REPORT Bill Bradbury, Secretary of State Cathy Pollino, Director, Audits Division

Similar documents
STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY

Postal Inspection Service Mail Covers Program

REPORT 2015/149 INTERNAL AUDIT DIVISION

REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009

REPORT 2015/010 INTERNAL AUDIT DIVISION

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014

REPORT 2015/186 INTERNAL AUDIT DIVISION

79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Senate Bill 90

UNIVERSITY OF NORTH CAROLINA CHARLOTTE

Department of Public Safety and Correctional Services Information Technology and Communications Division

4.2 Electronic Mail Policy

Office of MN.IT Services Data Centers

STATE OF NORTH CAROLINA

UNIVERSITY OF NORTH CAROLINA CHAPEL HILL

Information Technology General Control Review

Kentucky IT Consolidation

TEL2813/IS2820 Security Management

The Office of Infrastructure Protection

Texas A&M University: Learning Management System General & Application Controls Review

Statewide Information Technology Contingency Planning

Judiciary Judicial Information Systems

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

NORTH CAROLINA NC MRITE. Nominating Category: Enterprise IT Management Initiatives

Subject: University Information Technology Resource Security Policy: OUTDATED

FOLLOW-UP REPORT Industrial Control Systems Audit

INTERNAL AUDIT DIVISION REPORT 2017/138

National Policy and Guiding Principles

Cybersecurity & Privacy Enhancements

Figure 1: Summary Status of Actions Recommended in June 2016 Committee Report. Status of Actions Recommended # of Actions Recommended

Security Management Models And Practices Feb 5, 2008

Judiciary Judicial Information Systems

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

University of Wyoming Mobile Communication Device Policy Effective January 1, 2013

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets.

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

Public Safety Canada. Audit of the Business Continuity Planning Program

Use of Mobile Devices on Voice and Data Networks Policy

CITY OF MONTEBELLO SYSTEMS MANAGER

NATIONAL GUIDELINES ON CLOUD COMPUTING FOR GOVERNMENT, MINISTRIES, DEPARTMENTS AND AGENCIES

Government Resolution No of February 15, Resolution: Advancing National Regulation and Governmental Leadership in Cyber Security

SPRING-FORD AREA SCHOOL DISTRICT

Cyber Security Program

Information Security Strategy

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

Information Security Continuous Monitoring (ISCM) Program Evaluation

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Forensic Division Has Taken Appropriate Steps to Address Oregon s Sexual Assault Kit Testing Backlog

Resolution adopted by the General Assembly. [on the report of the Fifth Committee (A/61/592/Add.4)]

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

Wireless Services Allowance Procedure

Number: USF System Emergency Management Responsible Office: Administrative Services

Management s Response to the Auditor General s Review of Management and Oversight of the Integrated Business Management System (IBMS)

Global Security Consulting Services, compliancy and risk asessment services

SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Subject: Audit Report 18-84, IT Disaster Recovery, California State University, Sacramento

Mitigation Framework Leadership Group (MitFLG) Charter DRAFT

STATE OF NORTH CAROLINA

Criminal Case Information System for Public Defenders [Section 18B.10 of S. L , as amended by Section 18A.2 of S.L.

STATE OF NORTH CAROLINA

NASA Policy Directive

SECTION 10 CONTRACTING FOR PROFESSIONAL SERVICES CONSULTANT COMPETITIVE NEGOTIATION ACT (CCNA)

Cell and PDAs Policy

VII. GUIDE TO AGENCY PROGRAMS

INTERNAL AUDIT DIVISION REPORT 2017/037

MMARS Financial, Labor Cost Management (LCM) and Commonwealth Information Warehouse (CIW) Reports

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

CONNECT TRANSIT CARD Pilot Program - Privacy Policy Effective Date: April 18, 2014

CCISO Blueprint v1. EC-Council

Exploring the Maturity of Risk Management Process in Government: An Integrated ERM Model at the U.S. Department of Education

MNsure Privacy Program Strategic Plan FY

CABINET PLANNING SYSTEM PROCUREMENT

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.

KENYA SCHOOL OF GOVERNMENT EMPLOYMENT OPORTUNITY (EXTERNAL ADVERTISEMENT)

Marshall University Information Technology Council. Procedure ITP-16 IT INFRASTRUCTURE AUTHORIZATION PROCEDURE

Cell Phone Policy. 1. Purpose: Establish a policy for cell phone use and compensation allowance.

