General Information System Controls Review
ECHO Application Software used by the Human Services Department, Broward Addiction Recovery Division (BARC)
March 11, 2010
Report No. 10-08
Office of the County Auditor
Evan A. Lukic, CPA, County Auditor

Executive Summary

This report provides the results of our review of general information system (IS) controls over the ECHO application software used by the Human Services Department's (HS) Broward Addiction Recovery Division (BARC). General IS controls are the structure, policies and procedures that apply to an entity's overall computer operations and help ensure their proper operation. Accordingly, our objective was to evaluate general IS controls over the integrity, confidentiality, and availability of the ECHO system and the data maintained in ECHO.

We identified the following general IS control weaknesses:

1. User access accounts are not maintained in accordance with established HS security policies and best practices for a secure environment. Access controls help ensure that computer resources, such as the ECHO system, are protected from unauthorized changes, loss, disclosure or impairment.
2. Automated password control features of the ECHO software were not implemented to enforce the criteria set forth in the HS IT Security Policy. Password controls are essential to access controls, which help promote user accountability, data integrity and confidentiality.
3. System administrator access is not appropriately restricted to promote system and data integrity. Inadequate separation of incompatible duties increases the risk of compromised system and data integrity.
4. Backup resources to support and maintain ECHO have not been established, increasing the risk of system unavailability.
5. A maintenance agreement is not in place to ensure continued availability of vendor support for the ECHO software.

To improve controls over system and data integrity, confidentiality, and availability, we have included specific recommendations to address the control weaknesses identified above.
Background

Established in 1973, the BARC Division of the Human Services Department provides medical and clinical treatment, substance abuse and nutrition education, and support services to Broward County residents and homeless individuals who are chemically dependent and 18 years or older. BARC acquired and implemented ECHO software in 2003 at a cost of $461,482 to automate, track and manage operations. BARC utilizes two ECHO software modules, Clinician Desktop (CDT) and Revenue Manager (RM), for scheduling, tracking, reporting, and management of client demographic and clinical records, authorizations, assessments, treatment plans and outcomes, and billing. ECHO also facilitates electronic submission of activity reports to the Department of Children and Families to obtain reimbursement for eligible services.

ECHO was developed and is supported by the vendor, The ECHO Group, at an annual maintenance cost of $40,628. Maintenance includes upgrades, problem resolution and other support services. Customization and modification services are available from The ECHO Group for additional fees.

One BARC staff member is responsible for supporting 155 ECHO users (80% of BARC staff). This individual is also the administrator for security, the underlying database, and the operating system. Over the past two years Human Services and BARC have undergone several organizational changes, which have affected staffing of HS Information Technology (IT) roles. During our review, HS IT staff and services were in the process of combining with the County's Enterprise Technology Services Division.

Objectives, Scope and Procedures

General information system (IS) controls are the policies and procedures that apply to an entity's information systems and help ensure their proper operation. Effective general IS controls help safeguard data, protect software programs, prevent unauthorized access, and ensure continued computer operations in case of unexpected interruptions. [1] Accordingly, our objective was to evaluate general IS controls over the integrity, confidentiality, and availability of the ECHO system and the data maintained in ECHO.

To accomplish our objective, we:
- Reviewed applicable HS policies, procedures and forms.
- Interviewed BARC staff responsible for information system technology.
- Reviewed internal controls over system access, including system roles, user accounts, and security configuration settings.
- Reviewed management processes for the support and maintenance of ECHO and the underlying database (SQL).
- Observed management processes to evaluate compliance with documented policies, procedures, and controls for system access, use, support, maintenance and processing.

[1] Federal Information System Controls Audit Manual: Volume I, Financial Statement Audits. United States Government Accountability Office, GAO/AIMD-12.19.6, January 1999.

In the performance of our review, we referenced criteria from Control Objectives for Information and related Technology (COBIT), published by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). COBIT provides generally applicable and accepted measures, indicators, processes and best practices to assist organizations in the sound use and management of information technology.

Findings and Recommendations

Finding 1: User access accounts are not maintained in accordance with established HS security policies and best practices for a secure environment.

Access controls should provide reasonable assurance that computer resources, such as the ECHO system, are protected from unauthorized changes, loss, disclosure or impairment. Inadequate access controls diminish the reliability of data and increase the risk of destruction or inappropriate disclosure of data. Although the Human Services IT Security Policy includes criteria for creating and maintaining user IDs and profiles, the stated policy is not being effectively followed. Our review of internal controls over access to ECHO revealed the following:
- A periodic and comprehensive review of ECHO access accounts has not been performed to ensure the continued effectiveness of account restrictions. In reviewing the 160 ECHO user accounts in conjunction with HS IT staff, HS IT staff identified 16 accounts which required removal of some or all of the user's access due to changes in employee status.
- User accounts were created without evidence of a request form and/or proper authorization for access. In our review of twenty user accounts added since January 2008, only 8 out of 20 user accounts were supported by a user access form. Further, only 2 out of the 8 user access forms were properly authorized by a supervisor.

Best practices [2] for user account management suggest that the following processes be established for effective internal controls over access to systems:
- Periodic management review of all accounts and related privileges to ensure removal or reallocation of system rights upon a change in employee status.
- Formal user account management procedures for requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges (profiles).
- An approval procedure which outlines the data or system owner's responsibilities for granting access privileges. These procedures should apply to all users, including administrators (privileged users) and internal and external users, for normal and emergency cases.
- User acknowledgement of rights and obligations relative to access.

[2] Control Objectives for Information and related Technology (COBIT) 4.1, Deliver and Support, section 5.4.

Recommendation: To ensure effective access security controls, we recommend the Board of County Commissioners direct the County Administrator, within ninety days, to:
1. Comply with the HS security policy and best practices for access controls by implementing the following controls:
   - Requiring completed, authorized access request forms prior to granting or modifying access to ECHO.
   - Timely action on requested changes to users' access: new, expand, reduce, suspend and revoke.
   - Retention of access authorization forms to enable periodic review of ECHO accounts for compliance with HS-authorized access permissions.
   - Automated account lock-out features for dormant accounts (e.g., accounts that have not logged in after a specified period of time).
2. Revise the existing user access procedures to define management's responsibility for requesting, approving and granting access to ECHO for all classes of users.

Finding 2: Automated password control features of the ECHO software were not implemented to enforce criteria set forth in the HS IT Security Policy.

User IDs in conjunction with corresponding passwords are a fundamental control over access to systems. Effective access controls help promote user accountability, data integrity and confidentiality. To ensure effective access controls, best practices recommend that organizations establish a password policy. The HS IT Security Policy establishes the following password criteria, which meet suggested best practices for a secure environment:
- May not contain any part of the user's account name.
- Must be at least 8 alphanumeric characters long.
- Only 5 failed attempts will be allowed before the account is locked.
- A user will not be allowed to reuse a password for 15 consecutive change cycles.

While ECHO access requires a valid account and corresponding password, ECHO does not automatically enforce the password criteria from the HS IT Security Policy. HS staff report that password security features are available, but they were not configured during ECHO implementation.

Since the stated password criteria are not being enforced, either manually or automatically, the effectiveness of access controls is diminished.

Recommendation:
3. To ensure effective access control over user accountability, data integrity and confidentiality, we recommend the Board of County Commissioners direct the County Administrator to evaluate and report on the feasibility of implementing automated password control features for the ECHO application, within ninety days of adoption.

Finding 3: System administrator access is not appropriately restricted to promote system and data integrity.

According to best practices for internal controls over systems, work responsibilities should be separated so that one individual does not control all stages of a critical process. For example, the ability to maintain or update software and databases should not be paired with access to the application or the ability to administer application security. Inadequate separation of incompatible duties gives the administrator the access needed to perform and conceal improper activities.

As the sole IT staff for ECHO support, the IT Manager is responsible for system maintenance, processing, user support, and security administration. Upon review of ECHO account privileges, we found that the IT Manager had unmonitored, unrestricted access to 17 out of 18 available ECHO privileges (profiles). In addition to ECHO application access, the IT Manager has powerful administrator access to the ECHO database and server. The size of the HS IT function does not allow appropriate separation of responsibilities for maintaining software/databases and providing user support. Access controls could be improved by removing ECHO sign-on accounts from core IT staff and adopting system activity monitoring procedures.

Recommendation: To mitigate the exposure of inadequate separation of conflicting responsibilities, we recommend the Board of County Commissioners direct the County Administrator to (within ninety days of adoption):
4. Remove transaction responsibilities from IT staff. The IT Manager should not be assigned to input, adjust, or void transaction data in ECHO.
5. Require supervisors (other than the IT Manager) to monitor daily transactions and reconcile system reports of BARC activity to source documents.
6. Request ETS to perform a routine review of the database and Microsoft server configurations to ensure HS is maintaining the ECHO infrastructure in compliance with established County standards for operations and security.

Finding 4: Backup resources to support and maintain ECHO have not been established, increasing the risk of system unavailability.

One individual has supported ECHO since the 2003 implementation. No other staff member has been trained to fulfill the role of application support. BARC's reliance on one individual to support ECHO increases the risk of system unavailability. Should ECHO become unavailable and ECHO support staff not be accessible, recovery and ongoing problem resolution would be hampered.

Recommendation: To mitigate the exposure to system unavailability, we recommend the Board of County Commissioners direct the County Administrator to (within ninety days of adoption):
7. Identify and train a backup resource for the BARC IT Manager.
8. Maintain ECHO system and database documentation as system updates/upgrades are implemented, to facilitate backup administration, support and maintenance of ECHO.

Finding 5: A maintenance agreement is not in place to ensure continued availability of vendor support for the ECHO software.

In lieu of a software maintenance agreement, BARC paid vendor invoices for annual software maintenance using the direct payment voucher process. The amount paid for annual maintenance in 2009 was $40,628. This practice does not comply with established internal controls [3] for vendor payments, and exposes BARC to a potential loss of vendor support. Without a software maintenance agreement, there is no contractual obligation on the vendor to continue to support and maintain ECHO. The vendor has submitted an agreement renewal form letter each year; however, BARC staff did not negotiate the terms of the agreement and the agreement was not executed. Without an effective support agreement, BARC has no recourse against the vendor for non-performance, nor the protection provided under the standard terms of a properly executed software maintenance agreement.

Recommendation: To ensure compliance with the County's Administrative Code and provide for continued maintenance/support of ECHO, we recommend the Board of County Commissioners direct the County Administrator, within ninety days, to:
9. Re-evaluate vendor-supplied support terms and process maintenance agreements and payments as required by the Administrative Code, purchasing ordinance and Broward County procedures.

[3] Volume 6, Accounting, Payroll & Tangible Property Procedures, Chapter 3, Payment Process: Section II, Documentation Required for Payment; Section IV, Payment Requests, Direct Voucher Payment.
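As an added illustration (not code from the audit report, from HS, or from The ECHO Group), the following Python script runs the periodic account review that Finding 1 recommends, together with the separation-of-duties check that Finding 3 describes, over a constructed account export and HR roster. The record layout, the profile names, the 90-day dormancy threshold and every sample record are assumptions; the actions it produces correspond to the report's own recommendations (revoke on status change, obtain a signed access form, lock out dormant accounts, flag administrators who also hold transaction profiles).

```python
"""Periodic account review (Finding 1) with a separation-of-duties check (Finding 3).

Added example, not from the audit report or ECHO. Record layout, profile names,
the dormancy threshold and all sample data below are constructed assumptions.
"""
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)                 # assumed threshold for a dormant account
ADMIN_PROFILES = {"security_admin", "db_admin"}    # assumed names of administrative profiles
TRANSACTION_PROFILES = {"billing", "clinician"}    # assumed names of transaction profiles

# Constructed application account export (not real ECHO data).
ACCOUNTS = [
    {"user": "alice", "profiles": ["clinician"], "last_login": date(2010, 3, 1), "form": "signed"},
    {"user": "bob", "profiles": ["billing", "clinician"], "last_login": date(2009, 10, 2), "form": "signed"},
    {"user": "carol", "profiles": ["clinician"], "last_login": date(2010, 2, 20), "form": "missing"},
    {"user": "dave", "profiles": ["billing"], "last_login": date(2010, 3, 5), "form": "unsigned"},
    {"user": "erin", "profiles": ["clinician"], "last_login": date(2010, 3, 8), "form": "signed"},
    {"user": "frank", "profiles": ["clinician"], "last_login": date(2009, 11, 1), "form": "signed"},
    {"user": "itmgr", "profiles": ["security_admin", "billing", "clinician"],
     "last_login": date(2010, 3, 10), "form": "signed"},
]

# Constructed HR roster (username -> employment status). Accounts with no
# roster entry are treated as orphaned and revoked.
ROSTER = {
    "alice": "active",
    "bob": "terminated",
    "carol": "active",
    "dave": "transferred",
    "frank": "active",
    "itmgr": "active",
}


def review_accounts(accounts, roster, as_of, dormant_after=DORMANT_AFTER):
    """Return (user, action, reason) tuples for every account that needs attention."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        status = roster.get(user)
        # Orphaned or terminated: revoke outright, nothing else matters.
        if status is None:
            findings.append((user, "revoke", "no matching employee record"))
            continue
        if status == "terminated":
            findings.append((user, "revoke", "employee terminated"))
            continue
        # Any other status change means the existing privileges must be re-approved.
        if status != "active":
            findings.append((user, "review_privileges", f"employee status is {status}"))
        # Access must be backed by a completed, supervisor-authorized form.
        if acct["form"] != "signed":
            findings.append((user, "obtain_authorization", f"access form {acct['form']}"))
        # Dormant accounts are locked out after the threshold.
        last = acct["last_login"]
        if last is None:
            findings.append((user, "disable_dormant", "never logged in"))
        elif as_of - last > dormant_after:
            findings.append((user, "disable_dormant", f"no login for {(as_of - last).days} days"))
        # Administrative and transaction profiles on one account are incompatible duties.
        admin = ADMIN_PROFILES & set(acct["profiles"])
        txn = TRANSACTION_PROFILES & set(acct["profiles"])
        if admin and txn:
            findings.append((user, "sod_conflict",
                             f"{', '.join(sorted(admin))} combined with {', '.join(sorted(txn))}"))
    return findings


def summarize(findings):
    """Count findings per action, for the management report."""
    counts = {}
    for _, action, _ in findings:
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_accounts(ACCOUNTS, ROSTER, as_of=date(2010, 3, 11))
    for user, action, reason in results:
        print(f"{user:8} {action:22} {reason}")
    print(summarize(results))
```

In practice the account export would be pulled from the application's security tables and the roster from HR, and the output retained alongside the signed access forms as evidence that the periodic review took place.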
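Finding 2 lists four password criteria that the application was capable of enforcing but was never configured to enforce. As an added example (not code from the audit report, from HS, or from The ECHO Group), the Python below implements those four rules as an application would: the rule text is the report's, while the names, the salted PBKDF2 hashing of the reuse history, the reading of "alphanumeric" as requiring both letters and digits, and the tokenisation used for "any part of the account name" are assumptions.

```python
"""Password controls matching the HS IT Security Policy criteria cited in Finding 2.

Added illustration, not code from the audit report or from ECHO. The four rules
are the report's; the names, hashing choices and the interpretation of
"any part of the account name" are assumptions.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8              # "at least 8 alpha-numeric characters"
MAX_FAILED_ATTEMPTS = 5     # "only 5 failed attempts ... before account is locked"
HISTORY_DEPTH = 15          # "not ... reuse the password for 15 consecutive change cycles"
PBKDF2_ITERATIONS = 20_000  # kept low so the example runs quickly; use far more in production


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256, so the reuse history never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)  # password hashes, oldest first, current last
    failed_attempts: int = 0
    locked: bool = False


def name_parts(username: str) -> list:
    """Tokens of the account name a password may not contain (assumed reading of 'any part')."""
    tokens = [t for t in re.split(r"[^a-z0-9]+", username.lower()) if len(t) >= 3]
    return tokens + [username.lower()]


def check_new_password(account: Account, candidate: str) -> list:
    """Return the policy violations for a proposed password; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Assumed reading of "alpha-numeric": both letters and digits must be present.
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        problems.append("must contain both letters and digits")
    lowered = candidate.lower()
    if any(part in lowered for part in name_parts(account.username)):
        problems.append("contains part of the account name")
    digest = _hash(candidate, account.salt)
    if any(hmac.compare_digest(digest, old) for old in account.history):
        problems.append(f"reused within the last {HISTORY_DEPTH} changes")
    return problems


def set_password(account: Account, candidate: str) -> bool:
    """Apply a password change only if every rule passes; keep a 15-deep reuse history."""
    if check_new_password(account, candidate):
        return False
    account.history.append(_hash(candidate, account.salt))
    del account.history[:-HISTORY_DEPTH]  # drop entries older than the last 15 changes
    return True


def attempt_login(account: Account, password: str) -> str:
    """Return 'ok', 'bad_password' or 'locked'; the fifth consecutive failure locks the account."""
    if account.locked:
        return "locked"
    if account.history and hmac.compare_digest(_hash(password, account.salt), account.history[-1]):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
        return "locked"
    return "bad_password"


if __name__ == "__main__":
    acct = Account("john.smith")
    print(check_new_password(acct, "Smithy123"))  # rejected: contains "smith"
    print(set_password(acct, "Tr0ub4dor99"), attempt_login(acct, "Tr0ub4dor99"))
```

Because the reuse history holds salted hashes rather than passwords, an auditor reviewing the configuration can confirm the 15-cycle rule is enforced without the application ever retaining old passwords in clear text; the lockout counter resets only on a successful login, so a locked account stays locked until an administrator clears it.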