YELLOW SHEET Office of the State Auditor of Missouri
May 20, 2003
Report No. 2003-44
Disbursing child support checks could be interrupted in a disaster due to inadequate data recovery plans, unauthorized access to system also possible
This audit assessed how well the state can recover data after unexpected interruptions to the state's child support computer system, which disburses child support checks. The Division of Child Support Enforcement (DCSE) distributed about $447 million in child support checks to parents during fiscal year 2002. The computer system also maintains confidential child support data, such as parental and court-ordered information, and is not adequately protected from unauthorized access.
Disaster recovery planning efforts have been inadequate
DCSE has not updated or used its disaster recovery plan since 1994, when the contractor developed the plan. Instead, DCSE personnel have relied on the Department of Social Services' disaster recovery plan. However, the department's plan referred to DCSE's outdated 1994 plan and did not specifically address procedures to recover DCSE's computer system. In addition, the department has a reactive recovery plan, in which data recovery teams meet after a disaster occurs and decide what is needed. (See page 6)
Backup and recovery procedures were inadequate
Federal information system control guidelines state an entity should have the ability to restore data files if lost in a disaster. However, auditors found backup files were not properly rotated to an off-site location to avoid disruption if data is lost or damaged. In addition, no inventory existed for the off-site storage facility to ensure the availability of proper data and documentation. (See page 7)
DCSE's computer system was not reestablished in some disaster recovery tests
The department could not reestablish DCSE's computer system in 2001 and 2002 disaster recovery tests. While personnel recovered DCSE's system in the 2003 test, they did not have enough time to complete all test procedures. Plan deficiencies exposed in the first two tests included incomplete backup data to recover the system. (See page 9)
Confidential, sensitive child support information not always protected
The department has risked having current and former employees gain unauthorized access to DCSE's computer system. Improvements are needed in controlling access to the computer system relating to: revoking terminated employees' passwords, keeping multiple user IDs to a minimum, sharing user IDs, checking criminal background of all employees, and restricting system access to users from remote locations. (See page 13)
Unrestricted access to sensitive data has resulted in some abuses
In the past 4 years, DCSE officials reprimanded or suspended 12 employees who allegedly misused sensitive computer information. For example, a DCSE technician, who rented an apartment to a custodial parent, electronically checked if the parent received a child support payment when she had not paid rent owed to the technician. When the technician saw the parent received the check, the technician asked for the rent. In addition, technicians have access to all cases, not just the cases in their respective caseloads. Such unlimited access has led to some of the abuses noted. (See page 17)