Provider Monitoring Process

DHS Overview of Sustainability and Environmental Programs. Dr. Teresa R. Pohlman Executive Director, Sustainability and Environmental Programs

DEPARTMENT OF HEALTH and HUMAN SERVICES. HANDBOOK for

INFORMATION ASSURANCE DIRECTORATE

Information Technology Audit

manner. IOPA conducts its reviews in conformance with Government Auditing Standards issued by the Comptroller General of the United States.

Cellular Phone Usage and Administration

SUBJECT: Cellular Phone Policy Effective Date: 7/1/2010. Department: Information Technology Policy No.: IT-1002

Standard for Security of Information Technology Resources

I n f o r m a t i o n S y s t e m s C y b e r s e c u r i t y A s s e s s m e n t

Global Statement of Business Continuity

STATE OF NEW JERSEY IT CIRCULAR

Inspector General. Report on the Peace Corps Information Security Program. Peace Corps Office of. Background FISCAL YEAR 2017

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

SECURITY CODE. Responsible Care. American Chemistry Council. 7 April 2011

Table of Contents. Sample

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

UAE National Space Policy Agenda Item 11; LSC April By: Space Policy and Regulations Directory

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

KSU Policy Category: Information Technology Page 1 of 5

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Overview. Business value

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

Transcription:

Secretary of State Report No. 2003-20 June 3, 2003 AUDIT Department of Administrative Services Information Resources Management Division Follow Up REPORT Bill Bradbury, Secretary of State Cathy Pollino, Director, Audits Division Summary PURPOSE The purpose of this audit was to determine whether the Department of Administrative Services data archive center had been meeting its primary business objective and to follow up on the status of prior audit findings included in our August 2001, audit report Department of Administrative Services: Information Resources Management Division Review (Report No. 2001-33). RESULTS IN BRIEF The Department of Administrative Services computer archive center was not meeting its primary business objective of providing a significant off-site computer data backup and storage solution for the state s computer systems. This large investment needs to be reevaluated. In following up on prior audit recommendation, we found that the department: Had made significant improvements to its strategic planning process. Had not yet developed or adopted statewide rules, policies, procedures and guidelines governing the state s use of Information Technology (IT) as directed by statute. Had not adopted industry standard System Development Life Cycle (SDLC) methodologies to reduce its system development risks. Needed to improve its rate setting process to ensure that its charges to other state agencies provide equitable and accurate cost allocation and recovery. RECOMMENDATIONS We recommend that the department: Reevaluate its use of the computer data archive center. If the current enterprise solution is preferred and necessary, according to statewide need, the department should upgrade the facility to accommodate the need. Develop and adopt statewide IT standards, policies, procedures and guidelines to plan for, acquire, implement and manage the state s IT resources and utilize the Information Resources Management Council as directed by statute. Adopt agency-wide comprehensive SDLC methodologies to better manage and control all phases and aspects of IT system development. Work with the Attorney General to recover the remaining $70,000 that the department paid to a contractor in error. Further review and revise its rate setting models and cost accounting to ensure that the resulting rates conform to Office of Management and Budget (OMB) A-87 requirements. AGENCY S RESPONSE The Department of Administrative Services generally agrees with the overall findings noted in the audit. Background The Department of Administrative Services (department) is the central administrative agency of state government. The department works in partnership with state agencies to put programs, policies, and systems in place and provide centralized services. Oregon Revised Statutes indicate that the department will play a pivotal role in shaping the way that Oregon state government uses information technology. Statutes require the department to ensure that resources fit together in a statewide system capable of providing ready access to information, computing and telecommunication resources. Further, statutes specifically direct the department to develop and adopt statewide rules, policies, procedures, standards, and guidelines so that state agencies will plan, acquire, implement and manage the state's information resources. The department's Information Resources Management Division is responsible for providing centralized information technology support and services. The division's responsibilities include: Developing and implementing statewide information technology standards and protocols; Managing the state's voice, video and data networks;

