultrasound Reviews
05-01 Department of Economic Security—Unemployment Insurance
05-02 Department of Administration—Financial Services Division
05-03 Government Information Technology Agency (GITA) & Information Technology Authorization Committee (ITAC)
Future Performance Audit Division reports
Department of Economic Security—Service Integration
Department of Revenue—Business Reengineering/Integrated Tax System (BRITS)
Object Description
| Rating | |
| TITLE | Performance audit Department of Economic Security Information Security |
| CREATOR | Auditor General |
| SUBJECT | Arizona--Dept. of Economic Security--Auditing; Arizona--Dept. of Economic Security--Information technology; Electronic data processing departments--Security measures--Arizona |
| Browse Topic |
Government and politics |
| DESCRIPTION | This title contains one or more publications |
| Language | English |
| Contributor | Debra K. Davenport |
| Publisher | Auditor General |
| Material Collection | State Documents |
| Source Identifier | LG 6.2:R 36 |
| Location | o61127258 |
| REPOSITORY | Arizona State Library, Archives and Public Records--Law and Research Library |
Description
| TITLE | Performance audit Department of Economic Security Information Security 2005 Report No. 05-04 |
| DESCRIPTION | 56 pages (PDF version). File size: 735 KB |
| TYPE |
Text |
| RIGHTS MANAGEMENT | Copyright to this resource is held by the creating agency and is provided here for educational purposes only. It may not be downloaded, reproduced or distributed in any format without written permission of the creating agency. Any attempt to circumvent the access controls placed on this file is a violation of United States and international copyright laws, and is subject to criminal prosecution. |
| DATE ORIGINAL | 2005 |
| Time Period |
2000s (2000-2009) |
| ORIGINAL FORMAT | Born Digital |
| Source Identifier | LG 6.2:R 36 |
| Location | o61127258 |
| DIGITAL IDENTIFIER | 05-04.pdf |
| DIGITAL FORMAT | PDF (Portable Document Format) |
| REPOSITORY | Arizona State Library, Archives and Public Records--Law and Research Library. |
| File Size | 751895 Bytes |
| Full Text | Performance Audit Department of Economic Security– Information Security Performance Audit Division Debra K. Davenport Auditor General JULY • 2005 REPORT NO. 05 – 04 A REPORT TO THE ARIZONA LEGISLATURE The Auditor General is appointed by the Joint Legislative Audit Committee, a bipartisan committee composed of five senators and five representatives. Her mission is to provide independent and impartial information and specific recommendations to improve the operations of state and local government entities. To this end, she provides financial audits and accounting services to the State and political subdivisions, investigates possible misuse of public monies, and conducts performance audits of school districts, state agencies, and the programs they administer. The Joint Legislative Audit Committee Senator Robert Blendu, Chair Representative Laura Knaperek, Vice Chair Senator Carolyn Allen Representative Tom Boone Senator Gabrielle Giffords Representative Ted Downing Senator John Huppenthal Representative Pete Rios Senator Harry Mitchell Representative Steve Yarbrough Senator Ken Bennett (ex-officio) Representative Jim Weiers (ex-officio) Audit Staff Melanie Chesney, Director Shan Hays, Manager and Contact Person Monique Cordova, Team Leader Aaron Cook Pam Eck Copies of the Auditor General’s reports are free. You may request them by contacting us at: Office of the Auditor General 2910 N. 44th Street, Suite 410 • Phoenix, AZ 85018 • (602) 553-0333 Additionally, many of our reports can be found in electronic format at: www.auditorgen.state.az.us 2910 NORTH 44th STREET • SUITE 410 • PHOENIX, ARIZONA 85018 • (602) 553-0333 • FAX (602) 553-0051 DEBRA K. DAVENPORT, CPA AUDITOR GENERAL STATE OF ARIZONA OFFICE OF THE AUDITOR GENERAL WILLIAM THOMSON DEPUTY AUDITOR GENERAL July 12, 2005 Members of the Arizona Legislature The Honorable Janet Napolitano, Governor Mr. 
David Berns, Director Department of Economic Security Transmitted herewith is a report of the Auditor General, A Performance Audit of the Department of Economic Security—Information Security. This report is in response to a November 20, 2002, resolution of the Joint Legislative Audit Committee. The performance audit was conducted as part of the sunset review process prescribed in Arizona Revised Statutes §41-2951 et seq. I am also transmitting with this report a copy of the Report Highlights for this audit to provide a quick summary for your convenience. As outlined in its response, the Department of Economic Security agrees with all of the findings and plans to implement all of the recommendations. My staff and I will be pleased to discuss or clarify items in the report. This report will be released to the public on July 13, 2005. Sincerely, Debbie Davenport Auditor General Enclosure Services: The Division of Technology Services (DTS) provides technical and systems services for the devel-opment, maintenance, enhancement, and operation of the Department’s automated business systems. The Division’s responsibilities also include technical support for network and user information technology (IT) equipment and software; infor-mation security management; disaster recovery; customer support for IT and telecommunications equipment; IT help desk support for end users and field technical staff; and IT planning support for the Department. DTS is part of the Department’s central administration func-tion, and does not carry out all IT-related activities within the Department. For example, the Department has 22 separate groups that support local area networks and computers with 72 network specialists, and 23 information security groups with 67 security representatives. Facilities: DTS’ main administrative office and another facility are locat-ed in two state-owned buildings in Phoenix. 
In addition, DTS leases space in four other buildings in Phoenix, Tucson, and Flagstaff for an annual lease cost of $603,257. Equipment: In addition to office furniture, DTS has specialized equipment for which it has department-wide responsibility, such as the Department’s mainframe computer. In addition, DTS reports that it has approximately 280 servers, which are computers that manage functions such as the Department’s electronic mail system, its e-Government environment, and other critical agency functions. PROGRAM FACT SHEET Arizona Department of Economic Security Division of Technology Services Systems and Programming 159 (31 vacancies) Data Center 65 (14 vacancies) Technical Support 51 (8 vacancies) Customer Service Support Center 49 (12 vacancies) Support Services 22 (8 vacancies) Assistant Director's Office 8 (3 vacancies) Information Security Administration 5 (0 vacancies) Program revenue: $32.4 million (fiscal year 2005 budgeted) Program staffing: 359 FTE, including 76 vacancies (as of March 24, 2005) Office of the Auditor General 31 30.4 32.4 0 5 10 15 20 25 30 35 FY 2003 FY 2004 FY 2005 Millions of Dollars (actual) (actual) (budgeted) Mission: The mission of DTS is to deliver efficient, effective business technology services for the Department‘s customers and employees, in partnership with the Department’s programs. Program goals: 1. To increase protection for the Department’s information and individual privacy by enhancing information technology security measures. 2. To improve public service by enhancing IT systems and expanding electronic access. 3. To increase operational efficiencies by implementing innovative IT solutions. 4. To improve service quality by providing expanded communication, skill development, and career opportunities, and tools to optimize employee performance. 
Adequacy of performance measures DTS has developed 20 performance measures to support its 4 goals, including 9 output meas-ures, 9 outcome measures, 1 quality measure, and 1 efficiency measure. While these measures generally were aligned with its 4 goals, auditors identified some areas where DTS could clarify how it uses measures to provide information. Specifically, DTS should consider reporting a com-bination of measures for all of its goals. For example, all 4 measures associated with DTS’ sec-ond goal are identified as output measures. In addition, DTS has not identified any input meas-ures. Source: Auditor General staff compilation of unaudited information obtained from the State of Arizona Master List of Government Programs; the Division’s strategic plan; staffing information from the Division’s human resources manager; lease information from the Division of Business and Finance; equipment inventory, and other information provided by the Department and the Division of Technology Services. State of Arizona The Office of the Auditor General has conducted a performance audit of the Arizona Department of Economic Security’s information security pursuant to a November 20, 2002, resolution of the Joint Legislative Audit Committee. The audit was conducted as part of the sunset review process prescribed in Arizona Revised Statutes (A.R.S.) §41-2951 et seq and is the third in a series of six reports on the Department of Economic Security (Department). This audit addresses four major aspects of the Department’s controls over computer-based information: Controls over access by employees and others who use the data Protection of computers and local area networks (LANs) against virus attacks and other intrusions or data losses Procedures for making changes to computer programs Contingency planning for restoring service in the event of a major system failure The first report reviewed the Department’s welfare programs (Auditor General Report No. 
04-02) and the second its unemployment insurance program (Auditor General Report No. 05-01). Subsequent reports will examine the Department’s service integration initiative, the Division of Developmental Disabilities, and the Department’s performance in light of the sunset factors contained in Arizona statutes. The security of the Department’s information systems is important because of the sensitive nature of its data. Department systems assist employees in important tasks such as tracking child welfare cases, monitoring information on developmentally disabled clients in state care, determining clients’ eligibility to receive welfare benefits, and processing claimants’ applications for unemployment insurance. Nearly 14,100 user accounts access various parts of department systems. About 11,730 accounts are for internal department use. In addition, more than 2,350 users, including local, state, tribal, federal, and private agencies, access the Department’s systems. The Department reports that it has more than 80 different information systems, and manages a substantial amount of money through its systems. For instance, in fiscal year 2004, the Department used its systems to process $175 million in Temporary Assistance for Needy Families (TANF) cash benefits, and approximately $395 million in unemployment claims. Office of the Auditor General SUMMARY page i Controls over data security need improvement (see pages 9 through 15) The Department needs to establish better access controls over its information systems and strengthen central oversight of data security. Access controls and other aspects of the security environment need to be strengthened throughout the Department. For example, auditors found that access rights were not periodically reviewed, old/unused accounts were not deleted in a timely fashion, and the use of special privileges that allowed individuals to create and delete user accounts was not adequately restricted. 
The Department has not provided sufficient central oversight of the security environment. Unlike some state agencies, the Department has not established minimum qualifications and duties for personnel involved in security administration and it has provided neither a manual nor adequate training to ensure that security personnel understand their functions. In addition, new department employees do not always take a mandatory computer security training course, and the Department lacks the legal authority, from either an executive order or statute, to request background checks for personnel in sensitive information technology positions. The Department has begun to address some entity-wide security concerns through its Information Security Administration, located in the Division of Technology Services (DTS). For example, in March 2005, it adopted new policies governing account management. This administration also recently began conducting security compliance reviews within the Department, but needs to develop a regular schedule for such reviews and better document its processes. Information in local area networks and computers not adequately protected (see pages 17 through 22) The Department needs to improve management of its local area networks (LANs) and computers to better ensure system security and operability. Good management of LANs and computers provides protection against virus attacks, hacker intrusion, and possible loss of data. However, the Department does not provide sufficient protection in three areas: Security patches—Every operating system has vulnerabilites that hackers can potentially exploit to attack a system. Security patches are designed to correct for identified security weaknesses, and need to be installed on computers in order to protect them from attacks. However, in general, the Department does not install these patches in a timely manner and exposes its information systems to an increased risk of inoperability or compromise. 
State of Arizona page ii Virus protection software—Since 2002, the Department has annually purchased a product that, when installed, allows it to centrally ensure that all computers have updated virus protection. However, not all divisions have installed this software on all their machines. Software downloaded from the Internet—The Department’s acceptable use policy regarding downloading software from the Internet prohibits employees from downloading any software not specifically authorized by their local IT unit. However, auditors found instances of computers with inappropriate software downloaded from the Internet. Such software potentially installs malicious programs onto department computers that could slow or lock up a computer or make it easier for hackers to attack its systems. In order to resolve these problems, the Department needs to deploy as planned a software package that will allow it to centrally manage security updates, set a time frame by which all divisions should install its entity-wide virus protection software, ensure its employees and local LAN support units understand its acceptable use policy, and monitor to ensure its divisions and employees comply with its policy. Department could improve its management of computer program changes (see pages 23 through 25) The Department could better manage its process for making changes to computer programs. Effective controls over the change process help ensure that computer program modifications are implemented only if they are properly requested, designed, tested, and approved. Failure to adequately control the program change process could lead to programs with errors or program changes that are inadequate and require additional resources to implement. 
For instance, in an audit released in January 2005, auditors identified computer errors in the Department’s Unemployment Insurance Program that potentially have subjected Arizona employers to fines and assessments by reporting inaccurate information to the U.S. Internal Revenue Service. Due to an apparent lapse in adequate testing, programmers were unable to fix this problem during the course of the previous audit.

The Department should standardize the program change process throughout its programming teams. Auditors found that the program change process varied considerably among the 20 programming teams. The lack of a uniform, standardized process increases the risk of inappropriate or inadequate changes being introduced into a system. In addition, programming teams were unable to provide testing documentation. DTS is making efforts to address both of these weaknesses. DTS is developing a documented program change management policy and plans to apply this policy to all programming teams. In addition, DTS acquired an automated testing tool that will allow it to conduct well-documented and extensive testing of program changes, which it plans to implement in July 2005.

Department has made progress in disaster recovery (see pages 27 through 31)

Although the Department has not completed a disaster recovery plan for its computer systems, it has begun to take steps to implement this goal and to join in a state-wide agency planning effort. Disaster recovery planning allows critical services to continue in the event of damage to an entity’s computer systems. In 2002, the Department purchased a computer software planning system for disaster recovery, but due to staff vacancies made little progress in completing the required information. Beginning in calendar year 2004, the agency has increased its disaster recovery efforts. For example, it began regular off-site remote backups of data and hired a disaster recovery manager.
Further, along with other state agencies, it obtained one-year funding in fiscal year 2005 for emergency computer facility (“hot site”) services and purchased hardware to allow for faster backups of its data. The Legislature approved additional funding for fiscal year 2006, although it reduced the Department’s appropriation from the previous fiscal year.[1] The Department also has begun plans to redirect its computer network to the hot site in the event of an emergency, and has started daily backups of critical system data. Finally, in addition to its own efforts, the Department is meeting with other state agencies to discuss planning for state-wide disaster recovery solutions. However, the Department needs to finish documenting its disaster recovery plan.

[1] JLBC’s recommendation stated that the reduced appropriation for fiscal year 2006, which was made from the Risk Management Fund, could generate federal matching fund monies. However, because the Fund includes federal monies, the Department is working with the State Comptroller’s Office to determine whether and how this can be done while complying with restrictions on federal monies.
TABLE OF CONTENTS

Introduction & Background  1

Finding 1: Controls over data security need improvement  9
  Access controls should protect data  9
  Weaknesses exist in protecting data  10
  Department has not provided sufficient central oversight  12
  Recommendations  15

Finding 2: Information in local area networks and computers not adequately protected  17
  LAN/computer support important to system security and operability  17
  Computers and networks not adequately protected  19
  Department has not provided sufficient central oversight  21
  Recommendations  22

Finding 3: Department could improve its management of computer program changes  23
  Effective change process important to system functionality  23
  Current change process lacks consistency  24
  Recommendations  25

Finding 4: Department has made progress in disaster recovery  27
  Disaster recovery planning minimizes service disruption  27
  Department has improved disaster recovery planning  28
  Comprehensive solutions require state-wide planning  29
  Recommendations  31

Agency Response

Tables:
  1 Schedules of Revenues and Expenditures, Years Ended June 30, 2003, 2004, and 2005 (Unaudited)  4
  2 Examples of Common Information Technology Controls  6
  3 Deficient Access Controls in the Department as of November 2004  11
  4 Status of Disaster Recovery Planning Activities as of February 2005  30

Figure:
  1 Example of a Simple Local Area Network Connected To the Internet  18

INTRODUCTION & BACKGROUND

The Office of the Auditor General has conducted a performance audit of the Arizona Department of Economic Security’s information security pursuant to a November 20, 2002, resolution of the Joint Legislative Audit Committee. This audit addresses four major aspects of the Department’s controls over computer-based information:

• Controls over access by employees and others who use the data
• Protection of computers and local area networks (LANs) against virus attacks and other intrusions or data losses
• Procedures for making changes to computer programs
• Contingency planning for restoring service in the event of a major system failure

The audit was conducted as part of the sunset review process prescribed in Arizona Revised Statutes (A.R.S.) §41-2951 et seq. and is the third in a series of six reports on the Department of Economic Security (Department). The first report reviewed the Department’s welfare programs (Auditor General Report No. 04-02) and the second its unemployment insurance program (Auditor General Report No. 05-01). Subsequent reports will examine the Department’s service integration initiative, the Division of Developmental Disabilities, and the Department’s performance in light of the sunset factors contained in Arizona statutes.

Sensitive client and benefits data increases importance of security

Because the Department uses its information systems to maintain sensitive client data and process benefits, the security of these systems is critical. The Department reports that it has more than 80 different information systems, estimates that it serves more than one million children, adults, and families each month, and uses its computers to perform a range of functions involving client data. For example, computer systems assist the Department in tracking child welfare cases, monitoring provider information and bill payment information for people with developmental disabilities, and determining eligibility for potential Temporary Assistance for Needy Families (TANF) clients. The Department’s systems also assist in processing client benefits, such as TANF cash benefits and unemployment insurance.
In fiscal year 2004, the Department used its systems to process $175 million for TANF cash benefits and approximately $395 million in unemployment claims.

Thousands of employees of various agencies use the Department’s systems. In all, there are nearly 14,100 user accounts giving access to the system. Approximately 11,730 accounts are for internal department use. In addition, more than 2,350 users, including local, state, tribal, federal, and private agencies, access the Department’s systems. For example, other government agencies and private providers access the Department’s systems to determine eligibility for programs such as employment assistance or housing and to coordinate service delivery for people with developmental disabilities.

Information technology management

The Department manages its information technology (IT) systems through a combination of centralized and decentralized management approaches. DTS manages some aspects of the Department’s systems centrally, while other divisions manage other aspects for their own systems.

IT Functions—Division of Technology Services (DTS): DTS staff manage several department-wide information technology functions. For example, DTS operates and maintains the Department’s mainframe computer and network, and its staff perform programming changes required for the Department’s systems. DTS also has responsibility for disaster recovery planning for the Department’s mainframe and central server farm in the event of damage or destruction to its Data Center. Additionally, DTS is responsible for developing policies and procedures for the entire agency and for ensuring that the Department complies with state-wide policies established by the State of Arizona’s Government Information Technology Agency (GITA), as well as any federal requirements.

IT Functions—Other Divisions: Other divisions also employ their own IT staff to manage several important information technology functions.
For example, the divisions are responsible for user account management, including approving or terminating a user’s access to the division’s computer system and assigning access rights within a system. The divisions also perform their own local area network (LAN) and desktop support duties. Specifically, they are responsible for installing, configuring, upgrading, and maintaining their servers, workstations, and computer peripherals.

Budget and staffing

The Department’s budget and staffing for information technology functions are also divided between DTS and other divisions:

Division of Technology Services—As of March 24, 2005, DTS had 359 authorized FTE positions with 76 vacancies. DTS is organized into the following units:

• Assistant Director’s Office (8 authorized positions, 3 vacancies)—The Assistant Director is the chief information officer of the Department and conducts agency-wide information technology planning activities, such as disaster recovery planning.

• Data Center Services (65 authorized positions, 14 vacancies)—Manages all Data Center operations, functions, and procedures. The Department reports that the Data Center processes, on average, more than 2.5 million online business transactions each day.

• Technical Support (51 authorized positions, 8 vacancies)—Manages the Department’s mainframe operating and database systems, its centrally located server hardware and software, and other information technology networks.

• Systems and Programming (159 authorized positions, 31 vacancies)—Designs, develops, and maintains the Department’s primary IT systems. DTS assigns programming personnel to specific programming teams that assist specific divisions.

• Support Services (22 authorized positions, 8 vacancies)—Provides services such as budget and fiscal management and agency-wide information technology planning activities.
• Information Security Administration (5 authorized positions, 0 vacancies)—Initiates and maintains measures to protect the Department’s computer hardware, software, and associated data against improper use, modification, or loss.

• Customer Service Support Center (49 authorized positions, 12 vacancies)—Responds to help desk calls, repairs PCs, and is responsible for the installation and maintenance of mainframe and other system hardware and software.

As shown in Table 1, estimated fiscal year 2005 revenues for DTS are approximately $32.4 million, including special line items for lease purchasing of nearly $7 million and for disaster recovery of approximately $750,000. Estimated fiscal year 2005 General Fund monies for DTS total approximately $6.4 million. The majority of DTS’ operating expenditures are for personnel-related expenses.

Table 1: Schedule of Revenues and Expenditures[1]
Years Ended June 30, 2003, 2004, and 2005 (Unaudited)

                                                    2003          2004          2005
                                                (Actual)      (Actual)    (Budgeted)
Revenues:
  State General Fund appropriations           $8,107,903    $7,273,112    $8,116,569
  Government grants and contracts:
    Federal Centers for Medicare and Medical
      Services Research, Demonstrations,
      and Evaluations                          6,037,169     6,025,094     6,368,799
    Federal Child Support Enforcement          3,730,251     2,949,418     3,522,562
    Federal Unemployment Insurance             2,981,122     2,826,739     3,065,696
    Federal Temporary Assistance for
      Needy Families                           1,712,780     1,481,211     1,685,150
    Federal Food Stamps Cluster                1,329,074     1,720,849     1,612,514
    Federal Social Services Block Grant        1,045,811     1,221,375     1,198,039
    Other                                      4,382,019     4,450,802     4,664,101
  Child support incentives[2]                  1,631,989     2,263,371     2,060,222
  Miscellaneous                                   76,640       182,357       137,332
  Total revenues                             $31,034,758   $30,394,328   $32,430,984

Expenditures:
  Personal services and employee-related     $16,932,868   $16,914,266   $17,805,643
  Professional and outside services              555,981       443,928     1,285,204
  Travel                                          34,372        36,415        93,041
  Other                                        4,067,953     3,904,281     4,777,876
  Equipment                                    9,443,584     9,095,438     8,469,220
  Total expenditures                         $31,034,758   $30,394,328   $32,430,984

[1] Although amounts for 2003 and 2004 are actual revenues and expenditures as of April 20, 2005, the Department anticipates further administrative adjustments for those years.
[2] Amount that is recovered by the Division of Child Support Enforcement from families who received Temporary Assistance for Needy Families. These monies are considered incentives and, therefore, are not considered federal monies.

Source: Auditor General staff analysis of Arizona Department of Economic Security-provided financial information for the years ended June 30, 2003 and 2004, from its Financial Management Control System as of April 20, 2005, and budgeted information for the year ended June 30, 2005.

Other Divisions—Although staff outside of DTS also perform IT-related functions, auditors were unable to obtain a reliable estimate for the number of staff assigned to IT duties across the other divisions because the Department does not use standardized position requirements for staff who perform duties such as user account management. However, according to DTS, as of March 2005, there were 23 separate security groups across the divisions, with 67 security representatives. In addition, as of February 2005, according to DTS, there were 22 separate groups that support local area networks and computers across the divisions, employing a total of at least 72 network specialists.

Standards for information security

This audit reviewed information security controls in four areas: access controls, local area network (LAN) and desktop computer management, program change controls, and disaster recovery management. GITA develops standards for information security controls for state agencies. At the national level, the National Institute of Standards and Technology develops standards, and the U.S. Government Accountability Office provides auditing guidelines for information security.
Table 2 (see page 6) lists some of the more important controls necessary for effective information security.

Audit scope and methodology

This audit focused on the security of the Department’s information systems and the adequacy of its information security controls. It includes four findings and associated recommendations.

• The Department should improve its oversight of access controls, including (1) gaining authority to perform, and then performing, background checks on personnel according to the sensitivity of their position, (2) ensuring that employees receive the mandatory new hire computer security training course, (3) developing a job description for security representatives with minimum qualifications and a description of duties, and (4) continuing to perform compliance reviews to ensure that security policies are followed.

• The Department should improve its oversight of LAN/desktop computer support duties, including (1) completing efforts to deploy software for controlling the implementation of security updates, (2) ensuring employees understand its acceptable use policy regarding software downloaded from the Internet, and monitoring compliance with that policy, (3) establishing a time frame by which all divisions and administrations must install centrally controlled virus protection software, and (4) establishing minimum training requirements for LAN staff that ensure staff have and maintain adequate skill levels.

• The Department should ensure that computer program changes are better controlled by continuing its efforts to develop and implement policies that standardize the process, and by implementing the automated testing tool it has acquired to improve documentation of program changes.

• The Department should complete its disaster recovery plan for information technology systems and add the new disaster recovery initiatives it has recently undertaken.

Auditors used several methods to review the issues addressed in this audit.
Audit methods included interviews with department management and staff and review of relevant statutes, rules, policies, and procedures. Auditors also reviewed information technology security standards as defined by GITA and by federal sources such as the U.S. Government Accountability Office.

Table 2: Examples of Common Information Security Controls

Access controls and security-related personnel policies
• Policies and procedures for managing user accounts
• User access limited to the minimum set of resources required for the user’s role
• Background checks of users
• Security awareness training for users

LAN and desktop computer management
• Policies and procedures restricting the use of software downloaded from the Internet to protect against spyware, adware, and other forms of malicious software
• Access to Internet and shared platforms restricted to authorized employees and contractors
• Regular installation of security patch updates
• Regular installation of virus protection updates
• Barriers or firewalls to prevent unauthorized access and protect sensitive internal information

Program change controls
• Adequate controls for computer program changes so that all changes are appropriately requested, designed, tested, approved, and implemented
• Testing of changes
• Documentation of program changes showing supervisory approval, when and how changes are made, and testing information

Disaster recovery
• Regular data backup and remote storage
• Plan for restoring services and recovering systems and data
• Periodic testing of restoration and recovery procedures

Source: Auditor General staff compilation of information from GITA security standards and the U.S. Government Accountability Office Federal Information System Controls Audit Manual (1999).
In addition, to obtain background information for this audit, auditors reviewed unaudited department reports and records, such as the State Fiscal Year 2004 DES annual report, a list of the Department’s mainframe security system’s user account information, FTE data for DTS, and descriptive information about DTS organization and functions. Additionally, auditors used the following specific methods in reviewing each area:

• To evaluate the Department’s access control practices, auditors analyzed mainframe user accounts to identify old and unused accounts or accounts whose passwords were not set to expire at regular intervals.

• To evaluate the Department’s compliance with standards regarding computer security training for new employees, auditors reviewed the training transcripts of 50 randomly selected department employees.

• To gain a better understanding of what security representatives should do, auditors obtained information from two other state agencies regarding the job descriptions and salary classifications of comparable staff.[1]

• To evaluate whether local area networks and computers are adequately protected, auditors met with LAN managers from 4 LAN support groups and analyzed reports on 39 computers provided by those 4 groups.[2] In addition, auditors conducted visits to offices supported by 3 different LAN support groups and reviewed a total of 20 computers in those visits.[3] During these field office visits auditors evaluated whether security patches had been installed, inspected desktop computers for the presence of software downloaded from the Internet that could introduce viruses or spyware into the network, and also reviewed for the presence and status of virus protection software.

• To review the program change process, auditors randomly selected ten program changes for the month of October 2004 from four of the larger department systems.[4] Auditors subsequently met with the team leaders for each of the teams responsible for those systems to review program change documentation, how the process is performed in their team, and testing practices.

• To assess the status of the Department’s disaster recovery plan, auditors reviewed the computer software disaster recovery planning program the Department purchased and a staff outline showing steps completed in the planning process. Auditors also reviewed logs of backup tapes for agency data and results of tests to reduce backup time.

[1] Auditors received information from the Departments of Transportation and Administration, two other large state agencies that handle user account management duties.
[2] Auditors met with and received reports from LAN managers in the Division of Developmental Disabilities; the Division of Children, Youth and Families; the Division of Employee Services and Support; and the Division of Employment and Rehabilitation Services—Employment Administration.
[3] Auditors conducted visits to field offices supported by LAN staff from the Division of Developmental Disabilities; the Division of Children, Youth and Families; and the Division of Employment and Rehabilitation Services—Employment Administration.
[4] Major systems corresponded to the Division of Benefits and Medical Eligibility—Family Assistance Administration; the Division of Child Support Enforcement; the Division of Children, Youth and Families; and the Division of Employment and Rehabilitation Services—Employment Administration.
Additionally, auditors reviewed a tri-agency Project Investment Justification (PIJ) that the Arizona Information Technology Committee approved for disaster recovery planning, as well as vendor contracts for the provision of temporary emergency computer services and storage of the Department’s backup tapes.

The audit was conducted in accordance with government auditing standards.

The Auditor General and staff express appreciation to the director of the Department of Economic Security, the director of the Division of Technology Services, and their staff for their cooperation and assistance throughout the audit.

FINDING 1: Controls over data security need improvement

The Department needs to establish better access controls over its information systems and strengthen central oversight of data security. Access controls and other aspects of the security environment should be strengthened throughout the Department to prevent subjecting confidential information to potential loss or disclosure. Although the Department has recently begun to strengthen central oversight, its monitoring and supervision of data security functions still needs improvement. Account management practices within individual divisions are generally poor. For instance, department units vary greatly in the qualifications they have established for employees responsible for data security, and newly hired employees are not necessarily receiving the mandatory computer security training the Department has established.

Access controls should protect data

Access controls should be designed to protect computer systems and data from unauthorized modification, loss, or disclosure. For example, access controls should ensure that security privileges, such as the ability to create, update, or delete user accounts and reset passwords, are limited only to those people who need this function to perform their job duties.
Weak access controls increase the risk of fraud or identity theft, or the loss of data integrity. As noted in the text box, the Department has experienced internal security incidents in the past.

Data Security Incidents

Identity theft—In 2001, an employee of a contractor that administered public assistance programs admitted to Phoenix Police and the Department’s Office of Special Investigations that she printed out the personal information of welfare recipients from a department system, and then sold that information.

Social engineering—During 2001-2002, a department employee used a social engineering technique to access the account of a coworker who was on leave and used that account to fraudulently issue herself more than $50,000 in welfare benefits. Social engineering is any technique that manipulates individuals to disclose or alter passwords, allowing others to gain unauthorized access.

Fraud—Because the Department cannot legally perform background checks on people with access to its systems, it unknowingly hired an individual with a criminal record for fraud who lied on her application. This woman subsequently committed fraud against the Department in excess of $100,000. This incident occurred between 1992 and 1994, but the Department still does not have authority to perform background checks on eligibility interviewers like this former employee.

Each division within the Department manages its own access controls. Divisions hire their own security representative(s) to create user accounts, assign individuals’ access to data and resources, and manage user accounts. While every division has at least one security group, some divisions have multiple security groups designated to assist specific business units. According to DTS, as of March 2005 there were 23 separate security groups, with 67 security representatives.
DTS has recently begun to address department-wide security issues through its Information Security Administration. Within the past year the Information Security Administration has begun to perform compliance reviews and general assessments of information security throughout the Department.

Weaknesses exist in protecting data

The Department’s current security environment and access controls should be strengthened. Auditors found that the Department does not effectively manage its user accounts. While it is beginning to address some of the deficiencies, the Department needs to take additional steps to improve.

Controls to restrict access and protect data need improvement—As shown in Table 3 (see page 11), the Department lacks several controls to help ensure that data is adequately restricted and protected. Auditors found that these weaknesses are common throughout the Department and indicate that the Department is not in compliance with GITA state-wide standards. These weaknesses increase the risk that employees have too much access or authority to sensitive data and that unauthorized access could occur through old and unused accounts. Because auditors were primarily assessing system controls, they did not attempt to identify actual cases in which a breach of security occurred. However, auditors did observe situations that illustrate the potential for such occurrences. Table 3 (see page 11) explains the controls required in state and national standards and describes the situations that auditors found regarding them.

Department is taking action, but needs to do more—During the course of the audit the Department began to address some of the issues identified in Table 3 (see page 11). For example, DTS has begun to address the high number of user accounts with security administration privileges by removing these privileges from some accounts.
Table 3: Deficient Access Controls in the Department as of November 2004

Reviewing access rights
  Necessary control: Access rights should be reviewed periodically to ensure that access to resources is granted only to those who need them to perform their jobs.
  Conditions found:
  • In general, security representatives do not review access rights on a regular basis to ensure users’ access to data and authority to create, modify, or delete records is appropriate.
  Potential threat: Failure to ensure appropriate access rights could permit employees to improperly access confidential or other sensitive data without a need to do so.

Assigning special privileges
  Necessary control: Security and account privileges, which provide the authority to perform special functions, such as creating, updating, and deleting user accounts, should be defined and properly restricted.
  Conditions found:
  • The Department has not defined who should have security administration privileges, nor documented why they need such privileges. Individuals range from a grade 8 clerical pool staff to division management.
  • More than 80 individuals had security administration privileges, more than the number of individuals managing user accounts at two large state agencies: the Departments of Transportation and Administration. Many of these people do not use or need this privilege and many are not members of their unit’s security group.
  • Some security accounts belong to individuals who either left their division or transferred to a job that does not need such special privileges.
  Potential threat: Failure to appropriately restrict security administration privileges increases the risk that unauthorized accounts may be created and data improperly accessed. In addition, individuals may not be properly trained or qualified for special privileged access.

Updating passwords
  Necessary control: Users should have to change their passwords regularly. According to department policy, passwords should be changed at least once every 30 days.
  Conditions found:
  • More than 200 accounts assigned to individuals do not require users to change their passwords at regular intervals. For instance, one employee has not changed his password in nearly 2 years.
  Potential threat: Not changing passwords on a regular basis increases the risk of passwords being discovered and used by unauthorized users.

Removing unused user accounts
  Necessary control: Unused accounts should be removed from the system regularly, as appropriate. According to department policy, unused accounts should be deleted after 90 days of disuse.
  Conditions found:
  • More than 2,000 user accounts have not been accessed for 90 days or more (nearly 900 belong to specific individuals, while the rest are training or system accounts), and more than 1,300 of those accounts have not been accessed in over a year.
  • More than 1,100 user accounts have never been used (more than 950 belong to specific individuals).
  Potential threat: The presence of old and unused accounts increases the risk that people who should no longer have access may continue to access systems, or that other people, such as hackers, may discover and use the accounts to access systems. This is an especially serious risk in the Department because its mainframe security software does not automatically lock out a user after 90 days of disuse.

Source: Auditor General staff analysis of the Department’s 14,082 mainframe user accounts as of November 29, 2004; follow-up interviews with security group personnel located in divisions and programs throughout the Department; review of department policies; and guidelines from the U.S. Government Accountability Office’s Federal Information System Controls Audit Manual (1999).
In order to comply with standards regarding data security, DTS should continue to develop new guidelines and improve practices in the following control areas:

• Reviewing access rights—Security group personnel should conduct periodic reviews of access rights to ensure these rights are appropriately defined, and DTS should monitor security groups for compliance.

• Special account privileges—DTS should define who needs security administration privileges and what kind of authority is needed. The Department should then use its mainframe security software to restrict the authority of accounts with security administration privileges to what each account actually requires. For example, a user who needs only to reset passwords should not be granted the full set of security privileges. DTS needs to collaborate with the divisions to define and restrict security administration privileges to the minimum level required for employees to perform their duties. In March 2005, DTS completed a review of accounts with security privileges. As a result, it deleted some accounts and reduced privileges for some others.

• Passwords and user account management—In March 2005, the Department adopted a new policy governing account management. This policy requires the production of a monthly report that shows all users who have not accessed the Department’s mainframe in 30 days, and another report showing users who have not accessed it in 90 days. In addition, in April 2005, DTS updated its access control policy to set forth clear guidelines related to deleting old and unused accounts. DTS should monitor compliance with these new and updated policies to ensure that old and unused accounts are properly deleted and account passwords are changed at least every 30 days.
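The account analysis the auditors describe (old, unused and never-used accounts; passwords not set to expire; accounts holding security administration privileges without a need) and the 30-day and 90-day inactivity reports the March 2005 policy requires, as an added example that is not the Department’s or DTS’ own tooling. It runs the Table 3 checks over a constructed set of account records; the pipe-delimited export layout, the field names and the sample accounts are assumptions, not the mainframe security software’s real output.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds taken from the department policies the report describes.
PASSWORD_MAX_AGE_DAYS = 30    # passwords must be changed at least every 30 days
UNUSED_ACCOUNT_DAYS = 90      # unused accounts are to be deleted after 90 days
OVER_A_YEAR_DAYS = 365

# Snapshot date used for Table 3 in the report.
AS_OF = date(2004, 11, 29)

# Constructed sample export (hypothetical layout, not a real mainframe extract):
# userid|owner|last_access|password_changed|password_expires|security_admin|in_security_group|active
SAMPLE_EXPORT = """\
u001|individual|2004-11-20|2004-11-10|yes|no|no|yes
u002|individual|2004-06-01|2004-05-30|yes|no|no|yes
u003|individual|2003-09-15|2003-01-12|no|yes|no|no
u004|individual|never|never|yes|no|no|yes
u005|training|2004-02-02|2004-02-02|yes|no|no|yes
u006|individual|2004-11-28|2004-11-25|yes|yes|yes|yes
u007|system|never|2004-01-01|no|no|no|yes
u008|individual|2004-11-01|2004-09-01|no|yes|no|yes
"""


@dataclass
class Account:
    userid: str
    owner: str                        # "individual", "training" or "system"
    last_access: Optional[date]       # None: the account has never been used
    password_changed: Optional[date]  # None: no password change recorded
    password_expires: bool            # False: password not set to expire at intervals
    security_admin: bool              # holds security administration privileges
    in_security_group: bool           # member of a unit's security group
    active: bool                      # still employed in the owning division


def _date_or_none(field: str) -> Optional[date]:
    return None if field == "never" else date.fromisoformat(field)


def parse_export(text: str) -> list:
    """Parse the constructed export into Account records."""
    accounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        uid, owner, last, pwd, expires, admin, group, active = line.split("|")
        accounts.append(Account(
            userid=uid, owner=owner,
            last_access=_date_or_none(last),
            password_changed=_date_or_none(pwd),
            password_expires=expires == "yes",
            security_admin=admin == "yes",
            in_security_group=group == "yes",
            active=active == "yes",
        ))
    return accounts


def inactive_for(accounts, days, today=AS_OF):
    """Accounts whose recorded last access is at least `days` days old.
    With days=30 and days=90 this is the monthly report the policy requires."""
    return [a for a in accounts
            if a.last_access is not None and (today - a.last_access).days >= days]


def never_used(accounts):
    return [a for a in accounts if a.last_access is None]


def non_expiring_passwords(accounts):
    return [a for a in accounts if not a.password_expires]


def stale_passwords(accounts, today=AS_OF):
    """Passwords older than the 30-day policy maximum."""
    return [a for a in accounts if a.password_changed is not None
            and (today - a.password_changed).days > PASSWORD_MAX_AGE_DAYS]


def questionable_security_admins(accounts):
    """Security administration privileges held by someone who has left or who
    is not in a security group (the 'special privileges' row of Table 3)."""
    return [a for a in accounts
            if a.security_admin and (not a.active or not a.in_security_group)]


def audit(accounts, today=AS_OF) -> dict:
    """Counts in the shape of Table 3's 'conditions found' column."""
    inactive = inactive_for(accounts, UNUSED_ACCOUNT_DAYS, today)
    unused = never_used(accounts)
    return {
        "inactive_90": len(inactive),
        "inactive_90_individual": sum(a.owner == "individual" for a in inactive),
        "inactive_over_year": len(inactive_for(accounts, OVER_A_YEAR_DAYS, today)),
        "never_used": len(unused),
        "never_used_individual": sum(a.owner == "individual" for a in unused),
        "non_expiring_password": len(non_expiring_passwords(accounts)),
        "stale_password": len(stale_passwords(accounts, today)),
        "questionable_security_admin": len(questionable_security_admins(accounts)),
    }


if __name__ == "__main__":
    for key, value in audit(parse_export(SAMPLE_EXPORT)).items():
        print(f"{key:30s} {value}")
```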
Department has not provided sufficient central oversight

The existence of general security concerns, such as poor user account management, appears to be related to a lack of central oversight of the separate security groups, security representatives, and the activities they perform, as well as a historically weak internal security structure. The Department can improve central oversight by adding an IT audit function, better defining its internal security structure and security representative job requirements, ensuring new employees receive mandatory computer security training, and obtaining legal authority to conduct background checks of employees in sensitive positions.

Lack of central review for security compliance—Historically, the Department has not provided central oversight of security functions. However, DTS established an Information Security Administration in September 2003, and has recently begun to perform some compliance reviews and general assessments of information security throughout the Department. The Information Security Administration should continue to conduct compliance reviews and assessments, develop a schedule of regular reviews, and establish policies and procedures or a manual to document its practices. In addition, the Information Security Administration should develop a follow-up process to ensure divisions appropriately comply with recommendations. While DTS’ activities will help improve central oversight, the Department needs to augment this review. The Department does have an internal auditing group, but it currently does not audit IT issues. In addition, the Department has never undergone an external independent third-party review of its information security.

Access rights—privileges that define the extent to which an individual can access computer systems and use or modify the programs and data.
An internal IT audit function is important because it helps the Department obtain effective and efficient security controls. In addition, other state agencies, such as the Departments of Transportation and Administration, have contracted with external experts to perform security assessments to review the adequacy of their IT structures. Although such security assessments may cost several hundred thousand dollars, they provide independent assurance that certain state and federally mandated standards are met. According to DTS management, if and when the Department decides to acquire an external review, it will then identify an appropriate funding source. The Department should establish an internal IT audit function. In addition, the Department should consider contracting for an independent security assessment.

Department has not defined security representative position—The Department has not created a job position, description, or minimum qualifications for security representatives. Instead, each security group decides whom to hire and, to some extent, their job responsibilities. As a result, auditors found that one division has security representatives with backgrounds in information technology. These security representatives are paid substantially better than those in other security groups, which use support and clerical staff to perform the same functions. By comparison, the Departments of Transportation and Administration have job descriptions, minimum qualifications, and pay grades for their employees who manage user accounts. These employees are paid salaries greater than the Department’s security representatives noted above. Some essential tasks of such positions include user account management, monitoring user access, and investigating security violations. The Department developed a draft job description in June 2005, which contains the minimum qualifications for a security representative.
The Department should adopt this job description to ensure that only individuals who meet these qualifications are authorized to conduct security representative duties.

Security representative job resources and training inadequate—In addition to lacking a job description and minimum qualifications for security representatives, the Department does not have a manual explaining what security representatives should do, and does not provide them regular training. The Department should develop a manual regarding the duties of a security representative that can be used as a reference resource and ensure that adequate training is provided so that they understand their jobs and duties. Currently, the Department considers only employees who handle mainframe access rights to be security representatives. However, in some divisions other personnel handle system application access rights and therefore could also be considered security representatives. The Department needs to identify these people who perform similar duties, include them as security representatives, and ensure they meet certain minimum qualifications and receive appropriate training.

Not all newly hired employees receive computer security training—GITA standards require that all state employees receive computer security training prior to being allowed computer access, and the Department has a similar policy. The Department’s training informs employees of its security practices. For instance, the training manual tells employees that they should never divulge their passwords to anyone. However, in a random sample of 50 employee training records maintained in a central training database, only 21 (42 percent) department employees had taken this mandatory course. According to the Department’s training management, the Department has failed to create tracking and follow-up mechanisms to ensure that all new hires receive this mandatory training.
The Department should ensure that all employees receive this mandatory training and monitor for compliance.

Department lacks legal authority to conduct background checks on key personnel—Background checks are an important tool in making sure that untrustworthy individuals who might commit identity theft or fraud, or otherwise compromise data integrity, are not hired or placed in positions of trust. According to Arizona Revised Statutes, noncriminal justice agencies must receive either statutory authority or an executive order granting them the ability to conduct background checks for the purpose of hiring particular employees. However, the Department does not have this authority, other than for some employees who work with juveniles or children. Another state agency, the Department of Administration, has statutory authority to request criminal background information on IT personnel. The Department should determine which positions involve the security and access of sensitive information and therefore merit a background check. The Department should then request the authority, through statute or an executive order, and ensure background checks are conducted on those individuals. In addition, periodic background checks should be conducted on long-term employees in accordance with the sensitivity of their position.

Criminal background checks are not conducted on IT personnel.

Recommendations

1. In order to address user account weaknesses, DTS should:
a. Create guidelines requiring periodic reviews of access rights to ensure that users have only the access that they need to perform their jobs.
b. Define who needs security administration privileges, and what kind of authority they need, so that these privileges can be restricted to the minimum levels required for employees to perform their duties.
c. Monitor compliance with new and updated policies addressing account management and access control to ensure that old and unused accounts are properly deleted and account passwords are changed at least every 30 days.
2. The Information Security Administration should continue to conduct compliance reviews and assessments, develop a schedule of regular reviews, and establish policies and procedures to document its practices, including a follow-up process to ensure divisions comply with recommendations.
3. In order to increase compliance with security requirements, the Department should:
a. Establish an internal IT audit function.
b. Consider contracting for an independent security assessment.
4. In order to ensure that security representatives know their duties and are capable of doing them, DTS should work with security groups to:
a. Adopt a job description with minimum qualifications for security representatives and ensure that only individuals who meet these qualifications are authorized to conduct these duties.
b. Develop a manual regarding the duties of a security representative as a reference source.
c. Ensure that security representatives understand their job duties and receive periodic training.
d. Identify other individuals who perform duties similar to security representatives; specifically, those who perform system application (non-mainframe) access right duties, and ensure that they understand their job duties and receive periodic training.
5. The Department should ensure that new employees receive the mandatory computer security training.
6. The Department should determine which positions involve the security and access of sensitive information and therefore merit a background check. It should then request the authority, either through statute or an executive order, to conduct background checks and ensure background checks are conducted on those individuals.
The Department should also conduct periodic background checks on long-term employees in accordance with the sensitivity of their position.

FINDING 2

Information in local area networks and computers not adequately protected

The Department needs to improve management of its local area networks (LANs) and computers to better ensure system security and operability. Good management of LANs and computers provides protection against virus attacks, unauthorized intrusion, and possible loss of data. However, the Department does not adequately ensure that virus protection updates and security patches, which fix known security vulnerabilities that outside threats could exploit, are up-to-date, and that employees do not download unsafe software from the Internet. While the Department is taking some steps to improve security, it could do more.

LAN/computer support important to system security and operability

Local area networks connect computers within a limited geographic area so that they can share information, share computer peripherals such as printers, and access systems and data that support their job functions. (See Figure 1, page 18, for an illustration of a LAN.) Separate LANs can be connected to form larger networks, as is the case within the Department. The Department uses larger networks to connect computers throughout the State to each other and to central data repositories. For example, the Division of Children, Youth and Families’ employees use their network connection to use shared devices in field offices, such as printers, and to access the Internet, e-mail, the Division’s computer systems, and any other department computer systems that a given employee is authorized to use.

The Department manages LAN/computer security in a decentralized manner.
Each division operates one or more local LAN support units by hiring its own network support specialists who install, configure, upgrade, and maintain the local area networks, servers, and computers. According to DTS, there are 22 separate local LAN support units, with 72 network specialists in those groups. DTS, through its own LAN manager, conducts monthly meetings for LAN support staff during which entity-wide issues may be discussed.

Securing local area networks and computers is important so that viruses or security weaknesses in one computer cannot negatively impact other computers in the network, and to prevent unauthorized access into systems and data. For example, in August 2003 the Department, along with other entities that failed to implement a specific security patch update, was infected by the Nachi virus (see text box). This virus quickly spread throughout the Department and increased network traffic by about eight times its normal rate, bringing down or limiting system operability for about 2 days throughout the Department.

Example of Nachi Virus Infection at the Department
Discovery date—August 18, 2003
Method of infection—Spreads by exploiting a vulnerability in Microsoft Windows. Irrespective of virus protection, if the machine is not patched, it is susceptible to attack.
Resolution—Apply Microsoft security update MS03-026 and then disinfect the system with a virus removal program.
Intentions of the virus—Spreads by exploiting a hole in Microsoft Windows. It instructs a computer to download and execute the virus from the infected host.
Source: McAfee, Inc. Web site, reviewed March 29, 2005.

Figure 1: Example of a Simple Local Area Network Connected To the Internet (diagram only; it shows the Internet, a firewall, a router, a server, three switches, a printer, and User Groups 1 through 3)
Source: Auditor General staff.
The Department’s virus protection software detected about 134,000 infections by the Nachi virus during one week. This attack was propagated due to inadequate computer security patches.

Computers and networks not adequately protected

The Department needs to improve management of its LANs and computers to better protect them against possible virus attacks, hackers, and possible loss of data. Auditors found that local LAN support units do not consistently perform key security functions such as installing security patches to protect computers from outside threats, installing virus protection software, and prohibiting the download and installation of Internet software that can contain harmful programs.

Security patches not installed—Timely installation of security patch updates is vital in order to maintain the operational availability, confidentiality, and integrity of information technology systems, but the Department is not ensuring that these patches are deployed in a timely manner. Every operating system has vulnerabilities that hackers can potentially exploit to attack a system. For example, hackers have discovered vulnerabilities in the Microsoft Windows operating system. As a result, Microsoft regularly issues critical security updates that are designed to patch the security hole that has been identified. For instance, one February 2005 security update is necessary in order to help ensure that a computer environment is not vulnerable to an outside attack (see text box). If this update is not installed on the machine, the computer environment may be exposed to an unnecessary amount of risk. Automated computer tools exist that allow organizations to centrally control and install security updates on all computers connected to a given network. However, auditors reviewed the practices in four different local LAN support units and found that only one of the four uses an automated tool to ensure that updates are installed on all computers.
Staff in the other three local LAN support units stated that they perform security updates only when they either physically go to the computer or remotely access it, installing updates one computer at a time. Auditors reviewed 57 department computers and found 55 computers missing one or more critical updates. Seven were missing more than 20 updates, and some of the missing updates have been available since 2003. For example, one update issued in October 2003 patches a vulnerability that could allow an attacker to remotely control a computer if that computer user accesses a Web site or views e-mail from someone with malicious intent. Microsoft recommends that this patch be installed immediately. In April 2005, the Department identified an automated tool that will allow it to centrally control security updates for all Department computers. DTS reports it procured the tool in June 2005, and plans to implement it in January 2006. According to department officials, this will help ensure that the Department can respond to risks in the computer environment in a more timely and effective manner. The Department should implement the tool as planned. In addition, it should periodically monitor to ensure that updates are installed on all computers.

Poor protection of computers resulted in limited network operability for 2 days.

Example of a Windows Security Update
Release Date—February 8, 2005.
Recommendation—Customers should apply the update immediately.
Vulnerability details—An attacker could exploit a vulnerability that could potentially allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Source: Microsoft Security Bulletin MS05-012.
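The periodic monitoring recommended above for security patches (how many computers are missing critical updates, how many are missing more than 20, and how long the oldest missing update has been available) amounts to comparing each computer's installed updates against a required list with release dates. The following is an added example written for this page, not the Department's tool or any vendor product; the inventory, the hostnames, and every update identifier other than MS05-012 (whose release date the text box above gives) are constructed stand-ins.

```python
"""Critical-update compliance report over a constructed computer inventory.
Added example, not the Department's own tool. Hostnames and all update ids
except MS05-012 are constructed; the release date for MS05-012 is the one
stated in the Microsoft Security Bulletin text box on this page."""
from datetime import date

AS_OF = date(2005, 4, 1)  # assumed review date for the report

# Constructed catalogue of required critical updates: id -> release date.
REQUIRED_UPDATES = {
    "MS05-012": date(2005, 2, 8),        # release date from the text box
    "CRIT-2003-10": date(2003, 10, 15),  # constructed stand-in, October 2003
    "CRIT-2004-04": date(2004, 4, 13),   # constructed
    "CRIT-2004-08": date(2004, 8, 10),   # constructed
}

# Constructed inventory: hostname -> set of installed update ids.
INVENTORY = {
    "pc-field-01": {"MS05-012", "CRIT-2003-10", "CRIT-2004-04", "CRIT-2004-08"},
    "pc-field-02": {"CRIT-2003-10", "CRIT-2004-04"},
    "pc-field-03": set(),
    "pc-office-11": {"CRIT-2003-10", "CRIT-2004-04", "CRIT-2004-08"},
}


def missing_updates(installed, required=REQUIRED_UPDATES):
    """Return the required update ids not present on one computer."""
    return sorted(set(required) - set(installed))


def compliance_report(inventory=INVENTORY, required=REQUIRED_UPDATES,
                      as_of=AS_OF, many_threshold=20):
    """Summarize gaps the way the audit did: which machines are missing
    anything, which are missing more than many_threshold updates, and how
    many days the oldest missing update has been available."""
    report = {"noncompliant": {}, "missing_many": [], "oldest_gap_days": 0}
    for host, installed in inventory.items():
        gaps = missing_updates(installed, required)
        if not gaps:
            continue
        report["noncompliant"][host] = gaps
        if len(gaps) > many_threshold:
            report["missing_many"].append(host)
        oldest = max((as_of - required[u]).days for u in gaps)
        report["oldest_gap_days"] = max(report["oldest_gap_days"], oldest)
    return report


if __name__ == "__main__":
    r = compliance_report()
    print(f"{len(r['noncompliant'])} of {len(INVENTORY)} computers missing "
          f"critical updates; oldest gap {r['oldest_gap_days']} days")
    for host, gaps in r["noncompliant"].items():
        print(f"  {host}: missing {', '.join(gaps)}")
```

The report is keyed by hostname so that the follow-up after a centrally controlled deployment can be the same script run again, with an empty noncompliant set as the expected result; the threshold is a parameter because a small pilot inventory will never reach the 20-update mark the audit used.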
Virus protection coverage recently improved—Antivirus software helps protect a computer from virus attacks by detecting and removing computer viruses, which in turn helps protect the network from attacks because the computer would then not infect other computers in the network. The Department has recently increased participation in centrally controlled virus protection software, but this software is still not used uniformly. Since 2002, the Department has purchased an annual license for an entity-wide version of virus protection that can be installed on every machine in the Department and allows the Department to centrally control and monitor to ensure that the most recent virus protection updates are received by every computer. However, not every division is using this software to protect all of their computers.¹ The Department is in the process of moving all of its computers to this centrally controlled process, and internal reports indicate the number of computers receiving daily virus updates has increased from nearly 4,600 in November 2004 to nearly 5,700 in February 2005. According to internal reports, about 2,000 computers still remain outside the Department’s centrally controlled virus protection software. The Department should create a time frame by which all divisions and administrations must use this centrally administered virus protection software, ensure that all computers have the virus protection software installed, and then monitor to ensure that all computers regularly receive current updates.

Downloaded software poses risk—Downloading and installing software from the Internet can potentially expose a computer environment to malicious code, and currently not enough is being done to minimize this risk. When an employee installs a free program from the Internet, he or she may also unknowingly be installing adware, spyware, or other forms of malware (see text box on page 21).
This software can potentially allow outside users to discover passwords, slow or lock up a system, and install other forms of malware. The Department has an acceptable use policy which states that employees are prohibited from downloading and installing any software program not specifically authorized by local IT management. However, when auditors conducted field office visits of three divisions, they found nonbusiness-related software downloaded from the Internet on 6 of 20 computers reviewed. For example, auditors found a Web search tool that is known to also install adware that logs the computer’s Internet activity, changes the Internet browser, and displays advertisements. The Department should ensure that its employees and local LAN support units understand its current acceptable use policy, and monitor its divisions and employees for compliance. For example, local LAN support units could conduct random reviews of computers to determine if nonbusiness-related software had been installed.

Seven computers were missing more than 20 critical security updates.

¹ Staff in four local LAN support units said all their computers have at least a local version of virus protection installed. One of these units provided a report indicating that all of its more than 600 personal computers have virus protection software installed and are receiving weekly updates; however, ensuring that the entire network is protected would require checking thousands of additional computers.

Department has not provided sufficient central oversight

Similar to its lack of central oversight of groups of security representatives, the Department historically has not provided sufficient central oversight over the security of its LANs and computers, and therefore some of the weaknesses and recommendations identified in Finding 1—Access Controls (see pages 9 through 15) apply to LAN oversight and compliance as well.
Specifically, the Department has not provided oversight to ensure that local IT staff comply with relevant standards. The Information Security Administration is now beginning to review certain LAN security issues throughout the Department, and, as recommended in Finding 1, should continue to conduct compliance reviews and assessments, develop a schedule of regular reviews, and document its practices. If, as recommended in Finding 1, the Department establishes an internal IT audit function and possibly contracts for an independent security assessment, it should include the security of LANs and computers as part of those reviews.

While DTS is currently attempting to address the lack of central oversight by establishing centralized control of key LAN security tasks, more needs to be done to ensure employees have the necessary skills for their jobs. Current projects in the Department will bring all networks into a single administrative structure, centralize security patch management, and centralize virus protection. However, the Department has not established standards for minimum training requirements for network support personnel. Training for these employees is important because they work in a constantly changing environment. The Department should review the training practices of the local LAN support units and establish regular training requirements that will help ensure that LAN support staff have and maintain adequate skill levels.

Spyware—any software that covertly gathers user information, such as passwords, through the user’s Internet connection; typically bundled as a hidden component in freeware or shareware programs that are downloaded from the Internet.
Adware—a form of spyware that collects information about the user in order to display advertisements in the Web browser.
Malware—software designed to disrupt or harm a system, such as a virus.

Recommendations

1. To ensure that all computers have up-to-date security patches installed, the Department should:
a. Deploy as planned an automated tool that will allow it to centrally control and manage security updates.
b. Periodically monitor to ensure that all computers have critical security updates installed.
2. To better ensure computers are protected from viruses, the Department should:
a. Develop a time frame by which all divisions must install the entity-wide virus protection software the Department has already purchased.
b. Ensure that all computers have the virus protection installed.
c. Monitor to ensure that all department computers regularly receive current updates.
3. To better ensure computers are protected from spyware and other forms of malware, the Department should:
a. Ensure that employees and local LAN support units understand the Department’s acceptable use policy.
b. Monitor to ensure that its divisions and employees comply with the policy.
4. The Department should review the training practices of the local LAN support units and establish training requirements sufficient to ensure that LAN staff have and maintain adequate skill levels.

Department could improve its management of computer program changes

The Department could better manage its process for making changes to computer programs. Effective controls over this process help ensure that only authorized modifications are made to computer programs. DTS has more than 20 project teams working on department systems. Their processes are inconsistent across programming teams and their testing of programming changes is not always adequate to ensure that program modifications are fully functional and correct. However, the Department is making efforts to address these issues.

Effective change process important to system functionality

Department systems frequently require changes to their computer programs.
State or federal mandates, such as the federal Health Insurance Portability and Accountability Act (HIPAA), require changes in department systems. In addition, divisions that use the systems may identify errors or recommend changes for improvement. During the first half of fiscal year 2005, the Department implemented 991 change requests to its mainframe systems, according to a department report.

Effective management of the program change process is important to ensure that programmers do not introduce malicious or inappropriate changes to a system, and to safeguard systems against ineffective or faulty program changes. Inadequate program change management can lead to programming errors and inefficiencies. For example, in a previous audit, auditors found significant computer errors that potentially subjected Arizona employers to penalties and assessments by providing inaccurate information to the U.S. Internal Revenue Service. During that audit the Department attempted to correct the errors, but auditors found that the program continued to produce inaccurate information, indicating that testing of this program change was inadequate. For greater detail on this programming error, see the Department of Economic Security, Division of Employment and Rehabilitation Services—Unemployment Insurance Program, Auditor General Report No. 05-01, pages 21-24.

FINDING 3

Program Change Example
Requesting Unit—Division of Benefits and Medical Eligibility
Reason for Request—The Department’s electronic benefits transfer (EBT) program changed vendors.
Request—Allows for changes that are necessary to convert EBT to the new vendor.

Current change process lacks consistency

The current process for making changes varies greatly among programming teams. The program change process should be adequately controlled so that all changes are appropriately requested, designed, tested, approved, and implemented.
The Department’s Quality Assurance group, which moves program changes to production, does not move any change to production without documentation showing that the change is appropriately approved by the end user and the programmer’s supervisor. However, the lack of consistency between teams increases the risk of having inadequate controls over some program changes. DTS is making efforts to improve its program change process.

Program change process can be improved—DTS can improve two aspects of program change management:

Program change process not standardized across programming teams—The DTS programming group employs more than 120 programmers assigned to over 20 programming teams that each work on separate systems or parts of systems. Different teams use different procedures to manage the program change process. Specifically, teams use different procedures and forms to receive user requests for program changes, track progress, and note approval for program changes. Some teams had no written documentation illustrating their procedures or overall methodology. The lack of a uniform, standardized process increases the risk of having inappropriate or inadequate changes introduced into a system and having inadequate documentation necessary for performing program maintenance.

Testing of program changes is not always adequate—An essential step in developing a program change is adequate testing so that the change will be fully functional and work correctly once it is moved to production. However, according to division officials, programmers typically conduct only limited testing of program changes before allowing the end user to conduct testing. Further, DTS has not established standards for what is acceptable testing of program changes. Often, DTS could not provide auditors with documentation of test plans and test results.

DTS making efforts to address weaknesses—DTS is making efforts to address both of these weaknesses.
Specifically:

Standardizing the program change process—DTS is developing a written system development methodology and program change management policy. The new methodology and policy are being created to govern a new programming area within the Department, but DTS anticipates using these policies and procedures to standardize, to the extent possible, this same methodology across all teams. According to DTS management, these policies will not be finalized until some time after June 30, 2005. DTS should ensure that this methodology is applied to all project teams.

Improving the adequacy of testing—In April 2005, the Department acquired an automated testing tool that will allow it to conduct well-documented, thorough testing of program changes. According to DTS management, this tool should be implemented by July 2005. DTS should ensure that the testers receive adequate training to use the new tool and ensure that it is used as frequently as possible, in accordance with the nature of the program change.

Recommendations

1. DTS should standardize its program change process throughout programming teams by completing its current efforts to develop a documented system development methodology and program change policy and then applying the new practices to all project teams, to the extent possible.
2. DTS should improve its testing of program changes by:
a. Continuing its efforts to implement an automated testing tool.
b. Ensuring that testers receive adequate training to use the new tool.
c. Using the tool as frequently as possible, in accordance with the nature of the program change.

Department has made progress in disaster recovery

The Department has made progress in improving its disaster recovery planning—its procedures for what to do in the event of a major hardware or software failure—although it needs to complete its efforts to put effective procedures in place.
Disaster recovery planning allows critical services to continue even when major computer systems are damaged or destroyed. Since 2004, the Department has taken a number of actions to put a disaster recovery plan in place, although it still needs to complete and test the plan and move forward with plans to back up critical systems daily. However, its current plans address only those actions needed if disruptions last for a short period. A comprehensive solution will require state-wide disaster recovery planning and identification of future funding sources.

Disaster recovery planning minimizes service disruption

Disaster recovery planning allows critical services to continue in the event of damage to an agency’s computer systems. Without such planning, an agency can lose the ability to provide services to the public for an extended period of time. In the Department’s case, loss of its computer systems would disrupt services to an estimated 1 million or more people and affect claims and benefits payments such as unemployment insurance or TANF cash assistance (see text box). Therefore, it is very important for the Department to have an up-to-date contingency plan so it can resume services as quickly as possible should a major computer hardware or software failure occur.

FINDING 4

The Department reports that it serves over 1 million children, adults, and families per month.
Damage to the Department’s computer systems can lead to the disruption of critical services, such as:

• Unemployment insurance payments: an average of over $32.9 million per month in fiscal year 2004
• Federal TANF cash benefits: an average of over $14.6 million per month in fiscal year 2004
• Ability to track client information for programs such as Child Protective Services and foster care
• Timely payments to agencies providing services to Arizona children, families, the disabled, and the elderly

Source: Auditor General staff analysis of the Department of Economic Security Annual Report for SFY 2004; and list of mainframe application systems provided by the Department.

Comprehensive government and industry standards exist for disaster recovery plans. For example, GITA’s standards include developing procedures and tasks for staff to assist in system recovery and arranging with vendors to provide computer services. In general, a comprehensive disaster recovery plan should include the following components:

• A risk analysis identifying critical transactions for department programs;
• A designated alternative computer facility or “hot site”;
• Development of test plans to determine the effectiveness of disaster recovery procedures, with periodic testing of these plans;
• Employees organized into disaster recovery teams, along with tasks assigned to those teams;
• A list of procedures for processing critical transactions, including forms and other documents to use; and
• Scheduling frequent regular backups of agency information and storing that information at remote sites throughout the year.

Department has improved disaster recovery planning

The Department has made progress in disaster recovery planning after experiencing some delays due primarily to lack of staff.
Although the Department has made progress since hiring disaster recovery staff, it still needs to complete and update some plan components, conduct testing, and move forward with plans to conduct critical backups on a daily basis.

Disaster planning started slowly but has made progress—The Department did not effectively address disaster recovery planning for several years. In 2002, the Department purchased a computer software planning system for disaster recovery that has also been used by other state agencies, such as the Department of Administration and the Department of Public Safety, and in 2003 the Department developed a nearly 40-page outline that shows steps for completing the plan. However, according to department officials, turnover in the disaster recovery planning position resulted in only partial progress in entering information into the planning software. More progress came in calendar year 2004 when the Department hired a disaster recovery manager, obtained funding for disaster recovery initiatives, began regular off-site storage of the data it backs up, and obtained access to emergency hot site services. Additionally, according to department officials, it has established a timetable for completing the information in its software planning system. Table 4 (see page 30) shows the status of the Department’s disaster recovery planning activities as of February 2005. As the table shows, the Department has taken action in each of the four major planning areas—mainframe recovery, network recovery, server farm recovery, and facility recovery.

The Department reports that lack of a disaster recovery manager slowed down initial progress that started in 2002.

Department should complete and test its plan—The Department needs to update its planning software to include information on the more recent planning activities undertaken, including the emergency hot site services, new network strategy, and regular data backups. It should also follow through with its timetable to complete the plan so that it includes all of the items shown in Table 4 (see page 30). For example, it should add information to its mainframe and network plans on recovery teams’ tasks and assignments and on vendor assets and supplies. The Department adopted a maintenance plan in May 2005, which sets forth a schedule for updating individual plan components. In addition, the Department needs to determine which mainframe applications are most critical, develop a prioritized list for the sequence of recovering these applications, and add this information to its recovery planning software. The Department should also update its recovery planning software to include information about its plan to have a vendor provide backup resources for its server farm. The Department developed a final test plan prior to its scheduled testing dates at the emergency hot site in June 2005. The Department should ensure that it adds testing plan information to its recovery planning software as part of its ongoing plan maintenance.

Department should conduct daily backups of critical systems—In addition to determining which mainframe systems are most critical and adding this information to the plan, the Department should also begin daily backups of its most critical applications. The Department has begun to take action in this area. For example, the Department used some of its disaster recovery funding to purchase new tape drives, allowing faster backups. The Department reports that it can now back up its systems faster. The Department began daily backups of its most critical mainframe systems in June 2005. In addition to adding this information to its plan, the Department should continue to conduct these daily backups, develop policies related to these backups, and add this information to its planning software.
The Department reports that its new tape drives allow faster backups of mainframe systems.

Table 4: Status of Disaster Recovery Planning Activities as of February 2005

Plan component: Mainframe recovery
Purpose of plan component: Restore and recover hardware and software functions to operate the Department’s mainframe computer.
Actions taken:
• Spring 2004—The Department began to back up mainframe data on a regular basis and store it at a remote site.
• Spring 2004—GITA approved a tri-agency Project Information Justification (PIJ) to allow the Department, the Department of Administration, and the Department of Public Safety to seek funding for disaster recovery initiatives. The Department reports that it subsequently:
  - Obtained 1-year funding for a hot site and scheduled test dates for recovery of mainframe functions at the hot site;
  - Used part of this funding to purchase tape drives for faster backups of mainframe computer data through the year.
• The Department has partially completed its plan. Missing items include:
  - Identification of the Department’s most critical mainframe applications.
  - Tasks and assignments for 6 of its 15 restoration or recovery teams.
  - Documentation of some vendors to supply equipment and for vendor assets and supplies.

Plan component: Network recovery
Purpose of plan component: Restore the network’s capacity to provide division and program connections to the Department’s mainframe computer.
Actions taken:
• Fiscal year 2005—The Department plans to implement a process with a contractor to enable its computer network to be redirected to the emergency hot site.
• The Department has partially completed its plan. Missing items include:
  - Tasks and assignments for 8 of its 15 recovery or restoration teams.
  - Documentation of some vendors to supply equipment and for vendor assets and supplies.

Plan component: Server farm recovery
Purpose of plan component: Restore operations for programs run from a group of department servers at a department data center.
Actions taken:
• The Department reports that it is working with state procurement staff to efficiently obtain vendors to supply backup servers in the event of an emergency.
• The Department has partially completed the plan. Missing items include:
  - Tasks and assignments for 6 of its 58 recovery or restoration teams.
  - Assets, equipment, and supplies lists by vendor.
  - Telecommunication lines and equipment information.

Plan component: Facility¹
Purpose of plan component: Provide for safe evacuation and relocation of staff, assessment of damage, and the cost to restore the facility.
Actions taken:
• DTS’ main facility has an evacuation plan, which has been tested.

¹ Three areas of the Department coordinate facility recovery plans: facilities management in the Division of Budget and Finance, risk management in the Division of Employee Services and Support, and building coordinators for each facility. Local office coordinators, local office managers, or building coordinators are responsible for oversight of staff evacuation.

Source: Auditor General staff compilation of information from the Department’s Living Disaster Recovery Planning System software program, budget reports, interviews with DTS staff, and vendor contracts.

Comprehensive solutions require state-wide planning

According to department officials, current planning activities do not provide comprehensive disaster recovery solutions. For example, the Department estimates that it could take a minimum of 2 weeks to restore mainframe and network services at the current temporary hot site. In the event of an emergency, hot site services are contractually guaranteed by the vendor to be available to the Department for only 6 weeks. The funding and contract for the hot site was initially approved for fiscal year 2005 only. That year, the Legislature approved $742,300 from the State’s Risk Management Fund for the Department’s disaster recovery plan. The Legislature approved additional funding from the same funding source in its fiscal year 2006 budget, although it reduced the amount to $271,500.¹

¹ JLBC’s recommendation stated that the reduced appropriation from the Risk Management Fund for fiscal year 2006 could generate federal matching fund monies and permit total funding of $742,300. However, because the Fund includes federal monies, the Department is working with the State Comptroller’s Office to determine whether and how this can be done while complying with restrictions on federal monies.

State-wide planning may be required to support comprehensive disaster recovery solutions for the Department and other state agencies that maintain critical data. Department officials are currently participating in a state-wide planning group with other agencies, such as the Department of Administration and the Department of Public Safety, to work on long-term disaster recovery solutions. This state-wide planning group, which includes the Governor’s Office, is discussing strategies such as an information systems recovery services site to serve all state agencies. In addition to state-wide planning, these long-term solutions also require the identification of additional funding beyond that which supports temporary hot site services.

Current planning activities do not provide a comprehensive solution.

Recommendations

1. The Department needs to update and complete its disaster recovery planning software. Specifically, it needs to:
   a. Update all components of the plan—mainframe, network, and server farm plans—as needed to include new disaster recovery initiatives, including the emergency hot site, new network strategy, regular data backups, and testing procedures.
   b. Add information to mainframe, network, and server farm plans so that they include detailed tasks and assignments for all recovery teams identified in those plans.
   c. Add information to its mainframe, network, and server farm plans so that they include pertinent vendor information, such as vendor assets and supplies.
   d. Add information to the mainframe plan to identify the most critical mainframe applications, and the priorities and sequence of events necessary to restore these applications.
   e. Add information to its server farm plan to have a vendor provide backup resources for its server farm.

2. The Department should ensure it adds testing plan information to its recovery planning software as part of its ongoing plan maintenance.

3. The Department’s Division of Technology Services should develop policies for critical system backups and add this information to its planning software.

AGENCY RESPONSE

State of Arizona
ARIZONA DEPARTMENT OF ECONOMIC SECURITY
1717 W. Jefferson • P.O. Box 6123 • Phoenix, AZ 85005
Janet Napolitano, Governor
David A. Berns, Director

Ms. Debbie Davenport
Auditor General
Office of the Auditor General
2910 North 44th Street, Suite 410
Phoenix, Arizona 85018

Dear Ms. Davenport:

Thank you for the opportunity to respond to the performance audit and sunset review of information security in the Department of Economic Security. We appreciate the professional approach the auditors took during the course of this review. The purpose of this letter is to forward the Department’s written responses to the preliminary draft report. As you are aware, in 2003, the current DES leadership had identified information security as a potentially vulnerable area and had implemented various improvements. We welcomed the Auditor General’s review as a means to enhance and refine those efforts.
The Department agrees with the findings in the report and has identified and initiated work to implement most of the recommendations by January 2006. Five (5) recommendations that require organizational development and training will be implemented by July 2006. The remaining three (3) actions would require appropriated funding or specific authorization to implement. The Department will continue to review those three recommendations and determine the appropriateness of seeking additional funding.

Sincerely,

David A. Berns

Enclosure

DES Response - Information Security Performance Audit Draft Report Page 1 of 9

FINDING 1 - Controls over data security insufficient

Recommendation: 1. In order to address user account weaknesses, DTS should:
a. Create guidelines requiring periodic reviews of access rights to ensure that users have only the access that they need to perform their jobs.
b. Define who needs security administration privileges, and what kind of authority they need, so that these privileges can be restricted to the minimum levels required for employees to perform their duties.
c. DTS should monitor compliance with new and updated policies addressing account management and access control to ensure that old and unused accounts are properly deleted and account passwords are changed at least every 30 days.

DES Response: 1. The finding of the Auditor General is agreed to and the audit recommendation will be implemented. In November 2003, the Department recognized that its security controls required improvement and began to strengthen the role of this function with a realignment of the Information Security Administration (ISA) within the Division of Technology Services (DTS). This move included the hiring of a new Administrator in July 2004, who is responsible for ensuring that DES is in compliance with acceptable security industry practices. The first step in this process has been to strengthen DTS’ central oversight and establish uniform standards and practices. ISA has already accomplished significant improvement toward this end through review and strengthening of existing, and establishment of new, security policies and procedures. Additional improvements, as recommended by the Auditor General, will also be implemented.
a. Review of user access will be implemented as a part of ISA’s Compliance Review Plan. By August 2005, ISA will complete the access control section of the Compliance Review Plan and will commence quarterly random reviews of user access at that time. These reviews will be done in coordination with the Division/Program Security Representatives. Any inappropriate access discovered will be addressed.
b. In March 2005, DTS completed a review of accounts with security privileges. Unnecessary accounts were changed or deleted as a result of this review. A draft policy, based on industry standards and the concept of “least privilege”, has been completed and is currently under review. This policy specifies the requirements for obtaining security privileges and what restrictions apply. Adoption of this policy will occur in August 2005. The account management section of the Compliance Review Plan, which incorporates review of security privileges, will be completed, and ISA will commence quarterly random reviews of security privileges in August 2005.
c. In March 2005, new policies governing account management and access control were adopted. These policies established rules for reviewing user accounts, including old/unused accounts, accounts with password intervals, and duplicate accounts for an individual. In May 2005, ISA began enforcement of these new policies through monthly reviews and appropriate follow-up actions with the security administrators. By July 2005, ISA will begin publishing a periodic report that describes the results of compliance monitoring and follow-up regarding old and unused accounts.

Recommendation: 2. The Information Security Administration should continue to conduct compliance reviews and assessments, develop a schedule of regular reviews, and establish policies and procedures to document its practices including a follow-up process to ensure divisions comply with recommendations.

DES Response: 2. The finding of the Auditor General is agreed to and the audit recommendation will be implemented. The ISA will continue to conduct periodic compliance reviews to ensure divisions are complying with security policies and procedures. In doing so, ISA will develop a schedule of these reviews and establish policies and procedures on the review process. The Compliance Review Plan, which will address the review schedule and documentation requirements, as well as all security risks not mentioned above, will be completed by October 2005.

Recommendation: 3. In order to increase compliance with security requirements, the Department should:
a. Establish an internal IT audit function.
b. Consider contracting for an independent security assessment.

DES Response: 3. The finding of the Auditor General is agreed to and the audit recommendation will be implemented.
a. In the past, DES had an IT audit function; however, due to budget constraints, the function was eliminated in 1997. The Department is using savings achieved through internal efficiencies to re-establish an IT audit position that will report to the Office of Audit and Management Services. The position will be filled by early 2006.
b. As the Audit Report indicates, an external IT security assessment is estimated to cost several hundred thousand dollars, based on the experiences of the Department of Transportation and the Department of Administration. The Department recognizes the value of such an assessment, but would require additional funding appropriated for that purpose.

Recommendation: 4. In order to ensure that security representatives know their duties and are capable of doing them, DTS should work with security groups to:
a. Adopt a job description with minimum qualifications for security representatives and ensure that only individuals who meet these qualifications are authorized to conduct these duties.
b. Develop a manual regarding the duties of a security representative as a reference source.
c. Ensure that security representatives understand their job duties and receive periodic training.
d. Identify other individuals who perform duties similar to security representatives, specifically those who perform system application (non-mainframe) access right duties, and ensure that they understand their job duties and receive periodic training.

DES Response: 4. The finding of the Auditor General is agreed to and the audit recommendation will be implemented.
a. In June 2005, DTS completed a draft job description that includes minimum qualifications and job duty descriptions for security representatives. These job descriptions apply to all persons who perform these duties, regardless of what job title they are in. Only staff who meet these qualifications will be given the necessary clearance to perform the security analyst functions. The Department will work with the Office of Personnel Management to adopt this job description by December 2005 and to resolve any unexpected personnel issues that may arise as a result of the implementation of these minimum qualifications.
b. By December 2005, DTS, in conjunction with the Department’s security representatives, will develop and implement a manual that defines the duties of a security representative.
c. Upon completion of the revised Data Security Analyst Manual, the Department’s Office of Management Development (OMD) will work with DTS to develop and deliver periodic mandatory training to the security representatives to ensure they understand the security representative job duties and expectations. Training will begin in 2006.
d. Staff who perform non-mainframe security duties will be included as the Department implements the security representative roles and responsibilities. They will also be included in the aforementioned security representative trainings. These staff will also have clear job duty descriptions and expectations.

Recommendation: 5. The Department should ensure that new employees receive the mandatory computer security training.

DES Response: 5. The finding of the Auditor General is agreed to and the audit recommendation will be implemented. By October 2005, all current Department employees will have received the mandatory computer security training. DES is partnering with Arizona Government University to ensure that all training data is tracked. In addition, ISA and OMD are developing a plan to ensure that all new employees receive appropriate mandatory computer security training (DES Basic Security Awareness Training course). This new employee training plan also will be implemented by October 2005.

Recommendation: 6. The Department should determine which positions involve the security and access of sensitive information and therefore merit a background check. It should then request the authority, either through statute or an executive order, to conduct background checks and ensure background checks are conducted on those individuals. The Department should also conduct periodic background checks on long-term employees in accordance with the sensitivity of their position.

DES Response: 6. The finding of the Auditor General is agreed to and the audit recommendation will be implemented. The Department will seek an Executive Order or legislation to require background checks on all current and newly hired employees that are responsible for security duties or have access to sensitive agency-maintained information.
FINDING 2 - Information in local area networks and computers not adequately protected

Recommendation: 1. To ensure that all computers have up-to-date security patches installed, the Department should:
a. Deploy as planned an automated tool that will allow it to centrally control and manage security updates.
b. Periodically monitor to ensure that all computers have critical security updates installed.

DES Response: 1. The finding of the Auditor General is agreed to and the audit recommendation will be implemented.
a. In April 2005, DTS identified an automated tool to centrally control and manage security updates. DTS procured the automated tool in June 2005 and will implement it by January 2006.
b. ISA will include periodic monitoring of the automated tool in the development of its Compliance Review Plan, which will be completed by October 2005.

Recommendation: 2. To better ensure computers are protected from viruses, the Department should:
a. Develop a time frame by which all divisions must install the entity-wide virus protection software the Department has already purchased.
b. Ensure that all computers have the virus protection installed.
c. Monitor to ensure that all department computers regularly receive current updates.

DES Response: 2. The finding of the Auditor General is agreed to and the audit recommendation will be implemented.
a. The Department established December 2005 as the date for all Divisions to have installed the entity-wide virus protection software.
b. DTS will review Division actions in early 2006 to ensure that all Divisions have installed virus protection software.
c. ISA will include periodic monitoring of the existence and regular updating of virus protection software on desktop equipment in the development of its Compliance Review Plan, which will be completed by October 2005.

Recommendation: 3. To better ensure computers are protected from spyware and other forms of malware, the Department should:
a. Ensure that employees and local LAN support units understand the Department’s acceptable use policy.
b. Monitor to ensure that its divisions and employees comply with the policy.

DES Response: 3. The finding of the Auditor General is agreed to and the audit recommendation will be implemented.
a. The department requires all new employees to pass the Basic Security Awareness Training course and also requires all employees (including LAN support staff) to take a Security Awareness Refresher Course annually. Both courses include information on the acceptable use policy, employees’ responsibilities under this policy, and the potential consequences for violations of the policy, which include personnel actions up to and including termination. The LAN support staff will receive not only the above training but also additional training on the application of this policy as part of the minimum required training for LAN support staff that will be established by March 2006. See the Department’s response to Finding 2, Recommendation 4.
b. ISA will include periodic monitoring of user compliance with this policy in the development of its Compliance Review Plan, which will be completed by October 2005.

Recommendation: 4. The Department should review the training practices of the local LAN support units and establish training requirements sufficient to ensure that LAN staff have and maintain adequate skill levels.

DES Response: 4. The finding of the Auditor General is agreed to and the audit recommendation will be implemented. The Department will:
• By early 2006, establish and fill an internal IT audit function within the DES Office of Audit and Management Services. (See the Department’s response to Finding 1, recommendation 3.a.) This audit function will be charged with, among other things, reviewing the training practices of local LAN support units and recommending training requirements sufficient to ensure that LAN staff have and maintain adequate skill levels.
• By March 2006, establish minimum initial and ongoing training requirements for all LAN support staff, based on input from the DES internal IT auditor, IT and Information Security personnel, and staff of OMD.
• By March 2006, require the re-established IT audit function to monitor for adherence to the new Department IT Standard for LAN training requirements as part of its IT audit work plan.

FINDING 3 - The Department could improve its management of computer program changes

Recommendation: 1. DTS should standardize its program change process throughout programming teams by completing its current efforts to develop a documented system development methodology and program change policy and then applying the new practices to all project teams, to the extent possible.

DES Response: 1. The finding of the Auditor General is agreed to and the audit recommendation will be implemented. By December 2005, DTS will complete the development and implementation of the system development methodology and will apply the new practices to all project teams, to the extent appropriate.

Recommendation: 2. DTS should improve its testing of program changes by:
a. Continuing its efforts to implement an automated testing tool.
b. Ensuring that testers receive adequate training to use the new tool.
c. Using the tool as frequently as possible, in accordance with the nature of the program change.

DES Response: 2. The finding of the Auditor General is agreed to and the audit recommendation will be implemented.
a. In May 2005, DTS acquired a suite of automated testing tools. This software will be installed in July 2005 and will be used for testing new and modified programs on mainframe, internet, and server-based platforms.
b. By July 2005, 25 Department staff will have attended a five-day, vendor-provided training. The training will cover all aspects of the five different tools that are part of the suite. The 25 trainees include many program staff as well as the entire DTS Quality Assurance staff.
c. Beginning in July 2005, following completion of the vendor training, program staff will begin use of the suite of tools to develop and execute test scripts to evaluate program changes and to track results.

FINDING 4 - Department has made progress in disaster recovery planning

Recommendation: 1. The Department needs to update and complete its disaster recovery planning software. Specifically, it needs to:
a. Update all components of the plan—mainframe, network, and server farm plans—as needed to include new disaster recovery initiatives including the emergency hot site, new network strategy, regular data backups, and testing procedures.
b. Add information to mainframe, network, and server farm plans so that they include detailed tasks and assignments for all recovery teams identified in those plans.
c. Add information to its mainframe, network, and server farm plans so that they include pertinent vendor information, such as vendor assets and supplies.
d. Add information to the mainframe plan to identify the most critical mainframe applications, and the priorities and sequence of events necessary to restore these applications.
e. Add information to its server farm plan to have a vendor provide backup resources for its server farm.

DES Response: 1. The finding of the Auditor General is agreed to and the audit recommendation will be implemented.
a. As new disaster recovery initiatives are implemented by the Department, the disaster recovery plans will be adjusted to include the updated recovery information. For example, in June 2005 DTS initiated daily off-site back-up tape storage, use of the IBM hot site for testing purposes, and the first phase of the DES Disaster Recovery (DR) test plan. The DES DR Plan, including the mainframe, network, and server farm components, will be updated to reflect these changes by September 2005.
b. In May 2005, the Department implemented a maintenance plan, which is designed to ensure that all recovery plan owners review and update the plans on a regular basis. The Disaster Recovery Manager is responsible for monitoring the compliance with the maintenance plan. By December 2005, all three DR plans will have been updated with detailed tasks and assignments for the recovery teams identified in those plans.
c. The maintenance plan adopted in May 2005 also requires that all vendor data be reviewed by recovery plan owners per the maintenance plan review schedule. In plans that have no vendor dependence for supplies or information, an annotation of “Not Applicable” will be added by the appropriate plan owners at the next scheduled review. By December 2005, all three DR plans will have been updated with vendor information, such as vendor assets and supplies.
d. The Disaster Recovery Manager will work with other key staff throughout the Department to identify the most critical applications and prioritize their recovery in the event of a disaster. By January 2006, the resulting information will be added to the mainframe recovery plan.
e. The Department’s disaster recovery appropriation was reduced for fiscal year 2006, which was established to address mainframe recovery services and faster tape drives for performing backups. There were no appropriated funds earmarked for server farm backup resources. As a result, the Department will be requesting additional funds this summer in the fiscal year 2007 budget to fully address the mainframe and server farm backup resources. In the meantime, the Department will update its server farm plan to note that vendor-provided backup resources will be needed.

Recommendation: 2. The Department should ensure it adds testing plan information to its recovery planning software as part of its ongoing plan maintenance.

DES Response: 2. The finding of the Auditor General is agreed to and the audit recommendation will be implemented. The Disaster Recovery Manager is responsible for ensuring that test plan information is added to its recovery planning software as part of the Department’s ongoing plan maintenance. The Department created its initial test protocol in May 2005 and executed that protocol in June 2005. The next test under the current contract is scheduled for August 2005. The test plan will be updated within the recovery planning software at that time.

Recommendation: 3. The Department’s Division of Technology Services should develop policies for critical system backups and add this information to its planning software.

DES Response: 3. The finding of the Auditor General is agreed to and the audit recommendation will be implemented. In June 2005, the Division of Technology Services implemented a process to create daily incremental backups of critical mainframe systems. Those tapes are created and sent off site on a nightly basis. By October 2005, the documentation of that process will be included in the Department’s disaster recovery planning software.
Performance Audit Division reports issued within the last 24 months

03-05 Department of Economic Security—Child Protective Services—Foster Care Placement Stability and Foster Parent Communication
03-06 Arizona Board of Appraisal
03-07 Arizona Board for Charter Schools
03-08 Arizona Department of Commerce
03-09 Department of Economic Security—Division of Children, Youth and Families, Child Protective Services—Caseloads and Training
04-L1 Letter Report—Arizona Board of Medical Examiners
04-L2 Letter Report—Gila County Transportation Excise Tax
04-01 Arizona Tourism and Sports Authority
04-02 Department of Economic Security—Welfare Programs
04-03 Behavioral Health Services’ HB2003 Funding for Adults with Serious Mental Illness
04-04 Department of Emergency and Military Affairs and State Emergency Council
04-05 Department of Environmental Quality—Water Quality Division
04-06 Department of Environmental Quality—Waste Programs Division
04-07 Department of Environmental Quality—Air Quality Division
04-08 Department of Environmental Quality—Sunset Factors
04-09 Arizona Department of Transportation, Motor Vehicle Division—State Revenue Collection Functions
04-10 Arizona Department of Transportation, Motor Vehicle Division—Information Security and E-government Services
04-11 Arizona Department of Transportation, Motor Vehicle Division—Sunset Factors
04-12 Board of Examiners of Nursing Care Institution Administrators and Assisted Living Facility Managers
05-L1 Letter Report—Department of Health Services—Ultrasound Reviews
05-01 Department of Economic Security—Unemployment Insurance
05-02 Department of Administration—Financial Services Division
05-03 Government Information Technology Agency (GITA) & Information Technology Authorization Committee (ITAC)

Future Performance Audit Division reports

Department of Economic Security—Service Integration
Department of Revenue—Business Reengineering/Integrated Tax System (BRITS)
