YELLOW SHEET
Office of the State Auditor of Missouri
February 20, 2003
Report No. 2003-16
Controls over system access weak or missing
The Department of Revenue, which collects taxes and administers drivers’ licenses and motor vehicle records, needs to better address system access control management policies and practices. These practices protect the integrity, confidentiality, and availability of data and information, which are at risk from unauthorized use, modification, or disclosure.
System access management tools present problems
The department's two user identification (ID) management systems do not interface correctly, which results in many discrepancies in user ID status. Auditors identified 441 user IDs that had a different active or inactive status in the two management systems. These discrepancies place the department at risk of allowing inappropriate access to system resources. (See page 3)
Outside contractors’ access needs better management
A process is not in place to allow department officials to readily identify all third-party contractors who have access to department system resources and facilities. A centralized list of outside contractors doing business with the department is not maintained. Therefore, there is less assurance that only active contractors have appropriate authorized access to the department’s mainframe system and facilities. (See page 6)
Access rights not periodically evaluated
The department’s mainframe system administration fails to ensure user access rights are appropriate. As of August 2002, auditors noted 82 former employees had active user IDs. At least 14 employees had more than one active user ID. Meanwhile, six user IDs assigned to contractors were still active, even though they had not been accessed since November 2000. In addition to not reviewing access rights, the department’s system administrators do not monitor dormant user IDs. As of August 2002, 48 percent of active user IDs that had been used at least once had not been accessed for 180 days or more. Accepted standards and the department’s draft security policies and standards require management to ensure dormant accounts are removed from the system. (See page 7)
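The two findings above (status discrepancies between the two user ID management systems, and former-employee, duplicate and dormant IDs) are the kind of checks an access review script can run on exported ID lists. The following is an added example, not code from the report or the department; the two systems, the HR feed, the last-logon data and the user IDs are constructed sample data, and the 180-day dormancy threshold is the one the audit applied.

```python
from collections import defaultdict
from datetime import date, timedelta

DORMANT_DAYS = 180  # dormancy threshold used in the audit finding

# Constructed sample data (assumed, not from the report). SYSTEM_A and SYSTEM_B stand in
# for the department's two user ID management systems; the value is the ID's status in each.
SYSTEM_A = {"jdoe01": "active", "asmith": "active", "contr07": "active",
            "bjones": "inactive", "jdoe02": "active", "rlee": "active"}
SYSTEM_B = {"jdoe01": "active", "asmith": "inactive", "contr07": "active",
            "bjones": "active", "jdoe02": "active"}
# HR feed (constructed): user ID -> (person identifier, employment status)
HR = {"jdoe01": ("E100", "employed"), "jdoe02": ("E100", "employed"),
      "asmith": ("E200", "terminated"), "bjones": ("E300", "employed"),
      "contr07": ("C007", "contractor"), "rlee": ("E400", "terminated")}
# Last successful logon per ID (constructed); None means the ID was never used.
LAST_LOGON = {"jdoe01": date(2002, 8, 1), "jdoe02": date(2002, 1, 10),
              "asmith": date(2002, 7, 30), "bjones": None,
              "contr07": date(2000, 11, 15), "rlee": date(2002, 8, 5)}


def status_discrepancies(a, b):
    """IDs whose status differs between the two systems, or that exist in only one of them."""
    return sorted(uid for uid in a.keys() | b.keys() if a.get(uid) != b.get(uid))


def active_ids(system):
    return {uid for uid, status in system.items() if status == "active"}


def former_staff_active(system, hr):
    """Active IDs whose HR record says the person has left the department."""
    return sorted(uid for uid in active_ids(system)
                  if hr.get(uid, ("", ""))[1] == "terminated")


def duplicate_ids(system, hr):
    """Persons holding more than one active ID, keyed by person identifier."""
    owners = defaultdict(list)
    for uid in active_ids(system):
        owners[hr.get(uid, (uid, ""))[0]].append(uid)
    return {person: sorted(ids) for person, ids in owners.items() if len(ids) > 1}


def dormant_ids(system, last_logon, as_of, days=DORMANT_DAYS):
    """Active IDs used at least once but not within `days` of `as_of` (the report's 180-day test)."""
    cutoff = as_of - timedelta(days=days)
    return sorted(uid for uid in active_ids(system)
                  if last_logon.get(uid) is not None and last_logon[uid] < cutoff)
```

Each function returns the list an auditor would hand back to the system administrators; running them on a schedule, rather than once, is what turns the finding into an ongoing control.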
Background screenings should be re-performed for sensitive job positions
Department officials risk not being able to detect unacceptable employee actions because background screenings are not performed on current employees. Background investigations, which include a Highway Patrol criminal background check, are only performed on applicants being offered a job with the department. Background screenings help determine whether an individual is suitable for a given position. However, similar screenings are not performed when an employee transfers to another position within the department. Accepted standards suggest periodic background reinvestigations should be performed at least once every 5 years, consistent with the sensitivity of the position. (See page 9)
Computer security framework needed
Although department divisions have developed security procedures, no formal department-wide security policy existed before July 2002. That limited policy does not cover all necessary issues. According to accepted standards, an organization should have a written, up-to-date security policy covering all major facilities and operations agency-wide. (See page 13)
Access and security violations are not sufficiently monitored
Department officials have not taken sufficient steps to ensure system security controls are functioning properly. The first step in establishing effective security is developing procedures for logging appropriate security-related events, monitoring specific access, and investigating apparent security violations. The security administrator receives a weekly report of department-wide mainframe violations for trend analysis and is working on a way to distribute this detail to appropriate personnel for review. The department has not documented any of these processes. When potential violations are brought to the attention of appropriate officials, procedures are in place to investigate and take necessary action; however, department officials do not routinely review computer system reports, which identify what changes have been made to critical functions, such as computer system security values. (See page 15)
Physical security controls are not adequate
Computer and other information resource facilities are at risk of being accessed by unauthorized employees and visitors. Tools available to monitor employee access are not used effectively. Human resource personnel have a database of all employees and their badge type that identifies each employee’s physical access rights within department facilities. However, terminated employees are not removed from the database. As a result, there is no current employee listing with which to sufficiently monitor physical access. Furthermore, the department does not maintain a list of temporary badges that have been issued. Temporary badges may be issued to contractors, department employees who forgot their badges, or visitors. Without recording when a temporary badge was issued and to whom, the department cannot identify all individuals who have access to department facilities or whether that access remains necessary and appropriate. (See page 18)