Operating the General Government Data Center; Planning, developing and managing enterprise databases and applications; Reviewing agency technology activities and plans; Providing system development consulting and programming services to state agencies; and Delivering technical training to state agencies and organizations. Audit Results The Department s Archive Center Has Not Satisfied Its Primary Business Objective The Eugene D. Timms and Jeannette K. Hamby Computer Archive Center is located in Burns, Oregon. The center was created to provide off-site computer data backup and storage for the state s computer systems. One of our audit objectives was to determine whether the department s data archive center was meeting its intended business objective. We concluded that the center has not been satisfying its primary business objective of providing a significant off-site computer data backup and storage solution for the state s computer systems. Since it began operations in February 1999, the center has not been widely used. As of February 2003, the center s primary customer was the department itself, who used the center to backup data from its Open Systems unit. One of the primary justifications for locating the archive center in such a remote location was that the center would be in a geographically stable environment, and would unlikely be affected by a catastrophic local event. The vast majority, however, of the state s critical systems that would potentially need that level of service do not utilize the center to backup or archive their data, including the mission critical systems operated by the department itself. In February 2002, one of the center s largest users, the Oregon Department of Transportation (ODOT), discontinued sending data to the center. ODOT personnel cited cost and technical limitations imposed by the data center in its justification for developing its own automated back-up solution. Costs associated with providing data backup and storage services at such a remote site factored into the center s limited success. To operate such a facility remotely requires significant resources that would not be required if the function was performed locally. For example, during fiscal year 2002 the department indicated it spent approximately $245,000 for its fiber optic connection to the center. The department indicated that total operating costs for that same period, including the above data transmission costs, totaled approximately $607,000. In addition, the center s equipment and software could only handle certain types of data. Data from mainframe computers, AS400 computers and e-mail systems could not be backed up using the center s software. This factor alone severely limited the archive center s usefulness as a preferred provider of data backup and archive services. Furthermore, the center s software did not allow the department to effectively manage the data stored at the site. Decisions to invest in enterprise technology solutions, such as the archive center, should be congruent with both long-term and short-term enterprise strategic plans. As we will discuss later in this report, the department has not provided significant enterprise wide guidance or direction regarding data backup, archiving, or restoration of IT systems in the event of a major disruption or disaster. Thus, use of the department s enterprise solution for these functions was optional. Finally, we concluded that the department built the archive center for agencies that were not in the ma rket for those specific services, and which they could not effectively use. We recommend that the department reevaluate its use of the data archive center in light of the state s current data back-up, archiving, and recovery needs. Management should reevaluate the need for the center and for providing an enterprise solution. If the current enterprise solution is preferred and necessary, according to statewide need, the department should upgrade the facility to accommodate the need. We agree with the need to examine the use of the Data Archive Center. We are in the process of assessing the financial and usability aspects of the services we provide through the Center. We are also exploring with local governments other possible uses for the facility. Statewide Governance of Information Technology Resources Continues to Need Improvement During our previous audit, we identified several issues relating to the department s responsibility to provide and ensure effective statewide governance of Information Technology (IT) resources. Generally, we concluded that the department had not effectively managed the strategic planning process relating to IT resources nor had it provided adequate statewide policies, procedures, standards or guidelines to govern the use of those resources. To specifically address these issues we recommended that the department consider and implement the following: Develop a strategic plan as defined in the Governor s 2

