Citywide Identity Management Performance Audit


Citywide Identity Management Performance Audit
March 2014
Office of the Auditor, Audit Services Division
City and County of Denver
Dennis J. Gallagher, Auditor

The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring the proper and efficient use of City resources and providing other audit services and information to City Council, the Mayor and the public to improve all aspects of Denver's government. He also chairs the City's Audit Committee.

The Audit Committee is chaired by the Auditor and consists of seven members. The Audit Committee assists the Auditor in his oversight responsibilities of the integrity of the City's finances and operations, including the integrity of the City's financial statements. The Audit Committee is structured in a manner that ensures the independent oversight of City operations, thereby enhancing citizen confidence and avoiding any appearance of a conflict of interest.

Audit Committee
Dennis Gallagher, Chair
Maurice Goodgaine
Leslie Mitchell
Rudolfo Payan
Robert Bishop
Jeffrey Hart
Timothy O'Brien, Vice-Chair

Audit Staff
Audrey Donovan, Deputy Director, CIA, CRMA, CGAP
Robert Pierce, IT Audit Supervisor, CISA, CISSP
Shannon Kuhn, Lead IT Auditor, CISA
Nicholas Jimroglou, Senior IT Auditor
Jacqueline Boline, Senior IT Auditor

You can obtain copies of this report by contacting us at:
Office of the Auditor
201 West Colfax Avenue, Department 705
Denver CO, (720) Fax (720)
Or download and view an electronic copy by visiting our website at:

City and County of Denver
Dennis J. Gallagher, Auditor
201 West Colfax Avenue, Department 705
Denver, Colorado
FAX

March 20, 2014

Mr. Frank Daidone, Chief Information Officer
Technology Services
City and County of Denver

Dear Mr. Daidone:

Attached is the Auditor's Office Audit Services Division's report of its audit of Citywide Identity Management. The purpose of the audit was to assess the effectiveness of internal controls used by Technology Services organizations, the Department of General Services Facilities Management unit, and the Office of Human Resources to manage and monitor access to City systems and data. We tested both physical and logical access to City systems and facilities. For physical access, we focused on the buildings under the control of General Services Facilities Management (GSFM) and the Department of Human Services (DHS). For logical access, we tested all of the networks in use throughout the City. During the course of the audit, we identified that access to all of the buildings tested was not solely administered by GSFM and DHS. As a result, copies of this report will be provided to all agencies where improvements are required.

We identified several areas where controls need to be improved related to identity management. Our audit recommendations address processes related to both logical and physical access controls. If implemented, these recommendations will enhance security across the City and help ensure that access to sensitive information is appropriately restricted.

If you have any questions, please call Kip Memmott, Director of Audit Services, at

Sincerely,

Dennis J. Gallagher
Auditor

rp/dg

cc: Honorable Michael Hancock, Mayor
Honorable Members of City Council
Members of Audit Committee
Ms. Cary Kennedy, Deputy Mayor, Chief Financial Officer

To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation.

AUDITOR'S REPORT

We have completed an audit of Citywide Identity Management. The purpose of the audit was to assess the effectiveness of internal controls used by the City to manage and monitor access to City systems and data. In addition to assessing overall City controls, the audit examined identity management practices for the Departments of Aviation, Human Resources, General Services, and Technology Services as well as the Denver County Court.

This performance audit is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, General Powers and Duties of Auditor, and was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

The audit found that the City does not have an adequate identity management governance structure in place to ensure that the risk of inappropriate access to City facilities and systems is mitigated. We found that the lack of consistent processes for granting and revoking physical and logical access has resulted in former employees retaining access to information that is protected by the federal Health Insurance Portability and Accountability Act as well as the Criminal Justice Information System Security Policy. This report makes a number of specific recommendations that will strengthen the governance surrounding these issues and ensure that access to City facilities and systems is appropriate.

We extend our appreciation to Technology Services, Denver International Airport Technologies, Denver County Court Technologies, Facilities Management, and the Office of Human Resources and the personnel who assisted and cooperated with us during the audit.

Audit Services Division
Kip Memmott, MA, CGAP, CRMA
Director of Audit Services

REPORT HIGHLIGHTS
Citywide Identity Management Performance Audit
March 2014

The audit focused on Citywide identity management of both physical and logical access to systems and data.

Background
Identity management is the task of controlling information about users on computers. This information includes credentials that authenticate the identity of a user within systems. Information can include user descriptions and actions they are authorized to access and perform. Access to physical spaces can also be handled through identity management when software is the mechanism to grant and revoke building access.

Purpose
The purpose of this audit was to determine whether:
- physical and logical access control policies are in place and adhered to;
- personnel with identity management responsibilities are adequately trained;
- access provisioning and de-provisioning is appropriately performed;
- periodic entitlement reviews are conducted to identify unauthorized access;
- password parameters align with best practices and the Federal Information Security Management Act; and
- access is managed in compliance with applicable regulations.

Highlights
The audit found that improvements need to be made to the City's identity management governance with regard to both physical and logical access. Specifically we identified:
- Thirty-eight active network accounts were not removed for former employees and contractors who are no longer affiliated with the City. Six of these accounts appear to have been logged into after separating from the City.
- One hundred physical access badges were not disabled for former employees with clearances that allowed access to doors to the Denver Human Services Records Room, Child Welfare Office, 911 Emergency Communications Center, District and City Attorney's Offices, and the City data centers.
- Former employees retained access to hard copy child welfare and health information protected by the Health Insurance Portability and Accountability Act.
- A former Technology Services employee retained remote access to databases containing criminal information restricted by the Criminal Justice Information Services Security Policy.
- One individual within the City Attorney's Office did not have logical or physical access revoked following employment.

These and other instances of inappropriate access have occurred as a result of the City not having an adequate governance process in place to manage all steps in granting and revoking access to facilities and systems.

For a complete copy of this report, visit or contact the Auditor's Office at

TABLE OF CONTENTS

INTRODUCTION & BACKGROUND 1
  Identity Management 1
  Breach Case Studies 2
  Background on Applicable Laws and Regulations 3
  Logical Access Controlled through Centralized Directory Services 4
  Physical Access Control Systems 5
SCOPE 6
OBJECTIVE 6
METHODOLOGY 6
FINDING 8
  The City Needs to Improve Governance around Identity Management to Ensure that Access to Facilities and Systems Is Appropriately Restricted
RECOMMENDATIONS 13
AGENCY RESPONSE 16

INTRODUCTION & BACKGROUND

Identity Management

Identity management (IdM) is the task of controlling information about users on computers. This information includes credentials that authenticate the identity of a user, information that describes users, and actions users are authorized to perform. It also includes the management of descriptive information about the users and how and by whom that information can be accessed and modified. Managed areas typically include users, hardware, network resources, applications, and physical premises. Effective governance around identity management helps ensure that access to facilities and systems is appropriately controlled and that threats related to unauthorized access are minimized.

Threats to Denver City agencies are very real. The following example demonstrates effective identity management and physical access control and also illustrates the type of threat that a City like Denver faces when providing numerous public services to its citizens. On November 11, 2013, the Denver Post reported an incident involving a woman who drove a car onto the sidewalk, set the vehicle on fire, and then watched it burn in front of the Wellington E. Webb Municipal Office Building (Webb Building). [1] The Webb Building houses several key City agencies including the District and City Attorney's Offices, the Controller's Office, and Technology Services. The Denver Post reported that, after lighting fire to her car, the woman briefly entered the Webb Building at the main entrance off West Colfax Avenue. The woman was stopped before she could pass building security and the metal detectors, but she did publicly demonstrate one type of threat the City and County of Denver faces when providing numerous public services to Denver citizens. In today's world of increased threats related to computer hacking and terrorism, effective governance around identity management is critical.

Following are a few risks associated with weak identity management:
- Increased risk to public and employee safety
- Loss or compromise of sensitive data protected by rules and regulations
- Heightened risk of costly fines, negative publicity, and an erosion of public trust
- Increased risk of fraud
- Elevated exposure to computer network hacking and malware

[1] "Denver police arrest woman suspected of setting car ablaze downtown," Denver Post, accessed January 2, 2014.

Page 1 Office of the Auditor

Breach Case Studies

A data breach is the intentional or unintentional release of secure information to an unsecured or non-trusted environment. Data breaches can be costly, create negative publicity, and occur in a number of ways. Following are a few examples of breaches that have occurred recently:

- Target Corporation had a massive data breach on November 15, 2013, when the company's payment system was hacked, exposing more than 40 million debit and credit cards. The hack occurred as a result of a third-party vendor having access to the Target network. Corporations often allow third-party vendors remote network access to perform periodic maintenance on information systems. It is believed that hackers stole the third-party network credentials, which allowed them to gain access to Target's payment system. [2]

- The City of Springfield, Missouri, had one of its websites hacked on February 28. Hackers were able to obtain more than 6,000 records containing social security numbers from online police records as well as more than 15,000 records relating to warrant information, including crime data. Officials are taking steps to notify approximately 2,100 individuals whose personal information may have been obtained when the site was breached. [3]

- The Alaska Department of Health and Human Services (DHHS) agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle potential violations of the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule for a breach that occurred on July 26. The HHS Office for Civil Rights (OCR's) investigation followed a breach report submitted by DHHS as required by the Breach Notification Rule within the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a USB thumb drive, possibly containing electronic protected health information (ePHI), was stolen from the vehicle of a DHHS employee. Over the course of the investigation, OCR found that DHHS did not have adequate policies and procedures in place to safeguard ePHI. Further, DHHS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule. [4]

[2] "Target Hackers Broke in Via HVAC Company," Krebs on Security, accessed February 6, 2014.
[3] "Springfield city website hacked as part of series of hacks involving government and law enforcement," databreaches.net, accessed February 6, 2014.
[4] "Alaska settles HIPAA security case for $1,700,000," U.S. Department of Health and Human Services, accessed January 2, 2014.

Background on Applicable Laws and Regulations

Due to the breadth of services that the City provides, the City must comply with a number of rules and regulations designed to protect the personal data of the City's employees and residents. Following are examples of a few applicable rules and regulations that relate to some of the services the City and County of Denver provides:

The Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rule: [5] HIPAA establishes national standards to protect the confidentiality, integrity, and availability of individuals' protected health information that is created, received, used, or maintained by a covered entity. The Privacy Rule gives individuals rights over their protected health information and sets rules and limits regarding who can look at and receive that health information. The Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure.

There are a variety of ways in which a city may be considered a covered entity under HIPAA, and the rule potentially impacts several departments if the city does any of the following:
- Administers a public health program, such as the Department of Human Services
- Administers police and corrections departments that retain health information on inmates
- Contracts with or is considered a business associate of a covered entity, such as a third-party administrator for its self-insured health plan, or is a plan sponsor under a fully insured health plan
- Owns medical clinics, hospitals, or ambulance services, such as the Denver 911 Emergency Communications Center
- Performs certain health plan functions on behalf of the insurance carrier
- Offers employees a Health Flexible Spending Account
- Transmits individual health information electronically

Several of Denver's agencies are considered Covered Entities under HIPAA and are subject to the HIPAA Privacy and Security Rules that are in place to ensure the privacy of an individual's health information. The HHS OCR is responsible for administering and enforcing the standards and may conduct complaint investigations and compliance reviews of Covered Entities. Another key component of HIPAA's HITECH Act is that agencies are required to provide the Secretary of HHS with notice of breaches of protected health information.

[5] C.F.R. 160 and Subparts A and C of 164 (2013).

Criminal Justice Information System (CJIS) Security Policy: [6] Due to the need for increased information sharing between federal, state, and local law enforcement agencies, the Federal Bureau of Investigation (FBI) has developed the CJIS policy to provide consistent guidelines for all law enforcement agencies to follow when securing Criminal Justice Information (CJI). The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI. The policy integrates presidential directives, federal laws, FBI directives, and the criminal justice community's Advisory Policy Board decisions along with nationally recognized guidance from the National Institute of Standards and Technology (NIST). The Denver Police, Sheriff, and Fire Departments, the District and City Attorney's Offices, and other City agencies with access to databases containing CJI must be physically and logically secured in compliance with CJIS requirements.

Payment Card Industry Data Security Standards (PCI DSS): [7] Any organization or merchant that accepts, transmits, or stores any credit cardholder data must comply with PCI DSS. PCI DSS contains twelve requirements with directives against which businesses may measure their own payment card security policies, procedures, and guidelines. By complying with periodic assessments performed by Qualified Security Assessors (QSAs), businesses and entities can become accepted by the PCI Standards Council as compliant with the twelve requirements and thus receive a compliance certification and a listing on the PCI Standards Council website. Compliance with the PCI DSS is vital for all merchants who accept credit cards, online or offline, due to the sensitivity of payment card data and the risks associated with credit card fraud. Since the City acts as a credit card merchant when providing some City services, the City must comply with PCI requirements and receives a Report on Compliance annually. The PCI requirements mandate that physical and logical access to cardholder data is restricted to authorized individuals only. [8]

Logical Access Controlled through Centralized Directory Services

Directory services are used to manage access across various portions of the City networks. A log-on is used as a point of entry to gain access to the majority of City systems. Whether connecting remotely from outside the City's networks or in person to systems on the City's networks, directory services authentication is required to gain access to City data. The City operates multiple network segments that are designed to restrict logical access to systems and data. Although Technology Services manages a large portion of the network, some segments are managed by other agencies.

[6] Criminal Justice Information Services Security Policy, last modified August 9, 2013, U.S. Department of Justice.
[7] PCI DSS v3.0, last modified November 2013.
[8] Logical access refers to user-based authenticated access to the application systems and the data that is processed.

[Figure: Directory services authentication. Physical Badge Access and Remote Access both lead to Directory Services Authentication; a successful logon gains logical access to city data, an unsuccessful logon restricts logical access to city data. Source: Created by Audit Services Division Staff]

Physical Access Control Systems

Several agencies throughout the City have the ability to grant and remove physical badge access to facilities under their control. For example, the Facilities Management unit within the Department of General Services is responsible for the administration of building badge access, in addition to the general management, maintenance, and daily operations of several City-owned facilities.

[Figure: Physical Badge Access leads to access to hard copy city data. Source: Created by Audit Services Division Staff]

Prior to gaining access to secured City agencies and hard copy information, physical badge readers provide the first layer of physical security. Photo identification access badges, used for both identification and authentication of an individual, are used to restrict access to secured areas throughout the City. The City operates six separate physical access control systems. Each of the physical access control systems is used to restrict access to a number of City facilities. It is possible that an employee may have clearance to access more than one City-owned location. Clearance may be granted to a current badge or a separate badge may be issued to provide access.

Each access control system has a number of individuals who may grant, remove, and modify physical access clearances to their respective area. For example, we noted that the system controlling access to the Webb Building has separate agencies that may grant and revoke access rights to physical areas under their control. Agency representatives fill out a form to have Facilities Management create a badge ID card, and they notify Facilities Management when access is no longer needed. As described in the findings of this report, we identified instances where access badges were assigned by agencies other than Facilities Management and were not disabled by those groups following an employee's departure from the City.

SCOPE

The audit focused on Citywide identity management of both physical and logical access to systems and data. For logical access, the audit focused on all the directory services, which are used as the primary point of entry to access the majority of applications and electronic data in use within the City. For physical access, the audit tested two separate access control systems, which are used to control access to the following buildings:
- Performing Arts Center
- Minoru Yasui Building
- City Permit Center
- Denver Animal Shelter
- Roslyn Building
- DHS Main
- Family Crisis Center
- DHS East
- Webb Building
- City Data Center
- DHS Montbello
- 911 Technologies

In accordance with Generally Accepted Government Auditing Standards, the reader should be aware that some details about information security weaknesses are considered sensitive security information and are not disclosed within this report. The details of all findings, however, have been presented to Technology Services and Facilities Management. As part of our regular follow-up for audit issues, we will return at a future date to ensure that all findings have been addressed.

OBJECTIVE

The purpose of the audit was to assess the effectiveness of internal controls used by Technology Services, the Department of General Services Facilities Management unit, and the Office of Human Resources to manage and monitor access to City facilities, systems, and data. Audit objectives included an assessment of provisioning and deprovisioning processes for user accounts.

METHODOLOGY

We used several methodologies to achieve the audit objectives. Our evidence-gathering techniques included, but were not limited to:
- Interviewing agency staff with identity management responsibilities
- Reviewing existing policies and procedures related to access provisioning and deprovisioning

- Querying the Office of Human Resources system of record to identify former and current employees for testing
- Using data analytics to compare the listing of both current and former employees against the listing of users with logical and physical access
  - User accounts were judgmentally selected from the full populations of potentially active accounts for former employees based on the risk associated with what each account had access to. We selected the following samples:
    Access de-provisioning: 85 samples
    Access provisioning: 20 samples
    Privileged accounts: 20 samples
    Physical de-provisioning: 100 samples
- Reviewing applicable laws, rules, and regulations related to identity management including:
  - Federal Information Security Management Act of 2002 (FISMA)
  - Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  - HIPAA's Health Information Technology for Economic and Clinical Health (HITECH) Act
  - Payment Card Industry Data Security Standard (PCI DSS version 3.0, November 2013)
  - Criminal Justice Information Services Security Policy (CJIS version 5.2, August 2013)
- Querying the Technology Services help desk ticketing system to identify whether individuals' access was provisioned in accordance with existing policies
- Reviewing existing security awareness training content
- Reviewing relevant audits conducted in the past related to DIA information security awareness training
- Performing tail-gate testing to determine the effectiveness of the physical badge control system

FINDING

The City Needs to Improve Governance around Identity Management to Ensure that Access to Facilities and Systems Is Appropriately Restricted

Audit work identified several weaknesses related to the City's identity management governance structure for both physical and logical access to facilities and systems. With regard to physical access, we found inconsistent application of procedures used to provision and de-provision employee physical access badges, which resulted in former employees having active badges after they no longer worked for the City. With regard to logical access, we found that some individuals who no longer worked for the City still had active credentials, allowing them to access City systems, some of which contain sensitive information. To mitigate the risk associated with unauthorized access to City facilities and systems, we recommend that the City create a comprehensive information security governance structure including security awareness training, periodic entitlement reviews, a list of third-party workers, and procedures for requesting and removing access.

Physical Access to Some City Facilities and Secured Areas Is Not Restricted to Authorized Individuals

Physical access controls prevent unauthorized individuals from accessing City buildings. The City uses a variety of identification tools to ensure that physical access is only granted to City employees and only to the extent that they need access to perform their job duties. However, in the course of our audit work, we found a number of instances where individuals who no longer work for the City still had active badges that would grant them entry to secured facilities. During the audit, we tested two badging systems controlling access to the Wellington E. Webb Municipal Office Building (Webb Building), Performing Arts Center, Denver Animal Shelter, City data centers, Minoru Yasui Building, Roslyn Building, City Permit Center, 911 Technologies, and Department of Human Services facilities.

A Significant Number of Badges for Previous City Employees Remain Active

New City employees are issued photo identification badges to access secured City facilities and rooms. Badges are provisioned upon receipt of a signed access request form from the new employee's agency. To test the badge-provisioning process, we compared the list of all former City employees since 2000 against the list of active badge holders. Our testing identified 972 active badges for employees who are no longer on the City's centralized payroll system. Some of these active badges could be legitimately active if a former employee was rehired but is paid outside of the City's centralized payroll system; however, since there is no list of these contractors, volunteers, or interns, we were not able to make that determination.

We performed additional testing on 100 of the potentially unauthorized badges based on the sensitivity of the areas to which the badges allowed access. Testing showed that all 100 of the badges were for former employees who were no longer authorized to have access. These active badges allowed access to areas including the City Attorney's Office, the District Attorney's Office, City data centers, 911 technologies, child welfare offices, the Department of Human Services human resources file room, and the Department of Human Services records room. We found that agency representatives do not follow a consistent process to revoke badge access, so we were unable to identify a single root cause for why the badges were not disabled following an employee's employment with the City.

Auditors found 100 active badges for former employees with access to high risk areas.

After identifying active badges for employees who were no longer authorized to have access, we attempted to identify the date of the last activity for each of the unauthorized badges. This testing showed that no unauthorized badges accessed sensitive areas at the Department of Human Services after the individuals assigned to those badges separated from the City. For sensitive areas within 911 technologies, the Webb Building, City data centers, and the City and District Attorney's Offices, we were able to determine that no unauthorized individuals accessed those facilities within the past six months. [9] Facilities Management should determine whether the remaining badges are for active employees who require access or whether the badges need to be disabled. Facilities Management should also perform additional testing to ensure that no breaches occurred related to former employees accessing high-risk areas.

Badge Administrators Not Consistently Informed of Need for Badge Deactivation

We found that badge administrators do not know when an employee's badge should be disabled unless the employee's manager or agency representative notifies the administrator and requests access to be revoked. In the event that a badging administrator is not notified to revoke access for a former employee, access for that individual may remain active following employment. We also found that some badging administrators cannot verify whether an individual's badge access is authorized because they do not have access to the Office of Human Resources system of record showing current City employees. For example, after we identified active badges that appear to belong to former employees, Facilities Management personnel could not confirm whether any of these individuals still require access to City facilities. Therefore badge administration personnel rely solely on City agencies to notify them when badge access should be removed. In addition, there is no documented process that City agency representatives follow to consistently disable badge access.

[9] Auditors were only able to inspect badge activity for the past six months due to the size of the reports, and Facilities Management had difficulty configuring them to report activity for high-risk areas only. Facilities Management should configure and run additional reports to determine whether any former employees accessed sensitive areas after they were employed by the City over the past two years.

In the absence of a consistent process,

16 agency representatives may notify badging administrators to disable badges in a number of ways. For example, some requests to disable access are phoned in, others are ed, and still more are sent via electronic forms to Technology Services. After performing additional audit procedures and contacting supervisors of former employees, we found that at least 100 of the badges with access to high-risk areas should be disabled. There Are No Controls to Prevent Former Employees with Deactivated Badges from Entering Certain City Facilities We found that it is possible for individuals who separate from the City to access some secure facilities, circumventing the metal detectors. This can occur when employees do not turn in their badges following employment. Additional information related to this issue has been provided confidentially to the appropriate City agency. Logical Access to City Systems Is Not Appropriately Restricted Logical access controls prevent unauthorized users from accessing the City s computer information systems. The City has a variety of identification and authorization tools in place to ensure that logical access is only granted to City employees and only to the extent that they need access to perform their job duties. However, in the course of our audit work, we found a number of instances where individuals who no longer work for the City still had active credentials, allowing them to access the City s network. To determine whether any former employees retained active network credentials, we first obtained a list of all users in the City s directory services. We also obtained a list of the folders and groups the users had access to as employees and their last log-on dates. 
Then we generated a list of current City employees by running queries against the Office of Human Resources system of record, as well as by generating a list of all former employees since. We used data analytics to compare the current and former employee lists against the active user accounts within each of the City's directory services. On three of the five City networks tested, we found that some individuals had retained network access following employment.

City Government Directory Services Issues

We identified three issues related to inappropriate logical access. First, some employees have retained network access following employment with the City; second, some contractor accounts have not been set up or disabled in accordance with established policy; and third, some user accounts are not being set up with appropriate password requirements.

Some accounts have not been deactivated following employee separation

We identified fourteen network accounts for former employees who should no longer have network access to City systems. Six of the fourteen individuals appeared to have accessed their accounts after separating from the City. Accounts should be disabled in a timely manner when an individual is no longer employed. In the event that Technology Services needs to access the account, the account should be added as an extension to an existing employee's account rather than using the former employee's account. Rules and regulations such as HIPAA, PCI, and CJIS mandate that certain data is protected and access is restricted to authorized individuals only. One of the accounts retained remote access to crime-related information following employment. The account that retained remote access to crime-related information is regulated by the CJIS security policy.[10] Other directory services details have been provided confidentially to the appropriate agency separate from this report.

Some contractor accounts are not being provisioned or de-provisioned in accordance with policy

Many City contractors are provided with logical access to City networks to perform their job duties. We found that contractor accounts are not always end dated within the directory services and therefore may remain active after a contractor is no longer working for the City. For example, we identified several former Department of Human Services (DHS) contractors who retained access to data after they were no longer authorized. One contractor also retained remote access to DHS files and folders after the individual was no longer working on behalf of DHS. Upon further inquiry with DHS personnel, a determination could not be made as to whether former employees retained access to client files. In total, we identified twenty-four manually provisioned accounts that were not end dated across agencies managed by Technology Services. As a result, these twenty-four individuals had active network accounts after they were no longer employed by the City. Contractor end dating is also required by the City's LAN and E-mail Policy. End dating contractor accounts helps mitigate risks to data.

Some account passwords are not set to expire in accordance with policy

We identified forty-one user accounts set with passwords that never expire. Passwords are required to be changed every ninety days in accordance with the City's LAN and E-mail Policy. Passwords that have been in place for long periods of time increase the risk of unauthorized access to systems. Some of the accounts we tested during the audit have passwords that have not been changed since.

[10] CJIS security violations must be reported to the regional CJIS Systems Officer, the national CJIS Director, as well as the Federal Bureau of Investigation (FBI). Upon notification, the FBI has the right to investigate any report of unauthorized use and suspend or terminate access and services. We were able to determine that the account in question did not access CJIS data following separation from the City. As a result, there was no CJIS violation; however, the City was out of compliance with the CJIS security policy and the individual could have remotely accessed crime-related data following separation from the City.

Increased Governance Is Needed to Mitigate Physical and Logical Identity Management Risks

To remediate identified issues and increase both physical and logical access security, the City should perform periodic entitlement reviews, develop and maintain a comprehensive and accurate listing of third-party workers, establish procedures for requesting and removing access to City facilities and systems, and implement security awareness training. Procedures for disabling physical and logical access should include a process for verifying that access has been removed and specifically identify the parties that are responsible for removing access upon notification.

Periodic entitlement reviews

The City does not perform periodic access entitlement reviews to determine whether physical and logical user access remains authorized over time. These types of reviews can help identify accounts that are no longer authorized when the processes to remove access are not performed. DIA performs limited entitlement reviews related to financial systems; however, these reviews do not include areas related to privileged accounts, such as database and domain administrators. Entitlement reviews also help ensure that access is commensurate with job duties. For example, high-risk file shares containing protected or sensitive data should be identified, and individuals with access to the high-risk file shares should be periodically reviewed to ensure that access is appropriate. Without a periodic review process in place, it is possible that accounts that are no longer authorized to have access, such as those identified within this audit, go unnoticed and uncorrected.

Develop a list of contractors, volunteers, and interns who are not on the City's payroll

In addition to regular employees, the City occasionally uses contractors, volunteers, and interns to perform work and services on behalf of the City. These third-party workers may be granted access to City systems and buildings to perform their work. However, we found that Technology Services and Facilities Management organizations do not have a record of the current employment status for City workers who are paid outside of the centralized payroll system. A centralized list that includes all City employees and third-party individuals would assist in determining the full population of valid City workers and is essential for performing periodic account reviews.
PeopleSoft, the Office of Human Resources system of record, is the only source for tracking active employees, which in turn serves as the control for authorization of access to City networks through an automated tool. When a third-party worker is not in PeopleSoft, it is difficult to determine whether a particular individual is authorized to have access. Currently, third-party workers not paid through PeopleSoft are manually provisioned and de-provisioned, which has resulted in some of the issues identified within this audit. For example, we identified instances where manual processes failed to remove network access for former third-party workers. We used data analytics to identify manually provisioned accounts for former employees and noted that sixteen of the twenty accounts (80 percent) tested were not disabled following employment.

Establish a consistent process for requesting and removing access to City facilities and systems

As discussed throughout this report, the City does not have a consistent governance process to grant or remove an individual's access to City facilities and systems. Access changes may be requested through help desk tickets, electronic forms, or hard copy forms, and there is no training provided regarding which forms to use under certain circumstances. In the absence of an established process, access change requests are inconsistently sent to Technology Services and Facilities Management, which has resulted in access remaining active for some former employees, such as those identified within this audit report.

Additionally, we identified that electronic forms are filled out by hiring managers or agency representatives to disable physical badge access to the Webb Building, yet these forms are never sent to Facilities Management to facilitate removal of access. Instead, these forms are sent to Technology Services, but no action is taken to disable the badges. Our audit found that even though Facilities Management has developed building-specific access control criteria available through the City's intranet site, there are no procedures that address the creation and termination process for administration of employee badges. In the absence of such a guide to help ensure that a consistent process is used, auditors sampled 100 badges for further testing and found that access was assigned and removed inconsistently.[11] Technology Services and Facilities Management should develop consistent processes for granting and removing access to facilities and systems and then ensure that employees are trained on the processes. Such procedures should include a process for verifying that access has been removed.

Security awareness training

Security awareness training is not provided consistently throughout the City. While all Department of Aviation employees receive security awareness training, only about 40 percent of the remaining City employees receive the training. This type of training informs employees of the types of threats with which cities and other entities are being targeted. For example, some City employees were recently targeted through an e-mail scam attempting to collect their user IDs and passwords. This type of threat could severely compromise the security of the City's data network. Currently, 60 percent of employees are not trained on how to identify these types of threats and effectively protect their personal access credentials. Therefore, we recommend that security awareness training be developed jointly by Technology Services and Facilities Management to promote employee awareness of known threats to their access credentials.

[11] See the Methodology section of this report for all sampling methodology used during the audit.

RECOMMENDATIONS

1.1. The Director of Facilities Management should disable active badges for former employees identified within this audit and work with other badging administrators to ensure that any other potentially active accounts for former employees are disabled.

1.2. The Director of Facilities Management should install badge readers on the secured facility identified within the confidential findings provided to Facilities Management.

1.3. The Chief Information Security Officer should update the network and account management policy to reflect the current process for network credential creation and termination. The policy should also be adopted by Technology Services so that individuals responsible for access control understand the logical access requirements and comply with them. A separate process should be developed and implemented for interns, contractors, and volunteers to ensure that network accounts are provisioned and de-provisioned consistently.

1.4. The IT Governance Manager should disable active network accounts for former employees and contractors identified within this audit and ensure that any other active accounts for former employees are disabled.

1.5. The IT Governance Manager should ensure that password and group policy settings align with the City's LAN and E-mail Policy.

1.6. The IT Governance Manager should ensure that access to data protected by rules and regulations such as HIPAA and CJIS is periodically monitored and controlled appropriately over time.

1.7. The Chief Information Security Officer and the Director of Facilities Management should work together to develop and implement security awareness training for all City employees, contractors, volunteers, and interns who receive physical or logical access credentials. The format and extent of the security awareness training is at the discretion of Technology Services and Facilities Management; however, these entities should take the following high-risk areas into consideration when developing the program:
- The nature of sensitive material and physical assets employees may come in contact with, such as privacy concerns and government classified information
- Employee and contractor responsibilities in handling sensitive information, including review of employee nondisclosure agreements
- Requirements for proper handling of sensitive material in physical form, including marking, transmission, storage, and destruction
- Proper methods for protecting sensitive information on computer systems, including password policy and use of two-factor authentication
- Proper methods for protecting physical access credentials, such as not sharing badges, reporting lost or stolen badges immediately, etc.
- Computer security concerns, including malware, phishing, social engineering, etc.
- Workplace security, including building access, wearing of security badges, reporting of incidents, forbidden articles, etc.
- Consequences of failure to properly protect information, including potential loss of employment, economic consequences to the City, damage to individuals whose private records are divulged, and possible civil and criminal penalties

1.8. The Chief Information Security Officer and the Director of Facilities Management should implement periodic entitlement reviews and help facilitate agency access reviews, taking into consideration the following:
- All accounts should be reviewed on a pre-defined basis (monthly, quarterly, or annually)
- High-risk access permissions should be identified, and periodic account reviews should assess the appropriateness of high-risk access over time
- Account reviews should be assigned to a designated system owner with a general understanding of the appropriateness of access
- Account reviews should incorporate segregation of duties
- Reviews should be based on system-generated access reports

1.9. The Executive Director of Human Resources should work closely with the Chief Information Officer and other agencies to implement a centralized method for tracking contractor, volunteer, and intern (contingent) workers to allow these types of workers to be tracked and thereby have their network access provisioned and de-provisioned through an automated tool.

1.10. The Executive Director of Human Resources should work closely with the IT Governance Manager and independent IT departments across the City to train hiring managers and supervisors on provisioning and de-provisioning processes, taking into consideration the following when developing the training:
- A role-based approach for access provisioning
- Avoid mirroring accounts based on job functionality
- Develop a consistent, agreed-upon method for physical and logical access provisioning and de-provisioning (e.g., required forms, approvals)
- Develop a consistent method for handling contractors and other manually provisioned accounts (e.g., account end dating)

1.11. The Director of Facilities Management should create procedures that define daily badge management processes. Facilities Management should then train all badging administrators on the procedures to ensure that access is consistently provisioned and de-provisioned.

1.12. The Director of Facilities Management should consider centralizing the badge administration process and minimizing the number of administrators assigning badge access.
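As an added example (not the audit's own data analytics or any City tooling), the following script performs the kind of reconciliation the audit describes and that recommendations 1.4, 1.5 and 1.8 call for: it compares a directory export against the HR system of record and flags enabled accounts for separated employees, log-ons after separation, manually provisioned accounts with no end date, and passwords that never expire or exceed the ninety-day policy, then orders the results so accounts holding high-risk group membership are examined first. The field names, group names and sample records are constructed assumptions.

```python
"""Entitlement review: reconcile a directory export against the HR system of record.

Added example, not the audit's own tooling. Records below are constructed and the
field names are assumptions; a real review would read the directory and PeopleSoft
exports from files instead.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

PASSWORD_MAX_AGE = timedelta(days=90)  # ninety-day rotation cited in the report


@dataclass
class DirectoryAccount:
    username: str
    enabled: bool
    employee_id: Optional[str]        # None = manually provisioned (contractor, intern, volunteer)
    last_logon: Optional[date]
    password_last_set: date
    password_never_expires: bool = False
    account_expires: Optional[date] = None   # end date; None = never end dated
    groups: Tuple[str, ...] = ()


@dataclass
class HrRecord:
    employee_id: str
    status: str                          # "active" or "separated"
    separation_date: Optional[date] = None


def review_entitlements(accounts, hr_records, today) -> Dict[str, List[str]]:
    """Map username -> control failures, covering the report's three findings:
    enabled accounts for separated employees (and log-ons after separation),
    manually provisioned accounts without an end date, and non-expiring or
    stale passwords. Disabled accounts are the desired end state and are skipped."""
    hr_by_id = {r.employee_id: r for r in hr_records}
    findings: Dict[str, List[str]] = {}

    def flag(username: str, issue: str) -> None:
        findings.setdefault(username, []).append(issue)

    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.employee_id is None:
            # Third-party worker not in the HR system: the only control is the end date.
            if acct.account_expires is None:
                flag(acct.username, "manually provisioned account has no end date")
            elif acct.account_expires < today:
                flag(acct.username, "manually provisioned account past its end date but still enabled")
        else:
            hr = hr_by_id.get(acct.employee_id)
            if hr is None:
                flag(acct.username, "employee_id not found in HR system of record")
            elif hr.status == "separated":
                flag(acct.username, "enabled account for separated employee")
                if acct.last_logon and hr.separation_date and acct.last_logon > hr.separation_date:
                    flag(acct.username, "logon after separation date")
        if acct.password_never_expires:
            flag(acct.username, "password set to never expire")
        elif today - acct.password_last_set > PASSWORD_MAX_AGE:
            flag(acct.username, "password older than ninety days")
    return findings


def prioritize(findings, accounts, high_risk_groups) -> List[str]:
    """Order flagged usernames so that accounts holding high-risk group membership
    come first, as the audit did when choosing which badges and accounts to examine further."""
    groups_by_user = {a.username: set(a.groups) for a in accounts}
    return sorted(findings, key=lambda u: (not (groups_by_user[u] & high_risk_groups), u))


# Constructed sample data (not real City accounts, employees or group names).
TODAY = date(2014, 3, 1)
HIGH_RISK_GROUPS = {"CJIS-Remote", "DHS-ClientFiles"}
SAMPLE_HR = [
    HrRecord("E100", "active"),
    HrRecord("E200", "separated", date(2014, 1, 15)),
    HrRecord("E300", "active"),
    HrRecord("E400", "separated", date(2013, 9, 1)),
    HrRecord("E500", "active"),
]
SAMPLE_ACCOUNTS = [
    DirectoryAccount("jdoe", True, "E100", date(2014, 2, 27), date(2014, 1, 5), groups=("DHS-Records",)),
    DirectoryAccount("rroe", True, "E200", date(2014, 1, 20), date(2013, 12, 20), groups=("CJIS-Remote",)),
    DirectoryAccount("ghost", True, "E999", None, date(2014, 2, 1)),
    DirectoryAccount("svc_backup", True, "E300", date(2014, 2, 28), date(2012, 5, 1), password_never_expires=True),
    DirectoryAccount("mstale", True, "E500", date(2014, 2, 20), date(2013, 10, 15)),
    DirectoryAccount("contractor1", True, None, date(2014, 2, 25), date(2014, 2, 1)),
    DirectoryAccount("contractor2", True, None, date(2014, 2, 26), date(2014, 2, 1),
                     account_expires=date(2013, 6, 30), groups=("DHS-ClientFiles",)),
    DirectoryAccount("former_disabled", False, "E400", date(2013, 8, 30), date(2013, 6, 1)),
]

if __name__ == "__main__":
    results = review_entitlements(SAMPLE_ACCOUNTS, SAMPLE_HR, TODAY)
    for user in prioritize(results, SAMPLE_ACCOUNTS, HIGH_RISK_GROUPS):
        print(user, "->", "; ".join(results[user]))
```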


More information

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING By: Jerry Jackson Compliance and Privacy Officer 1 1 Introduction Welcome to Privacy and Security Training course. This course will help you

More information

Lessons Learned from HIPAA Audits

Lessons Learned from HIPAA Audits Lessons Learned from HIPAA Audits October 29, 2012 Tony Brooks, CISA, CRISC Partner - IT Assurance and Risk Services HORNE LLP AGENDA HIPAA/HITECH Regulations Breaches and Fines OCR HIPAA/HITECH Compliance

More information

Accepting Payment Cards and ecommerce Payments

Accepting Payment Cards and ecommerce Payments Policy V. 4.1.1 Responsible Official: Vice President for Finance and Treasurer Effective Date: September 29, 2010 Accepting Payment Cards and ecommerce Payments Policy Statement The University of Vermont

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

Police Records Management System IT General Controls Performance Audit

Police Records Management System IT General Controls Performance Audit Police Records Management System IT General Controls Performance Audit December 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the

More information

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards A Websense Research Brief Prevent Loss and Comply with Payment Card Industry Security Standards Prevent Loss and Comply with Payment Card Industry Security Standards Standards for Credit Card Security

More information

Richmond Police Department Police Records Management System (PISTOL) 12 Months ended December 31, 2011

Richmond Police Department Police Records Management System (PISTOL) 12 Months ended December 31, 2011 REPORT # 2012-10 AUDIT Of the TABLE OF CONTENTS Executive Summary..... i Comprehensive List of Recommendations. iii Introduction.......... 1 Background........ 2 Conclusion........ 3 Recommendations........

More information

ACCG Identity Theft Prevention Program. ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia 30303 (404)522-5022 (404)525-2477 www.accg.

ACCG Identity Theft Prevention Program. ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia 30303 (404)522-5022 (404)525-2477 www.accg. ACCG Identity Theft Prevention Program ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia 30303 (404)522-5022 (404)525-2477 www.accg.org July 2009 Contents Summary of ACCG Identity Theft Prevention Program...

More information

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/ Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite 7. Restrict access to cardholder data by business need to know PCI Article (PCI DSS 3) Report Mapping How we help 7.1 Limit access to system

More information

Iowa Health Information Network (IHIN) Security Incident Response Plan

Iowa Health Information Network (IHIN) Security Incident Response Plan Iowa Health Information Network (IHIN) Security Incident Response Plan I. Scope This plan identifies the responsible parties and action steps to be taken in response to Security Incidents. IHIN Security

More information

Fixed Assets Management Performance Audit

Fixed Assets Management Performance Audit Fixed Assets Management Performance Audit May 2010 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number 95.51 PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number 95.51 PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9. 95.5 of 9. PURPOSE.. To establish a policy that outlines the requirements for compliance to the Payment Card Industry Data Security Standards (PCI-DSS). Compliance with this standard is a condition of

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all

More information

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS HSHS BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement, ( Agreement ) is entered into on the date(s) set forth below by and between Hospital Sisters Health System on its own behalf and

More information

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations

More information

Accounting and Administrative Manual Section 100: Accounting and Finance

Accounting and Administrative Manual Section 100: Accounting and Finance No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM This Business Associate Addendum ( Addendum ), effective, 20 ( Effective Date ), is entered into by and between University of Southern California, ( University

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF DATA SECURITY USING MOBILE DEVICES DEPARTMENT OF TECHNOLOGY, MANAGEMENT, AND BUDGET January 2015 Doug A. Ringler, CPA, CIA AUDITOR

More information

Audit Committee. Audit Staff

Audit Committee. Audit Staff The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring

More information

PCI Compliance: How to ensure customer cardholder data is handled with care

PCI Compliance: How to ensure customer cardholder data is handled with care PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business

More information

Franchise Data Compromise Trends and Cardholder. December, 2010

Franchise Data Compromise Trends and Cardholder. December, 2010 Franchise Data Compromise Trends and Cardholder Security Best Practices December, 2010 Franchise Data Security Agenda Cardholder Data Compromise Overview Breach Commonalities Hacking Techniques Franchisee

More information

Denver International Airport Airport Legal Services Section Performance Audit

Denver International Airport Airport Legal Services Section Performance Audit Denver International Airport Airport Legal Services Section Performance Audit July 2014 Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County

More information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

More information

The Institute of Professional Practice, Inc. Business Associate Agreement

The Institute of Professional Practice, Inc. Business Associate Agreement The Institute of Professional Practice, Inc. Business Associate Agreement This Business Associate Agreement ( Agreement ) effective on (the Effective Date ) is entered into by and between The Institute

More information

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries

More information

HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N

HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N 1 COURSE OVERVIEW This course is broken down into 4 modules: Module 1: HIPAA Omnibus Rule - What you need to know to remain

More information

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator HIPAA Happenings in Hospital Systems Donna J Brock, RHIT System HIM Audit & Privacy Coordinator HIPAA Health Insurance Portability and Accountability Act of 1996 Title 1 Title II Title III Title IV Title

More information

Case 2:13-cv-01887-ES-JAD Document 282-1 Filed 12/09/15 Page 1 of 18 PageID: 4861 THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW JERSEY

Case 2:13-cv-01887-ES-JAD Document 282-1 Filed 12/09/15 Page 1 of 18 PageID: 4861 THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW JERSEY Case 2:13-cv-01887-ES-JAD Document 282-1 Filed 12/09/15 Page 1 of 18 PageID: 4861 THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW JERSEY Federal Trade Commission, Plaintiff, v. Wyndham Worldwide

More information

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,

More information

MCOLES Information and Tracking Network. Security Policy. Version 2.0

MCOLES Information and Tracking Network. Security Policy. Version 2.0 MCOLES Information and Tracking Network Security Policy Version 2.0 Adopted: September 11, 2003 Effective: September 11, 2003 Amended: September 12, 2007 1.0 POLICY STATEMENT The Michigan Commission on

More information

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES The implications for privacy and security in the emergence of HIEs The emergence of health information exchanges (HIE) is widely

More information

plantemoran.com What School Personnel Administrators Need to know

plantemoran.com What School Personnel Administrators Need to know plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) by and between OUR LADY OF LOURDES HEALTH CARE SERVICES, INC., hereinafter referred to as Covered Entity, and hereinafter referred

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology RUTGERS POLICY Section: 70.2.22 Section Title: Legacy UMDNJ policies associated with Information Technology Policy Name: Information Security: Electronic Information and Information Systems Access Control

More information

CA Technologies Solutions for Criminal Justice Information Security Compliance

CA Technologies Solutions for Criminal Justice Information Security Compliance WHITE PAPER OCTOBER 2014 CA Technologies Solutions for Criminal Justice Information Security Compliance William Harrod Advisor, Public Sector Cyber-Security Strategy 2 WHITE PAPER: SOLUTIONS FOR CRIMINAL

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Effective Date: Subject Matter Experts / Approval(s): TAC: LASO: C/ISO: Front Desk: Technology Support Lead: Agency Head:

Effective Date: Subject Matter Experts / Approval(s): TAC: LASO: C/ISO: Front Desk: Technology Support Lead: Agency Head: Policy Title: Effective Date: Revision Date: Subject Matter Experts / Approval(s): TAC: LASO: C/ISO: Front Desk: Technology Support Lead: Agency Head: Every 2 years or as needed Purpose: The purpose of

More information