Executive order 98-05 and develop more effective strategic planning methodologies and exercise more affirmative control over the strategic planning process. Fully comply with statutes ORS 291.038 requiring it to adopt by rule policies, procedures, standards and guidelines to plan for, acquire, implement and manage the state s information resources. Those policies, procedures, standards, and guidelines should be based on generally applicable and accepted control standards for information technology. Implement procedures to monitor state agencies compliance with statewide IT policies and procedures. Utilize the Information Resources Management Council as directed by ORS 291.038. During our current audit we evaluated the status of the above recommendations. We concluded that the department: Developed a new enterprise-wide strategic plan that it adopted in August 2002. This plan provided significantly better guidance than its predecessor. Revised its statewide policies in October 2001. Those revisions, however, did not address the concerns raised during the prior audit. The state continues to lack uniform policies, procedures and standards addressing its most significant risks including security, system development, and disaster recovery/business continuity. Has not implemented procedures for ensuring that other state agencies comply with its IT policies and procedures. Did not reconstitute the Information Resources Management Council as directed by ORS 291.038. Enterprise level oversight of IT resources is essential because of the state s increasing dependence on technology as well as the increasing risk of threats to IT assets. In addition, the complexity and cost of information technology investments punctuate the need for statewide control, coordination, and integration of IT resources. Although the department is not directly responsible for managing other agencies resources, it is responsible for ensuring that those resources are appropriately managed and controlled. The absence of enterprise-wide IT policies and procedures increases the risk that state agencies will not act as an enterprise or provide the necessary level of control to safeguard its other members. During our various audits of state agencies IT systems and controls, we have noted, with few exceptions, the absence of critical agency-level policies and procedures to govern security, system development and disaster recovery processes. We concluded that without centralized guidance and control of the state s IT resources, it is less likely that state agencies would independently develop an appropriate framework of controls over their IT systems. We recommend that the department comply with the statute requiring it to develop and adopt by rule policies, procedures, standards and guidelines to plan for, acquire, implement and manage the state s information resources. Those policies, procedures, standards, and guidelines should be based on generally applicable and accepted control standards for information technology. In addition, the department should implement procedures to monitor state agencies compliance with the above policies, procedures, standards, and guidelines. We also recommend that the department utilize the Information Resources Management Council as directed by ORS 291.038. We recognize the need to strengthen policies, procedures, controls and guidance of state government relating to the management of information technology. We are making progress by formulating a new statewide technology policy and we continue, in collaboration with agencies, to set statewide technology standards. In addition, we are taking steps to reestablish the Information Resources Management Council. SDLC Methodologies to Improve Control of System Development Have Not Been Adopted During our prior audit, we concluded that the Information Resources Management Division did not have a comprehensive System Development Life Cycle (SDLC) methodology to manage its own information system development. In addition, it did not have project management policies and procedures and it did not ensure that contracting issues were appropriately addressed. To mitigate these risks, we made the following recommendations: Adopt an agency-wide comprehensive SDLC methodology to include specific policies and procedures to govern all aspects and phases of the system development life cycle. This SDLC was to include a project management framework to ensure all IT projects are consistently and effectively managed. Recover specific payments made in error to a contractor totaling $124,616. During our current audit, we evaluated the status of these recommendations and concluded that the department: 3

Has not completed and implemented SDLC methodologies to govern its information technology projects. Although the department made progress in this area, it had not yet completed or implemented policies and procedures to better control system development projects. Did not recover $70,000 of the $124,616 paid in error. This amount included duplicate and erroneous payments that the department made to the contractor. Based on the above, we concluded that the department has not adequately reduced its system development risks by adopting comprehensive system development life cycle methodologies. Many potential risks arise when computer-based systems are developed without adequate SDLC methodologies. The most serious risk is that the completed system may not meet the users business needs, user requirements, and expectations. Another significant risk is that the project may be delayed or cost more than anticipated. Although following an SDLC methodology reduces many of these risks, it does not provide absolute assurance that projects will be successfully completed. In our prior audit report, we provided an example of a project that had realized risks associated with developing IT systems without appropriate SDLC methodologies. For that project, the department contracted to build a system to manage the state s telephone networks. When we released our prior audit report, this project had been significantly delayed and segments of the planned work had already been suspended. Project costs through mid -February 2001 totaled approximately $4.8 million. Subsequent to that report, the department spent an estimated additional $3.6 million before releasing the contractor and halting the project. After the above project was abandoned, the department determined that an off-the-shelf solution would satisfy their business needs. The department, however, also stopped that project after spending an approximate additional $80,000. At the time of this audit, the department continued to seek a more viable software solution to manage its telephone networks. We again recommend that the department adopt an agency-wide comprehensive SDLC methodology to include specific policies and procedures to govern all aspects and phases of the system development life cycle. Those policies and procedures should incorporate a project management framework to ensure that all IT projects are consistently and effectively managed. We also recommend that department management work with the Attorney General to recover the remaining $70,000 that it paid in error. The SDLC and Project Management Methodologies are currently in place for ongoing IRMD Systems Development projects and we are taking the necessary steps to formally adopt those procedures. However, you have not reported that we have taken significant steps to improve our Systems Development Life Cycle (SDLC) methodologies and the controls of system development. Your report referenced a project IRMD stopped in early 2001. Since that time, IRMD implemented a Project Management Office (PMO). The PMO has developed a Project Management Methodology (framework) that is consistent with the Project Management Institute s Guide to the Project Management Body of Knowledge and the International Organization for Standardization Q10006-1997 standard. PMO trained and certified project managers are assigned to internal DAS IRMD systems development projects. The Systems Development and Consulting Section of IRMD has developed and implemented a clearly defined SDLC. This methodology has been shared with the PMO and has been used on projects initiated since the example you ve listed. Methods For Recovering Information Resources Management Division Costs Should Be Improved During our prior audit, we further concluded that the department s rate setting methodology for the Information Resources Management Division (division) did not provide a reasonable basis for cost allocation and recovery. As a result, the department overcharged some of its customers while undercharging others. To improve the rate setting model for the division we recommended the following: Consider beginning retained earnings and planned future costs when setting rates. Ensure that all units properly apply the approved rate setting methodology. Regularly review rates to ensure they remain valid and provide a mechanism for timely adjustment of rates should it become necessary. Discontinue volume discounts for services. During our current audit, we evaluated the status of these recommendations and concluded that: The division s current rate setting models did not appropriately consider beginning retained earnings and planned future costs. 4

The division abandoned its division-wide rate setting model. Management did not regularly review rates to ensure that they remained valid. Volume discounts were discontinued as recommended. While evaluating the rate setting structure for the division, we also noted that five of the seven sections in the division did not have adequate cost information to support equitable and reasonable rate setting. Based on the above audit results, we concluded that the department s rate setting and business processes need further improvement in order to ensure accurate and equitable cost allocation and recovery occurs for the division. In addition, we concluded that weaknesses in the proposed rate setting for the 2003-2005 biennium were consistent with the findings from our August 2001 report. As a result of weaknesses in the department s rate setting methodology and processes for the division, not all users of services were billed for the services they used. For example, various Open Systems clients were not charged for backup services provided at the Archive Center. Thus, clients representing approximately 55 percent of the Archive Center s monthly usage paid 100 percent of the costs that were recovered during calendar year 2002. Because the Archive Center provided services for federally funded state agencies, the above inequity did not conform with the Office of Management and Budget s (OMB) circular A87 cost principles. One federally funded client, the Oregon Employment Department, was billed approximately $163,000 for Archive Center services during calendar year 2002. If it had paid its pro-rata share of recovered costs, it would have paid approximately $89,000. Department personnel also acknowledged that the Enterprise Network Services section charged full cost for only 55 of the 536 agency s sites connected to its State of Oregon Enterprise Network (SOEN). Thus, approximately 90 percent of that population of users was not charged for the services they received. We recommend that the department further review and revise its rate setting models for the division to ensure that it equitably and accurately recover the costs associated with the services provided. In addition, the department should improve cost accounting methods to provide better rate-setting information. Furthermo re, the department should correct billings for Archive Center and SOEN services to ensure that they conform to OMB A87 requirements. We are pursing closure to the over-billing issues with the Network Management Control Center, in consultation with the Department of Justice. We agree with the recommendation to review and revise the rate-setting model within IRMD. However, in a majority of the sections, there are adequate rate setting methodologies that include documentation and also include a reasonable basis for cost allocation and recovery. To ensure the rate setting methodology is applied correctly across all sections, internal IRMD finance staff and Office of Business Administration (OBA) finance staff will work to develop the rates (including an ongoing review process and rate recovery analysis) in conjunction with section staff. Objectives, Scope and Methodology The objectives of this audit were to determine whether the data archive center was meeting its intended business objective and to follow-up on the status of agency efforts to resolve audit findings from our previous audit report. That report, Department of Administrative Services: Information Resources Management Division Review (Report No. 2001-33) was issued in August 2001. Our audit work included inquires of department personnel and examinations of agency records. Specifically, we reviewed the department's policies and procedures, the State of Oregon Enterprise Information Resources Management Strategy, agency accounting records, and the division's rate setting process and supporting documents. We also evaluated the department s compliance with applicable laws, rules, and regulations pertaining to our audit objectives. We performed our fieldwork between January 2003 and April 2003. We used the Information Systems Audit and Control Foundation s Control Objectives for Information and Related Technology (COBIT TM ) to identify generally accepted and applicable control objectives and practices for information systems. We conducted our audit according to generally accepted government auditing standards. 5

This report, which is a public record, is intended to promote the best possible management of public resources. Copies may be obtained by mail at Oregon Audits Division, Public Service Building, Salem, Oregon 97310, by phone at 503-986-2255 and 800-336-8218 (hotline), or internet at Audits.Hotline@state.or.us and http://www.sos.state.or.us/audits/audithp.htm. AUDIT ADMINISTRATOR: Neal E. Weatherspoon, CISA, CPA AUDIT STAFF: Mark A. Winter, CISA, CPA Stanley Y. Mar, CISA, CPA Jamie N. Ralls DEPUTY DIRECTOR: Charles A. Hibner, CPA The courtesies and cooperation extended by the officials and staff of the Department of Administrative Services were commendable and much appreciated. Auditing to Protect the Public Interest and Improve Oregon Government 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback