METROPOLITAN DAYTON EDUCATIONAL COOPERATIVE ASSOCIATION (MDECA) MONTGOMERY COUNTY SERVICE ORGANIZATION CONTROLS REPORT (SOC 1)
APRIL 1, 2014 THROUGH MARCH 31, 2015
TABLE OF CONTENTS

INDEPENDENT SERVICE AUDITOR'S REPORT
SERVICE ORGANIZATION'S ASSERTION
DESCRIPTION OF THE SERVICE ORGANIZATION'S SYSTEM
  CONTROL OBJECTIVES AND RELATED CONTROLS
  OVERVIEW OF OPERATIONS
  RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT AND MONITORING
    Control Environment
    Risk Assessment
    Monitoring
  INFORMATION AND COMMUNICATION
  GENERAL COMPUTER CONTROLS
    Development and Implementation of New Applications and Systems
    Changes to Existing Applications or Systems
    IT Security
    IT Operations
  COMPLEMENTARY USER ENTITY CONTROLS
INDEPENDENT SERVICE AUDITOR'S DESCRIPTION OF TESTS OF CONTROLS AND RESULTS
  GENERAL COMPUTER CONTROLS
    Changes to Existing Applications and Systems
    IT Security
    IT Operations
OTHER INFORMATION PROVIDED BY THE SERVICE ORGANIZATION (Unaudited)
  Information Technology Center Profile
Independent Service Auditor's Report on a Description of a Service Organization's System and the Suitability of the Design and Operating Effectiveness of Controls

Board of Directors
Metropolitan Dayton Educational Cooperative Association (MDECA)
225 Linwood Street
Dayton, OH

To Members of the Board:

Scope

We have examined MDECA's accompanying Description of its Alpha/466 system used for processing transactions for users of the Uniform School Accounting System (USAS), Uniform Staff Payroll System (USPS), and School Asset Accounting System/Equipment Inventory Subsystem (SAAS/EIS) throughout the period April 1, 2014 to March 31, 2015, and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the Description. The Description indicates that certain control objectives specified in the Description can be achieved only if complementary user entity controls contemplated in the design of MDECA's controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.

MDECA uses the State Software Development Team (SSDT), located at the Northwest Ohio Computer Association (NWOCA) service organization, for systems development and maintenance of the USAS, USPS, and SAAS/EIS application systems. The Description in section 3 includes only the controls and related control objectives of MDECA and excludes the control objectives and related controls of NWOCA. Our examination did not extend to controls of NWOCA.

Service organization's responsibilities

In section 2, MDECA has provided an Assertion about the fairness of the presentation of the Description and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the Description. MDECA is responsible for preparing the Description and the Assertion, including the completeness, accuracy, and method of presentation of both; providing the services covered by the Description; specifying the control objectives and stating them in the Description; identifying the risks that threaten the achievement of the control objectives; selecting the criteria; and designing, implementing, and documenting controls to achieve the related control objectives stated in the Description.

Service auditor's responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the Description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the Description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the Description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the Description throughout the period April 1, 2014 to March 31, 2015.

East Broad Street, Tenth Floor, Columbus, Ohio

An examination of a Description of a service organization's system and the suitability of the design and operating effectiveness of the service organization's controls to achieve the related control objectives stated in the Description involves performing procedures to obtain evidence about the fairness of the presentation of the Description and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the Description. Our procedures included assessing the risks that the Description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the Description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the Description were achieved. An examination engagement of this type also includes evaluating the overall presentation of the Description, the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described in section 3. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

The information in section 5 describing the information technology center is presented by the management of MDECA to provide additional information and is not part of MDECA's Description of controls that may be relevant to a user entity's internal control. Such information has not been subjected to the procedures applied in the examination of the Description of the controls applicable to the processing of transactions for user entities and, accordingly, we express no opinion on it.

Inherent limitations

Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions. Also, the projection to the future of any evaluation of the fairness of the presentation of the Description, or of conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives, is subject to the risk that controls at a service organization may become inadequate or fail.

Opinion

In our opinion, in all material respects, based on the criteria described in MDECA's Assertion in section 2,

a. the Description fairly presents the system that was designed and implemented throughout the period April 1, 2014 to March 31, 2015;

b. the controls related to the control objectives stated in the Description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period April 1, 2014 to March 31, 2015 and user entities applied the complementary user entity controls contemplated in the design of MDECA's controls throughout the period April 1, 2014 to March 31, 2015;

c. the controls tested, which together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the Description were achieved, operated effectively throughout the period April 1, 2014 to March 31, 2015.

Description of tests of controls

The specific controls tested and the nature, timing, and results of those tests are listed in section 4.

Restricted use

This report, including the Description of tests of controls and results thereof in section 4, is intended solely for the information and use of MDECA, user entities of MDECA's system during some or all of the period April 1, 2014 to March 31, 2015, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities' financial statements. This report is not intended to be and should not be used by anyone other than these specified parties.

Dave Yost
Auditor of State
Columbus, Ohio
May 28, 2015
Management Assertion Letter

We have prepared the description of the MDECA Alpha/466 system for user entities of the system during some or all of the period April 1, 2014 to March 31, 2015, and their user auditors who have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities of the system themselves, when assessing the risks of material misstatements of user entities' financial statements. We confirm, to the best of our knowledge and belief, that

a) the Description fairly presents the Alpha/466 system made available to user entities of the System during some or all of the period April 1, 2014 to March 31, 2015 for processing their transactions. The MDECA service organization uses the State Software Development Team (SSDT), located at the Northwest Ohio Computer Association (NWOCA) service organization, for systems development and maintenance of the USAS, USPS, and SAAS/EIS application systems. The Description includes only the controls and related control objectives of the MDECA service organization and excludes the control objectives and related controls of the NWOCA service organization. The criteria we used in making this assertion were that the Description

  i) presents how the System made available to user entities was designed and implemented to process relevant transactions, including
    1) the classes of transactions processed;
    2) the procedures, within both automated and manual systems, by which those transactions are initiated, authorized, recorded, processed, corrected as necessary, and transferred to the reports presented to user entities of the System;
    3) the related accounting records, supporting information, and specific accounts that are used to initiate, authorize, record, process, and report transactions; this includes the correction of incorrect information and how information is transferred to the reports presented to user entities of the System;
    4) how the System captures and addresses significant events and conditions, other than transactions;
    5) the process used to prepare reports or other information provided to user entities of the System;
    6) specified control objectives and controls designed to achieve those objectives;
    7) other aspects of our control environment, risk assessment process, information and communication systems (including the related business processes), control activities, and monitoring controls that are relevant to processing and reporting transactions of user entities of the System.

  ii) does not omit or distort information relevant to the scope of the System, while acknowledging that the Description is prepared to meet the common needs of a broad range of user entities of the System and the independent auditors of those user entities, and may not, therefore, include every aspect of the System that each individual user entity of the System and its auditor may consider important in its own particular environment.

b) the Description includes relevant details of changes to the service organization's System during the period from April 1, 2014 to March 31, 2015.

c) the controls related to the control objectives stated in the Description were suitably designed and operated effectively throughout the period April 1, 2014 to March 31, 2015 to achieve those control objectives, and subservice organizations applied the controls contemplated in the design of the MDECA service organization's controls. The criteria we used in making this assertion were that
  i) the risks that threaten the achievement of the control objectives stated in the Description have been identified by the service organization;
  ii) the controls identified in the Description would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the Description from being achieved; and
  iii) the controls were consistently applied as designed, including whether manual controls were applied by individuals who have the appropriate competence and authority.

Dean A. Reineke, Executive Director

METROPOLITAN DAYTON EDUCATIONAL COOPERATIVE ASSOCIATION
225 LINWOOD STREET, DAYTON, OH
SECTION 3
DESCRIPTION OF THE SERVICE ORGANIZATION'S SYSTEM
CONTROL OBJECTIVES AND RELATED CONTROLS

METROPOLITAN DAYTON EDUCATIONAL COOPERATIVE ASSOCIATION
DESCRIPTION OF THE SERVICE ORGANIZATION'S SYSTEM

MDECA's control objectives and related controls are included in Section 4 of this report, Independent Service Auditor's Description of Tests of Controls and Results, to eliminate the redundancy that would result from listing them here in Section 3 and repeating them in Section 4. Although the control objectives and related controls are included in Section 4, they are nevertheless an integral part of MDECA's description of controls.

OVERVIEW OF OPERATIONS

MDECA is one of 21 governmental computer service organizations serving more than 973 educational entities and million students in the state of Ohio. These service organizations, known as Information Technology Centers (ITCs), and their users make up the Ohio Education Computer Network (OECN), authorized pursuant to Section of the Revised Code. Such sites, in conjunction with the Ohio Department of Education (ODE), comprise a statewide delivery system that provides comprehensive, cost-efficient accounting and other administrative and instructional computer services for participating Ohio entities. Funding for this network and for MDECA is derived from the state of Ohio and from user fees.

ITCs provide information technology services to school districts, community charter schools, JVS/career and technical schools, educational service centers (ESCs) and parochial schools; however, not all entities subscribe to the same services. Throughout the remainder of the report, the term "user entity" describes an entity that uses one or more of the following applications:

  Uniform School Accounting System (USAS).
  Uniform Staff Payroll System (USPS).
  School Asset Accounting System/Equipment Inventory Subsystem (SAAS/EIS).

ITCs are organized either as consortia under ORC or as Councils of Governments (COG) under ORC 167. ORC allows school districts to create a partnership (a consortium) to resolve mutual needs. One of the members of the consortium is designated as fiscal agent. The fiscal agent provides all accounting, purchasing, and personnel services for the consortium. A COG under ORC chapter 167 allows one or more governmental entities to join together to form a new legal entity. A COG can have its own treasurer, make its own purchases, hire staff, and have debt obligations. MDECA is organized under section and is thus required to have a board of education serve as fiscal agent to receive OECN funds from the ODE. For this reason, the Montgomery County Educational Service Center (ESC) serves as fiscal agent for MDECA and performs certain functions that might otherwise be performed by the board of directors.

RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT AND MONITORING

Control Environment

Operations are under the control of the executive director and the operating committee, whose members are appointed by the MDECA board of directors. The operating committee meets monthly, with the exceptions of May and July, and is responsible for assisting the executive director in day-to-day operations and in planning the short- and long-range goals of the organization.

The board of directors is the governing body of MDECA and is composed of seven superintendents from the user entities within the four counties. The board is required to meet at least quarterly, with additional meetings as necessary. The board has also established several advisory committees to assist in the operation of MDECA.

MDECA employs a staff of 21 individuals and is supported by the following functional areas:

  Software Support: Provides end-user support and training for MDECA user entities on the state software applications, including USAS, USPS, and SAAS/EIS.
  Computer Operations: Provides a variety of educational technology services to subscribing MDECA user entities, including software and Internet access, training, technology planning, and technical assistance.
  Network Support: Supports the MDECA computer systems and its networked communication system; provides user training and support.

Staff members report directly to the managers of each of the functional areas, who in turn report to the executive director.
MDECA is generally limited to recording user entity transactions and processing the related data. User entity personnel are responsible for authorization and initiation of all transactions. Management reinforces this segregation of duties as part of its new-employee orientation process, through on-the-job training, and by restricting employee access to user data. Changes to user entity data are infrequent; however, when they do occur, MDECA must receive either an e-mail or a phone call from the user entity requesting the change. MDECA retains a log and allows only authorized MDECA employees to make the changes to user data. Only experienced MDECA staff may alter user data, and only at the request of the user entity.

MDECA follows the same personnel policies and procedures as its fiscal agent, the Montgomery County ESC. When necessary, additional MDECA policies have been developed and approved by the board of directors to address concerns of MDECA. Detailed job descriptions exist for all positions. MDECA is constantly re-evaluating its need for personnel to provide for the increasing range of services offered and to foster efficiency within its organization. The reporting structure and job descriptions are periodically updated to create a more effective organization. Employee evaluations are conducted on an annual basis. The board performs an annual evaluation of the executive director.

MDECA's hiring practices place an emphasis on the hiring and development of skilled information technology professionals. Most positions within the organization require some type of college degree in a computer-related field, and all MDECA staff members are required to attend professional development and other training as a condition of continued employment. Each staff member must attend at least twenty hours of approved professional development training annually; part-time staff members' training requirements are prorated. In addition, management encourages staff members to obtain additional training by paying 100% of the costs incurred in attending additional professional development seminars.

MDECA is also subject to ITC Site Reviews by the Technology Solutions Group of the Management Council of the Ohio Education Computer Network, MCOECN (mc tsg). These site reviews are conducted by a team consisting of an employee of the Ohio Department of Education (ODE), two current and/or former school district administrators, two current and/or former ITC directors, and one additional team member who is there to provide training to subsequent teams. Approximately three to five ITC site reviews are conducted annually. The sites chosen for review are designated by the OECN Oversight Advisory Committee as approved by ODE. The guidelines and recommended procedures for these reviews are based on the Ohio Administrative Code and cover the following areas: governance, administration, finance, personnel and staff development, physical facilities, hardware, software, user in-service, and operations. MDECA's ITC site review was completed in April.

MDECA has signed Service Level Agreements (SLAs) with its user entities for certain computer, data processing, and application services. The SLA conveys to the user entities the services provided by MDECA. The user entities agree to pay a fee based upon a fee schedule set forth by the governing board, and they agree to abide by the security policies implemented by MDECA. These SLAs took effect July 1, 2009, and remain in effect until terminated in writing by either the user entity or MDECA.
Risk Assessment

Although MDECA does not have a formal risk management process, the board of directors comprises representatives from the user entities who actively participate in the oversight of MDECA. As a regular part of its activity, the board addresses:

  New technology.
  Realignment of the MDECA organization to provide better service.
  Personnel issues, including hiring, termination, and evaluations.
  Additional services provided to user entities and other entities.
  Changes in the operating environment as a result of ODE requirements, Auditor of State (AOS) and other accounting pronouncements, and legislative issues.

In addition, MDECA has identified operational risks resulting from the nature of the services provided to the user entities. These risks are primarily associated with computerized information systems. They are monitored as described under Monitoring below and in additional detail throughout the General Computer Controls section of this report.

Monitoring

The MDECA organization is structured so that managers of each department report directly to the executive director. Key management employees have worked for MDECA for several years and are experienced with the systems and controls at MDECA. The MDECA executive director and supervisory personnel monitor the quality of internal control performance as a routine part of their activities. Hardware, software, network performance, database integrity, Internet usage, computer security and user help desk reports are monitored on an ongoing basis by departmental management. Some of these reports are run automatically through a scheduler program and sent to management via e-mail. Exceptions to normal processing related to hardware, software or procedural problems are logged and resolved daily. In addition, the executive director and the manager of systems and operations receive the same reports and monitor them for interrelated and recurring problems.

INFORMATION AND COMMUNICATION

The aspects of the information and communication component of internal control, as they affect the services provided to user entities, are discussed within the General Computer Controls sections.
GENERAL COMPUTER CONTROLS

Development and Implementation of New Applications and Systems

MDECA staff do not perform system development activities. Instead, MDECA uses the software developed and supplied by the State Software Development Team (SSDT), located at the Northwest Ohio Computer Association (NWOCA), another ITC of the OECN. The Ohio Department of Education (ODE) determines the scope of software development for state-supported applications. Tactical means of accomplishing software development priorities are determined by the Software Advisory Committee (SAC), which consists of members from the Management Council of the OECN (MCOECN), the Ohio Association of School Business Officials, the ODE and the SSDT. The SAC meets as needed to monitor SSDT projects and provide feedback on project priorities.

Changes to Existing Applications and/or Systems

End users have access to the SSDT website, which contains user and technical documentation for the applications. Specific support issues or questions can be communicated to the SSDT via helpdesk software. Solutions are communicated directly to MDECA staff. Global issues are posted to the SSDT support website.

MDECA personnel do not perform program maintenance activities. Instead, they use the applications supplied to them by the SSDT. The OECN requires the ITC to keep the version of each application current based on the provider's standard for continued support. Procedures are in place to ensure the SSDT-developed applications are used as distributed. Upon notification of their availability from SSDT, ITCs obtain quarterly updates by downloading zipped files from the SSDT's download site. The source code is not distributed with these files. Release notes, which explain the changes, enhancements and problems corrected, are provided via the SSDT website. User and system manager manuals are also made available via the SSDT website with these releases. The SSDT informs the ITCs that it will support only the latest release of the state software beginning 30 days after the software release date.

MDECA uses a software utility called OECN_INSTALL to unpack these zipped files and install each individual package into its proper OECN directory. The OECN_INSTALL utility has an INSTALL_PACKAGE procedure with several functions that install full package releases, partial releases or patches on the system. This utility ensures that all required components are installed properly and consistently.

Only vendor-supplied changes are made to the operating system or system software documentation. As a participating member of the MCOECN, an ITC can enter into a cooperative agreement, the Campuswide Software License Grant (CSLG) and Education Software Library (ESL) Program, through the MCOECN, for acquiring and/or providing software maintenance services for a limited series of Hewlett Packard (HP) and other suppliers' software packages as approved by the MCOECN board of trustees. The services acquired and/or provided by the MCOECN under the agreement include the following:

  Provide for the acquisition and distribution of software media to the participating ITCs for a limited series of HP software packages as approved by the board of trustees of the MCOECN.
  Provide telephone technical support to the participant's technical staff for a limited series of HP software packages approved by the board of trustees of the MCOECN.
  Track and maintain an accurate listing of all HP hardware and software covered under the agreement.
  Provide and maintain support on one (1) license of Process Software's Multinet TCP/IP stack for each system registered under this program.

As a participating member of the MCOECN program, the participating ITCs agree to the following:

  Maintain status as a member in good standing of the MCOECN as a qualification for participating in (or continuing to participate in) this program.
  Read, sign, and comply with the rules and regulations of the CSLG Program as operated by the MCOECN.
  Provide unrestricted privileged access to all computer systems covered under the agreement for the purposes of identifying and/or correcting problems, distributing software, or assuring licensing compliance.
  Provide HP or MCOECN representatives, upon prior written notice, with physical access to computer facilities at reasonable times during normal business hours to inspect sites and system records for compliance with the terms of the CSLG and ESL Programs.
  Make payments to MCOECN for services under the agreement within 30 days of the receipt of an invoice for said services.

Before new releases are installed at MDECA, a backup of the application or operating system affected by the change is prepared to ensure retention of the existing application or operating system in case of an error stemming from the upgrade process. Documentation for the current version of the operating system and for new releases is provided on the HP web site. New releases include documented changes to the operating system and implementation procedures. In addition, MDECA has purchased a copy of the operating system disks from INS, a third-party vendor in partnership with the MCOECN. This is part of the Technology Solutions Group program under the MCOECN (mc tsg).
This program allows the MDECA to purchase the operating system software media at a reduced cost. Current release documentation is maintained by the manager of systems and operations at the MDECA. IT Security The MDECA has several security policy and procedures documents, describing the responsibilities of user entity and MDECA staff, which are distributed to all employees and its user entities. These responsibilities include computer usage, data access, remote access and password usage guidelines. Policies are provided to MDECA staff upon hiring. Policies are provided to user entities; however, it is their responsibility to ensure users acknowledge and sign the policy, indicating their understanding and agreement to the policies. The MDECA enters into a network and Internet management contract and acceptable use policy with each of its user entities, which outlines the rights and responsibilities of MDECA and the user entities. The user entity may also have its own acceptable use policies for its users. Each subsequent year, the MDECA uses the Service Level Agreement (SLA) as the user entity s acceptance to abide by MDECA s policies. The MDECA also uses a banner screen that is displayed upon logging into the system. The screen informs the user that unauthorized system access is prohibited and users of the system expressly consent to the security policies of the MDECA. Access to the Internet has been provided to the user entities through the OECN etech network. No centralized Internet usage policy is used at the MDECA. Each user entity is responsible for its 12
17 DESCRIPTION OF THE SERVICE ORGANIZATION S SYSTEM own Internet usage policies. All documentation is maintained at the user entities. The MDECA staff is granted access within the scope of their assigned duties, but only as may be necessary to maintain the data structure, research and correct problems, and provide backup capabilities. Access is established, granted and reviewed by the executive director and documented in an authorization form. User entity staff are granted access after their superintendent and/or treasurer submits a completed access request form. These requests are sent to the MDECA staff. Upon receipt of the request, the executive director s staff appointee creates or updates the user account. An is sent to the superintendent or the treasurer and the user notifying them of the account login credentials. A user listing, including user access rights, is created weekly and made available for review on FISCWEB, a web-site accessible to the user entity treasurer or others with authorized access. For requested changes from the FISCWEB review, the MDECA staff makes the necessary change to user access rights. Security alarm messages are sent to an operator terminal that has been enabled to receive security event messages. Security audit messages are sent to the console log file and alarms to the operator log file. Access to the console log and the operator log is limited to data processing personnel. The following detection control audits and/or alarms have been enabled through the operating system to monitor any security violations: ACL: AUTHORIZATION: Gives file owners the option to selectively alarm certain files and events. Read, Write, Execute, Delete, or Control modes can be audited. Enables monitoring of changes made to the system user authorization file or network proxy authorization file in addition to changes to the rights database. AUDIT: Enabled by default to produce a record of when other security alarms were enabled or disabled. 
BREAK-IN: Produces a record of break-in attempts. The DIALUP, LOCAL, REMOTE, NETWORK, DETACHED, and SERVER break-in types can be monitored.
LOGIN: Produces a record of login attempts. The DIALUP, LOCAL, REMOTE, NETWORK, DETACHED, and SERVER login types can be monitored.
LOGFAILURE: Provides a record of logon failures. The BATCH, DIALUP, LOCAL, REMOTE, NETWORK, SUBPROCESS, DETACHED, and SERVER logon failure types can be monitored.
FILE ACCESS: Provides a record of file access attempts.

A batch-processed command procedure executes each night to extract any security violations from the system audit journal and creates summary and detail reports. Log events deemed suspicious are further investigated by the manager of systems and operations to determine the exact nature of the event and the necessary corrective action.

Each year, MDECA performs a positive confirmation of accounts in which each user entity signs off on the District Usernames and Identifiers report. This sign-off form indicates the treasurer has reviewed the report and approved of the accounts and privileges assigned to the individual user accounts. The MDECA follows up with those user entities that do not reply to the confirmation request. The MDECA completed confirmation of all its user entities in June 2014.

The MDECA utilizes MailMarshal Anti-Virus software on the MailMarshal servers to scan all inbound and outbound e-mail. E-mail is then passed to the Alpha server, which then passes it to the user's mailbox. If a virus is found, the e-mail is quarantined and the MDECA support staff and recipient are sent e-mails informing them of the infected e-mail. Virus definitions are updated daily as part of the startup process.

All traffic through the filtered and unfiltered proxy servers is logged on a regular basis. The logs are maintained on the system and may be provided to user entity officials upon request. Because of their volume and size, the logs are not reviewed on a regular basis. Instead, they are used for tracking Internet activity in the event a problem arises. The logs track the internal 10-dot address originating the web access, the date and the accessed web address.

In addition, the firewalls and routing devices deny inbound traffic unless the IP address originated from inside the network. Instead, requests are routed to a proxy server located in each network segment that serves to filter all Internet access. The Internet filter service retrieves requests from the Internet for the typical user. Permission to bypass the proxy server requires management authorization. The firewall and routers also prevent all outside connections from accessing inside hosts or servers, unless the IP address originated from inside the network. All denied inbound and outbound Internet access is logged and e-mailed to a programmer/analyst, who reviews the reports for potential security violations and other unauthorized or inappropriate activity on a daily basis. The outbound denials report lists failed attempts to bypass the MDECA firewall.
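The nightly extraction of security violations from the audit journal into summary and detail reports, described above, can be illustrated with a small parser. This is an added example written for this page, not MDECA's command procedure or any operating-system tool: the record layout, the sample audit lines, the node and user names and the follow-up thresholds are all constructed; only the event classes (BREAK-IN, LOGFAILURE, LOGIN, ACL, AUTHORIZATION) come from the list above.

```python
"""Nightly security-violation extract, as the batch procedure in this
section is described: read audit records, produce a summary by event
class and login type plus a detail list, and flag entries that warrant
the manager's follow-up.

Added example, not MDECA's procedure. Record layout and sample lines
are constructed; thresholds (3 failures within 10 minutes) are assumed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed audit journal extract: timestamp, event class, login type,
# source node/terminal, username, status text.
SAMPLE_AUDIT = """\
2015-05-12 01:10:03 LOGFAILURE NETWORK node=WKST01 user=JSMITH status=invalid-password
2015-05-12 01:10:41 LOGFAILURE NETWORK node=WKST01 user=JSMITH status=invalid-password
2015-05-12 01:11:05 LOGFAILURE NETWORK node=WKST01 user=JSMITH status=invalid-password
2015-05-12 01:11:30 BREAK-IN NETWORK node=WKST01 user=JSMITH status=evasion-started
2015-05-12 07:58:12 LOGIN LOCAL node=OPA0 user=SYSMGR status=success
2015-05-12 08:02:44 AUTHORIZATION LOCAL node=OPA0 user=SYSMGR status=sysuaf-modified
2015-05-12 09:15:00 LOGFAILURE DIALUP node=TTA2 user=PAYROLL status=invalid-password
2015-05-12 09:40:21 ACL LOCAL node=TTA3 user=TREAS05 status=alarm-write-denied
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<event>[A-Z\-]+) (?P<subtype>[A-Z]+) "
    r"node=(?P<node>\S+) user=(?P<user>\S+) status=(?P<status>\S+)"
)

def parse(text):
    """Turn the extract into a list of dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            records.append(d)
    return records

def summary(records):
    """Counts per (event class, login type), as the summary report would show."""
    return Counter((r["event"], r["subtype"]) for r in records)

def suspicious(records, fail_limit=3, window=timedelta(minutes=10)):
    """Detail list needing follow-up: every BREAK-IN, AUTHORIZATION or ACL
    alarm, and any node/user with >= fail_limit LOGFAILUREs inside window."""
    flagged = [r for r in records if r["event"] in ("BREAK-IN", "AUTHORIZATION", "ACL")]
    by_source = defaultdict(list)
    for r in records:
        if r["event"] == "LOGFAILURE":
            by_source[(r["node"], r["user"])].append(r)
    for recs in by_source.values():
        recs.sort(key=lambda r: r["ts"])
        for i in range(len(recs) - fail_limit + 1):
            if recs[i + fail_limit - 1]["ts"] - recs[i]["ts"] <= window:
                flagged.extend(recs[i:i + fail_limit])
                break
    # Detail report in time order, one line per record.
    seen, out = set(), []
    for r in sorted(flagged, key=lambda r: r["ts"]):
        key = (r["ts"], r["event"], r["node"], r["user"])
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out

if __name__ == "__main__":
    recs = parse(SAMPLE_AUDIT)
    for (event, subtype), n in sorted(summary(recs).items()):
        print(f"{event:14s} {subtype:8s} {n}")
    for r in suspicious(recs):
        print(r["ts"], r["event"], r["node"], r["user"], r["status"])
```

The single DIALUP failure from TTA2 appears in the summary counts but not in the follow-up list; the three clustered failures from WKST01 and the BREAK-IN that followed them do, together with the authorization-file change and the ACL alarm.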
The inbound denials report lists all failed attempts to access the MDECA network via the Internet. The firewall has been configured for remote operation. Alteration of the configuration files requires that an individual know the proper IP address and a series of passwords before remote access is possible. Only a few MDECA staff have been provided the passwords for the firewall. Alteration of the configuration files of the equipment is performed by the network/Internet specialist. Additionally, a daily report is sent from the PaloAlto firewall to the MDECA staff that includes all possible threats to the network.

Primary logical access control to the HP computers is provided by the security provisions of the operating system. This includes access to data, programs and system utilities. When a user logs in to use the operating system interactively, or when a batch or network job starts, the operating system creates a process which includes the identity of the user. The operating system manages access to the process information using its authorization data and internal security mechanisms.

A proxy login enables a user logged in at a remote node to be logged in automatically to a specific account at the local node, without having to supply any access control information. A proxy login differs from an interactive login because an interactive login requires a user to supply a user name and password before the user can perform any interactive operations. Proxy records are located in the proxy file. The MDECA does not utilize proxy logins.

User identification codes (UICs) are individually assigned to all data processing personnel employed at the MDECA. For user entities which use the MDECA system, UIC groups are assigned by user entity and UIC member numbers are unique to each user. UICs are assigned at the user entities' request. UIC-based protection controls access to objects such as files, directories, and volumes.
Associated with each object recognized by the operating system may be an Access Control List (ACL) that specifies the access rights of specific users and the actions to be taken when unauthorized access attempts are made to those resources. The use of ACLs is an optional security measure that provides a larger number of potential user groupings than UIC groups. An ACL allows a user to share files across UIC user groups. When a request is made to access a resource, ACLs are always checked first. An ACL may either grant access to the user requesting it or deny access. When an ACL fails to specifically grant access, or if the object does not have an ACL, the UIC is checked. In UIC protection, the relationship between the user's UIC and the object's UIC determines whether access is granted. When the ACL denies access, access may still be granted through the UIC if the user is assigned to the SYSTEM or OWNER category.

Certain limited access accounts require a less restrictive environment than captive accounts. Accounts under which network objects run, for example, require temporary access to DCL. This restricts command line access. All accounts, except MDECA staff accounts, are set up with the RESTRICTED flag. The RESTRICTED flag restricts a user to a login command procedure, but allows the execution of sub-processes (e.g., other programs which may be started from within the login command procedure) within the DCL environment.

Each user is subject to a minimum password length established by management. The system forces users to periodically change their passwords. The MDECA sets passwords to expire when a new user identification code is issued or when a user has forgotten his password. This parameter requires the user to change his password during the next logon procedure.

The operating system has system parameters which, when set appropriately, control and monitor logon attempts. These include the following:

- The terminal name is part of the association string for the terminal mode of break-in detection.
- The user is restricted in the length of time they have to correctly enter a password on a terminal on which the system password is in effect.
- The number of times a user can try to log in over a phone line or network connection. Once the specified number of attempts has been made without success, the connection is terminated.
- The length of time allowed between login retry attempts after each login failure.
- The length of time a user terminal, or node, is permitted to attempt a logon before the system assumes that a break-in attempt is occurring and evasive action is taken. The period for which evasive action is taken is variable and will grow as further logon failures are detected from the suspect source.
- The number of retry attempts allowed for users attempting to logon before evasive action, which consists of refusing to allow any logons during a designated period of time.

System parameter standards have been established through the use of HP established defaults. Any changes are logged and reviewed by the executive director and manager of systems and operations.

A timeout program, HITMAN, is used to monitor terminal inactivity and log off inactive users after a predetermined period of non-use. The use of this program helps to reduce the risk of an unattended terminal being used to enter unauthorized transactions. Also, timeout programs aid in the efficient use of system resources by maintaining connectivity with only active system users.
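How the login-failure parameters listed above work together (failures counted inside a window, a connection dropped after a fixed number of tries, and an evasion period that refuses all logons and grows with further failures) is easier to see in a simulation. The following is an added example written for this page, not MDECA's configuration or operating-system code. The constant names follow the OpenVMS LGI_* system parameters, which the text refers to only descriptively; the values assigned to them here are constructed for the example and are not MDECA's settings (the text says MDECA uses the vendor defaults). The source key (terminal or node plus username) mirrors the "association string" the first list item describes.

```python
"""Simulation of break-in detection and evasion as described in this
section. Added example; parameter values are constructed, not MDECA's.
"""
from dataclasses import dataclass, field

LGI_BRK_LIM = 5      # failures from one source that trigger evasion (constructed)
LGI_BRK_TMO = 300    # seconds within which those failures are counted (constructed)
LGI_HID_TIM = 300    # base evasion period in seconds (constructed)
LGI_RETRY_LIM = 3    # password tries allowed on one network/dialup connection (constructed)

@dataclass
class Source:
    failures: list = field(default_factory=list)   # timestamps of recent failures
    evade_until: float = 0.0                        # logons refused before this time
    evasions: int = 0                               # how often evasion was (re)triggered

class LoginMonitor:
    """Tracks failures per source key, e.g. ("WKST01", "JSMITH")."""

    def __init__(self, now=0.0):
        self.now = now          # simulated clock in seconds
        self.sources = {}

    def _src(self, key):
        return self.sources.setdefault(key, Source())

    def is_evading(self, key):
        return self._src(key).evade_until > self.now

    def _start_or_extend_evasion(self, s):
        # Each further failure lengthens the evasion period, as the text states.
        s.evasions += 1
        s.evade_until = self.now + LGI_HID_TIM * s.evasions
        s.failures.clear()

    def attempt(self, key, password_ok):
        """Process one logon attempt; returns 'ok', 'fail' or 'evade'."""
        s = self._src(key)
        if s.evade_until > self.now:
            # Evasive action: refused even with correct credentials.
            self._start_or_extend_evasion(s)
            return "evade"
        if password_ok:
            s.failures.clear()
            return "ok"
        # Only failures inside the window count toward the limit.
        s.failures = [t for t in s.failures if self.now - t <= LGI_BRK_TMO]
        s.failures.append(self.now)
        if len(s.failures) >= LGI_BRK_LIM:
            self._start_or_extend_evasion(s)
            return "evade"
        return "fail"

def connection(monitor, key, tries):
    """One network/dialup connection: at most LGI_RETRY_LIM password tries,
    then the connection is terminated. Returns the list of outcomes."""
    out = []
    for ok in tries[:LGI_RETRY_LIM]:
        result = monitor.attempt(key, ok)
        out.append(result)
        if result != "fail":
            break
    return out

if __name__ == "__main__":
    m = LoginMonitor()
    for t in range(6):
        m.now = float(t)
        print(t, m.attempt(("WKST01", "JSMITH"), False))
    m.now = 6.0
    print("correct password during evasion:", m.attempt(("WKST01", "JSMITH"), True))
```

The point a reviewer of these parameters cares about is the last line: once a source is under evasion, a correct password is still refused, and the refusal itself extends the evasion period, which is why the text says the period "will grow as further logon failures are detected from the suspect source".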
Users must provide a valid username and password to authenticate to the USAS and USPS web applications. The SSDT developed a program called the OECN_RPC (Remote Procedure Call) service which, in conjunction with the Universal Service Provider (USP) created by Hewlett Packard, allows users to authenticate through an XML interface using standard authentication policies. If authentication is successful, the RPC service impersonates the user by acquiring the security profile of the authenticated user (i.e., default privileges and security identifiers). Once the RPC has acquired the corresponding security profile, the operating system process has the same security rights as the authenticated user. The network client then provides a code indicating the user entity data to be used. The RPC service uses the user entity code to define logical definitions that associate the server process with the desired user entity data.

Only default privileges from the user's profile record are enabled during a session. The session does not enable any authorized privileges. Therefore, when the service process accesses data files, the user's default login security profile is used. A user can select predefined OECN software functions that are available to the OECN RPC service (for example, USAS functions for posting a requisition). When the user has finished using the respective web application, the logout button is clicked to disconnect. Alternatively, the session may disconnect automatically after the configured inactivity timeout.

The MDECA runs the Uniform School Accounting System Data Warehouse (USASDW) on a SQL server running Microsoft SQL software. This application is utilized by the user entities for read-only access to processed purchase orders, invoices, checks, vendor tracking and receipts. All user accounts belonging to user entities are assigned the same user ID as their system account.
Access for database management purposes is limited to one MDECA employee.

The system directory contains security files that control the security parameters for the system. When a user attempts to gain access to an object, such as a file or directory, the system compares the user's UIC to the owner's UIC for that object. In UIC-based protection, the relationship between the user's UIC and the object's UIC determines whether access is granted. Owner relationships are divided into four categories:

SYSTEM: Any of the following: (1) users with a UIC group number between 1 and MAXSYSGROUP (default decimal 8, octal 10); (2) users with system privileges; (3) users with group privileges whose UIC group number matches the UIC group number on the object; (4) users whose UIC matches the owner UIC of the volume on which the file is located.
OWNER: Users with the same UIC as the object's owner.
GROUP: Users with the same UIC group number as the object's owner.
WORLD: All users, including those in SYSTEM, OWNER, and GROUP.

Through the protection code, each category of users can be allowed or denied read, write, execute, and delete access. The default file protection is: (1) SYSTEM having read, write, execute, and delete capabilities; (2) OWNER having read, write, execute and delete capabilities; (3) GROUP having read and execute capabilities; and (4) WORLD having no access capabilities.

Certain privileges can override all UIC-based and ACL protection. The operating system analyzes the privileges included in the user's authorization record and places the user in one of seven categories depending on which privileges have been granted to the user. Default privileges are those authorized privileges that are automatically granted at login. If an authorized privilege is not a default privilege, it will not automatically be effective at login, and must be enabled or disabled by the user. All user entity personnel have NORMAL privileges.
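The access decision described in the ACL paragraph earlier in this section and in the four ownership categories above (ACL checked first; an ACL denial that SYSTEM or OWNER can still override through the UIC; the protection code per category; privileges that override everything) is modelled below. This is an added example written for this page, not MDECA's or the operating system's code. The UICs, objects and ACL entries are constructed. The privilege names SYSPRV, GRPPRV and BYPASS are the operating-system privilege names assumed here for "system privileges", "group privileges" and the override the text mentions; the BYPASS name also appears later in this description.

```python
"""Model of UIC/ACL protection as this section describes it.
Added example; names and sample data are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

MAXSYSGROUP = 0o10   # default: groups 1..8 (octal 10) fall in the SYSTEM category

@dataclass(frozen=True)
class UIC:
    group: int
    member: int

@dataclass
class User:
    uic: UIC
    privileges: frozenset = frozenset()   # assumed privilege names, e.g. {"BYPASS"}

@dataclass
class ACE:
    """One access control entry: identifier it applies to and modes granted.
    An empty grant set is an explicit denial for that identifier."""
    uic: UIC
    grant: frozenset

@dataclass
class Obj:
    owner: UIC
    protection: dict                     # category -> allowed modes among R, W, E, D
    acl: list = field(default_factory=list)
    volume_owner: Optional[UIC] = None

# Default file protection from the text: S:RWED O:RWED G:RE W:(none)
DEFAULT_PROTECTION = {
    "SYSTEM": frozenset("RWED"),
    "OWNER": frozenset("RWED"),
    "GROUP": frozenset("RE"),
    "WORLD": frozenset(),
}

def categories(user, obj):
    """Ownership categories the user falls into for obj (WORLD always)."""
    cats = {"WORLD"}
    if user.uic == obj.owner:
        cats.add("OWNER")
    if user.uic.group == obj.owner.group:
        cats.add("GROUP")
    if (1 <= user.uic.group <= MAXSYSGROUP
            or "SYSPRV" in user.privileges
            or ("GRPPRV" in user.privileges and user.uic.group == obj.owner.group)
            or (obj.volume_owner is not None and user.uic == obj.volume_owner)):
        cats.add("SYSTEM")
    return cats

def uic_allows(user, obj, mode):
    """Protection-code check: any category the user is in may grant the mode."""
    return any(mode in obj.protection.get(c, frozenset()) for c in categories(user, obj))

def access_allowed(user, obj, mode):
    """Decide whether user may perform mode ('R', 'W', 'E' or 'D') on obj."""
    if "BYPASS" in user.privileges:
        return True                      # privilege overrides ACL and UIC protection
    for ace in obj.acl:                  # ACLs are always checked first
        if ace.uic == user.uic:
            if mode in ace.grant:
                return True              # ACL specifically grants access
            # ACL denies: only SYSTEM or OWNER may still get in through the UIC
            return bool(categories(user, obj) & {"SYSTEM", "OWNER"}) and uic_allows(user, obj, mode)
    # No matching entry, or no ACL at all: fall through to UIC protection
    return uic_allows(user, obj, mode)

if __name__ == "__main__":
    ledger = Obj(owner=UIC(200, 1), protection=dict(DEFAULT_PROTECTION),
                 acl=[ACE(UIC(300, 1), frozenset("R"))])
    for who, uic in [("owner", UIC(200, 1)), ("group member", UIC(200, 7)),
                     ("ACL reader", UIC(300, 1)), ("outsider", UIC(300, 2)),
                     ("system group", UIC(4, 1))]:
        print(who, "".join(m for m in "RWED" if access_allowed(User(uic), ledger, m)) or "-")
```

Running the block shows the consequence of the default protection the text gives: an outsider with no ACL entry gets nothing, a group member gets read and execute only, and an ACL entry lets a user from another UIC group read a file without changing its protection code.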
Wireless access at MDECA is limited to web and e-mail services (intended for training purposes and MDECA guests). A wireless access point is set up with a Wi-Fi Protected Access (WPA) key. The user must enter the key in order to access the network.

Access to specific packages is provided by granting the appropriate operating system identifiers to authorized users. Each application package has a set of unique identifiers that permit access to programs. In addition to the standard identifiers for each package, a pass-through identifier can be used to further customize access. The OECN_SYSMAN identifier (defined by the state software applications and consistent for all ITCs) and the BYPASS privilege (defined by the operating system) grant access to all application packages. The OECN_SYSMAN identifier or the BYPASS privilege is used to grant users the same access to software functions without having to grant each individual identifier. The OECN_SYSMAN identifier and BYPASS privilege do not grant access to data.

To limit access to security files, MDECA has limited WORLD access to the system file, which contains account information identifying which users are allowed access to accounts on the system; the proxy file, which contains proxy account information identifying which remote users are allowed access to proxy accounts on the system; and the rights file, which contains the names of the reserved system identifiers and the identifiers for each user. In addition, the MDECA does not have an alternate user authorization file that can be used in place of the original default user authorization file. The write and delete access capabilities are not activated for WORLD access to the files in the system directories. The UIC associated with each of these files is within the MAXSYSGROUP number.

User entities have been set up with sub-networks that have addresses not recognizable to the Internet, known as private internal networks.
Firewall equipment and additional routing devices deny all outbound traffic requests originating from the sub-network. In addition, the firewalls and routing devices deny inbound traffic unless the IP address originated from inside the network. Instead, requests are routed to a proxy server located in each network segment that serves to filter all Internet access. The Internet filter service retrieves requests from the Internet for the typical user. Permission to bypass the proxy server requires management authorization. The firewall and routers also prevent all outside connections from accessing inside hosts or servers, unless the IP address originated from inside the network.

The firewalls have been configured for remote operation. Alteration of the configuration files requires that an individual know the proper IP address and a series of passwords before remote access is possible. Only a few MDECA staff have been provided the passwords for the firewalls. Alteration of the configuration files of the equipment is performed by the network/Internet specialist.

There is one CISCO PIX (Private Internet Exchange) box between MDECA and the Internet. Additionally, a PaloAlto 5050 firewall, which is a layer 7 firewall, provides anti-virus, threat prevention, intrusion detection and prevention, and traffic shaping (all in real time). Reports are received daily and reviewed daily. Adjustments are made to the appliance accordingly (e.g., block IPs, drop connections). This firewall sits between MDECA's network and the PIX.

The computer room is located within the MDECA offices. The building is secured by two locked doors and an alarm system and is restricted to employees with an assigned access card. Additionally, four MDECA employees have been given the master code to unlock the doors should the need arise during normal business hours (arrival of large group trainings, etc.).
Data processing personnel are present at all times should the doors be unlocked for brief periods during the normal work day. These outside doors remain locked during non-work hours and the alarm is set. The computer room area remains locked at all times and is secured by the card scan system, which is part of the alarm system. Card access to this area is limited to the technical staff and administration. The building is secured throughout by motion detectors and by monitoring (video and sound) by a third party vendor during non-business hours.
The following items assist in controlling the computer room to protect it from adverse environmental conditions:

- Fire protection system (heat ion removal).
- Halon fire extinguisher.
- Raised floor with water sensor devices.
- Heat alarm in the event the temperature exceeds a preset level.
- Smoke detectors.
- Uninterrupted Power System (UPS) device for controlled electric supply and 2 ½ hours of battery backup during an electrical outage.
- Generator and automatic transfer switch as an alternate power source during a prolonged electrical outage.

All detection devices are connected to the alarm system, thereby alerting alarm system personnel as necessary to access the video tracking and/or contact the MDECA.

IT Operations

Traditional computer operations procedures are minimal because users at the user entities initiate all application jobs and are primarily responsible for ensuring the timeliness and completeness of processing. All MDECA employees have a procedures manual, which provides directions and guidelines for most of the operational functions performed by the MDECA staff. They also have access to operations procedures manuals for the system. End users have access to the SSDT website, which contains user and technical documentation for the applications. Specific support issues or questions can be communicated to the SSDT via helpdesk software. Solutions are communicated directly to MDECA staff. Global issues are posted to the SSDT support website.

Certain routine batch jobs can be initiated at the MDECA for system maintenance. The MDECA is responsible for some operational tasks, including system backups, log reports, and other maintenance directed at the system as a whole. The MDECA utilizes an automated application, SUBMITALL, which schedules and performs these tasks. This application continually submits jobs on the Alpha system.
The manager of systems and operations monitors the system for hardware errors throughout the day using an operating system command. Using this command throughout the day, the manager of systems and operations reviews the log for hardware errors. If an error is detected, the manager of systems and operations utilizes either DEC EVENT or ANALYZER to obtain details about the problem. If the problem cannot be resolved, HP will be contacted for system diagnosis. If necessary, an HP field technician will perform an on-site visit to resolve the problem.

Common problems that arise daily, such as terminal lockups and program crashes, are usually handled by the MDECA service representatives over the phone and may not be documented if the problem was minor. However, most problems are still logged through a Work Order Log and filed by the manager of systems and operations. Changes to data requested by user entities are entered into the CA Unicenter statewide help desk. In addition to documented tracking through the help desk, any generated hard copy documentation pertaining to the request is filed according to the associated ticket number from the entry into the help desk.

The MDECA has a hardware maintenance agreement with Service Express, Inc. for the system and a maintenance agreement with DataServ for the network, including routers, network cards and other network peripherals.
The MDECA uses PRTG (Paessler Router Traffic Grapher) to monitor its network systems. PRTG shows all the user entity sites on a system screen. It utilizes a ping procedure to detect system problems. The application sends a ping out to determine if devices are active. If the ping does not receive a response from a certain device, the device is highlighted in red on the screen and an e-mail is sent to the MDECA staff. The level of the problem determines the action taken by the MDECA staff. If the problem is major, such as a malfunctioning router, the MDECA will contact the user entity to resolve the matter as quickly as possible. For minor problems, such as a switch device, the MDECA will prioritize and schedule maintenance.

In addition, network and Internet traffic is monitored on a regular basis. The tools used to monitor traffic on the router and firewalls are typically used for troubleshooting purposes only. The M86 system compiles performance reports which are sent daily to a programmer/analyst via e-mail. These reports are monitored to make sure the servers are operating properly and can handle the volume of requests being made.

The MDECA helps prevent data file corruption through the use of ANLNDX.COM, which is run through SUBMITALL. ANLNDX.COM scans all files weekly to verify all files are readable (e.g., no bad blocks, sectors or chains). Data integrity is maintained by the software through the use of validity checks of all input. Any problems discovered by the ANLNDX program are written to a log report that is reviewed by the manager of systems and operations.

The MDECA follows the guidelines of the OECN for backing up system data and programs. Full system backups are performed Sunday through Saturday for all computer systems. Backups for the system are maintained on an 84-day rotation cycle. All data required by law to be maintained for a specific duration is maintained by the MDECA.
Calendar and fiscal year end information is stored for up to ten years for all user entities. Full data backups are taken off-site daily to the storage facility at the Montgomery County ESC. On the second and fourth Friday of each month, a stand-alone system backup is also performed. This backup is also stored off-site. The stand-alone backup contains everything on the system, including the operating system, system files, documentation, programs, and data files.

Each day, the manager of systems and operations reviews the backup log from the console screen in the computer room to ensure the previous night's backup was successful. The log is reviewed for a recorded pass date that indicates the backup of each system disk was successful. This occurs for all nineteen disks on the system. A summary screen is utilized to show the successful backup of all disks on the system. MDECA also backs up its Windows network daily with Data Protector software that runs on the Windows server. Tapes are kept in the computer room in a tape library and are rotated on the same schedule as the Alpha tapes.

The MDECA uses two off-site storage facilities: Montgomery County ESC (MCESC) and the Miami Valley Regional Center (MVRC). Each night, a full data backup is performed and these backup tapes are taken to the MCESC, which is located approximately 1.5 miles from MDECA. These backups are stored in a locked cabinet. The backup tapes are taken each Friday to the MVRC and stored in a fireproof locked safe, which is located approximately 5 miles from MDECA. Only the MDECA staff has access to each of these storage locations. Tapes are kept off-site indefinitely after year end processing. The daily backup tapes fall into the 84-day rotation as permanent copies are made and additional system backups occur. In addition, all data processing equipment is covered under an insurance policy.
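The daily backup-log review described above (a recorded pass date for each of the nineteen disks, rolled up into one summary) is the kind of check that is worth automating, because the failure modes are a disk that failed and a disk that simply has no record for the night, and a stale pass from an earlier night must not count. The following is an added example written for this page, not MDECA's console output or tooling; the log line format, disk names and dates are constructed, and only the disk count follows the text.

```python
"""Daily backup-log review: every system disk must show a PASS for the
night under review; a FAIL or a missing/stale record is a problem.
Added example; log format, disk names and dates are constructed.
"""
from datetime import date, timedelta

# Constructed names for the nineteen system disks mentioned in the text.
SYSTEM_DISKS = [f"DISK${i:02d}" for i in range(1, 20)]

def build_sample_log(night):
    """Constructed log for one night: 17 passes, one failure, one disk whose
    only record is a stale pass from the night before."""
    lines = [f"{d} PASS {night.isoformat()}" for d in SYSTEM_DISKS[:17]]
    lines.append(f"DISK$18 FAIL {night.isoformat()}")
    lines.append(f"DISK$19 PASS {(night - timedelta(days=1)).isoformat()}")
    return "\n".join(lines)

def parse_log(text):
    """Map disk -> list of (date, status) from 'DISK STATUS YYYY-MM-DD' lines."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        disk, status, day = parts
        records.setdefault(disk, []).append((date.fromisoformat(day), status))
    return records

def review(text, night, disks=SYSTEM_DISKS):
    """Return (all_ok, problems) where problems maps disk -> reason.
    Only records dated the night under review are considered."""
    records = parse_log(text)
    problems = {}
    for disk in disks:
        statuses = [s for d, s in records.get(disk, []) if d == night]
        if not statuses:
            problems[disk] = "no record for the night reviewed"
        elif "PASS" not in statuses:
            problems[disk] = "backup failed"
    return (not problems, problems)

if __name__ == "__main__":
    night = date(2015, 5, 11)
    ok, problems = review(build_sample_log(night), night)
    print("all disks successful" if ok else f"follow up: {problems}")
```

The summary screen the text describes corresponds to the first element of the tuple; the second is the detail the manager would act on.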
COMPLEMENTARY USER ENTITY CONTROLS

The applications were designed with the assumption that certain controls would be implemented by user entities. This section describes additional controls that should be in operation at the user entities to complement the controls at the ITC. User auditors should consider whether the following controls have been placed in operation at the user entity:

1. User entities should have controls over their own web applications which access their data stored at the MDECA.
2. User entity management should have practices to ensure users are aware of the MDECA security policies and that the users take precautions to ensure passwords are not compromised.
3. User entity management should immediately request the MDECA to revoke the access privileges of user entity personnel when they leave or are otherwise terminated.
4. User entity management should have a procedure for confirming user accounts and access rights as requested by MDECA.
5. User entity management should retain signed copies of the authorization form for new user accounts and utilize the monthly reports generated by the MDECA to manage their user accounts.
6. User entities should have documented acceptable use policies to define the activities deemed appropriate for use of the Internet. Internet users should be required to accept the terms of the policy before access is provided.
7. User entities should have antivirus software that is updated regularly.
8. Access privileges should only be issued to authorized users who need access to computer resources to perform their job function.
9. PCs and terminals should be protected against damage or misuse by having separate areas, either independent rooms or sections of rooms, that restrict access to only authorized individuals.
10. Communication lines, junctions and modems should be secured in an area that restricts access to only authorized individuals.
11. User entity wireless networks should be secured via encryption.
12. The user entity should establish and enforce a formal data retention schedule with MDECA for the various application data files.
13. The user entity should have a policy for retention of source documents for an adequate period to ensure data can be re-entered in the event that data files are destroyed prior to being backed up and rotated off-site.

The complementary user entity controls presented above do not represent a comprehensive set of all the controls that should be employed by user entities. Other controls may be required at the user entity.
SECTION 4 - INDEPENDENT SERVICE AUDITOR'S DESCRIPTION OF TESTS OF CONTROLS AND RESULTS

This section is intended to provide interested parties with information sufficient to obtain an understanding of those aspects of the MDECA's internal control that may be relevant to user entities' internal control, and to reduce the assessed level of control risk below the maximum for certain financial statement assertions. The broad objectives of data processing controls should be achieved by a combination of the procedures that are employed in various segments of the transaction processing system, for example procedures performed at the MDECA and procedures performed at user entities that utilize the MDECA. For each of the control objectives listed below, only those controls which contribute to the attainment of the related control objective are described and were tested.
GENERAL COMPUTER CONTROLS

Changes to Existing Applications and Systems

Changes to Existing Applications and Systems - Control Objective: Change Requests - Requests for application program changes or system upgrades should be appropriately considered and processed.

Control Procedures:
- In order to maintain continued support of the application software provided by SSDT, ITCs are required to install new releases within 30 days of the software release date.
- The SSDT distributes release notes explaining the changes, enhancements and problems corrected. Updated user and system manuals for the applications are also made available.
- Documentation for the current version of the operating system and new releases is provided on the HP web site.

Test Descriptions:
- A cyclic redundancy check (CRC) of the USAS, USPS, and SAAS/EIS program object files for each application at MDECA was compared to the CRCs of the object files at SSDT.
- Inspected the documentation and inquired with the manager of systems and operations regarding its availability.
- Inspected the online manuals for the operating system at the HP web site.

Test Results: Control Objective Has Been Met.
IT Security

IT Security - Control Objective: Security Management - Management should ensure the implementation of access control policies, which are based on the level of risk arising from access to programs and data.

Control Procedures:
- Authorization via an access request form from the appropriate level of user entity management is required before setting up a user account on the system.
- User entities are requested to confirm user accounts annually with a positive confirmation to MDECA. The MDECA tracks the status of the confirmation and follows up with a reminder message to facilitate a response from the user entity.

Test Descriptions:
- Sampled 14 of 138 new user accounts with an OECN identifier and inspected the supporting access request forms to confirm they were authorized by user entity management.
- Inspected the following information to confirm user accounts are periodically confirmed by the user entity: the e-mail to all user entities requesting account confirmation and the follow-up e-mail to those that did not respond initially; the checklist kept by the executive director; examples of returned confirmations.

Test Results: Control Objective Has Been Met.

The following user entities did not respond to the positive confirmation request:
Cincinnati Technology Academy
City Day Community Schools
Columbus Performance Academy
Columbus Prep and Fitness
Dayton Regional STEM School
General Chappie James Leader
Miami Valley Academies
Middletown Fitness and Prep Academy
Mount Healthy Prep and Fitness
Northland Prep and Fitness
Performance Academy of Eastland
Richard Allen Dayton Preparatory
Richard Allen Academy II
Richard Allen Academy
Richard Allen III
Springfield Academy of Excellence
Springfield Prep and Fitness
Toledo Preparatory and Fitness Academy
Trotwood Fitness and Prep Academy
Whitehall Preparatory and Fitness
IT Security - Control Objective: Security Management - Management should ensure the implementation of access control policies, which are based on the level of risk arising from access to programs and data.

Control Procedures:
- Tracking of security-related events, such as break-in attempts and excessive login failures, is enabled through the operating system. Security violations are extracted, compiled into summary and detailed security reports, and e-mailed to the manager of systems and operations daily through command procedures on the system.
- Anti-virus software scans all inbound e-mail on the MailMarshal servers before the mail is forwarded to the Alpha server. Definitions are updated automatically and infected items are quarantined to help prevent and detect computer viruses.

Test Descriptions:
- Inspected the enabled security audits and alarms report. Inspected the following information to confirm the reports are generated and inspected daily: an example of the security monitor reports for 5/12/15; the command procedure utilized to generate and e-mail the reports to the manager of systems and operations.
- Inspected properties of the MailMarshal console to confirm active virus protection, including updates to definition files and that incoming traffic is scanned for viruses and spam.

Test Results: Control Objective Has Been Met.

IT Security - Control Objective: System Level Access Controls - Access to the computer system, programs, and data should be appropriately restricted.

Control Procedures:
- Use of wild card characters in proxy accounts is restricted to ensure proxy accounts are defined not to allow blanket access.

Test Descriptions:
- Inspected the proxy listing to confirm wild card characters are not used.

Test Results: Control Objective Has Been Met. A wild card character (*) was used for the UMP_Servers, which are now out of service.
Control Procedure: Password parameters are in place to aid in the authentication of user access to the production system. Passwords used by individual profiles agree with the password policies established by MDECA.
Test Description: Extracted information from the system user authorization file to identify:
- User accounts with a password minimum length less than the MDECA standard
- User accounts with a password lifetime greater than the MDECA standard
Inspected the accounts and inquired with the manager of systems and operations about the appropriateness of the listed accounts.
Test Result: Control Objective Has Been Met. No accounts had a password length less than the established value. There were 337 accounts of 2,070 (16%) that had a password lifetime greater than the established value. These accounts did not have a password lifetime required or established; password changes for these accounts only take place manually. These include:
- 104 (31%) test accounts for Safari report writer software. These accounts are not actively logged into and would not be subject to the password lifetime limitations established for regular user accounts.
- 47 (14%) kiosk accounts used by user entity employees to enter leave requests and to view leave balances and payroll information.
- 130 (38%) system accounts that are not logged into and are not subject to the password lifetime limitations established for regular user accounts.
- 56 (17%) user entity accounts. These accounts only had the _OFFICE identifier, which does not grant access to applications.
No other exceptions noted.

Control Procedure: Password expiration for the web applications is defined at the system or process level.
Test Description: Inspected the command run by the manager of systems and operations to confirm password expiration for web applications.

Control Procedure: Log-in parameters have been set to control and monitor sign-on attempts.
Test Description: Inspected the system login parameters to confirm parameters were set to control and monitor sign-on attempts.
Control Procedure: System and web application activity is monitored and inactive users are automatically disconnected after a predetermined period of idle time.
Test Description: Inspected the terminal log-off parameter to confirm MDECA automatically logs off inactive users. Inspected the configuration for the timeout values on the USAS and USPS web applications.
Test Result: Control Objective Has Been Met.

Control Procedure: Access to production data files and programs on the system is restricted to authorized users.
Test Description: Inspected file protection masks to confirm production data files and executable files are absent of WORLD write and/or delete access.

Control Procedure: A private internal network and firewall are used to control Internet traffic and maintain a logical segregation between user entities.
Test Description: Inspected the network diagram to confirm the components of the network that control Internet access.

Control Procedure: A PaloAlto firewall appliance is used to detect possible threats to the MDECA network.
Test Description: Inspected settings in the firewall configuration to confirm that inbound and outbound IP traffic is restricted through the firewall. Inspected the PaloAlto daily report to confirm it identified possible intrusions and inquired about the actions taken by MDECA staff.

Control Procedure: Connection to the system from the user entity is restricted through emulation software installed on each authorized user's computer.
Test Description: Confirmed user entity access procedures to the system with the network support specialist/server specialist.

Control Procedure: MDECA does not broadcast the Service Set Identifier (SSID) for its wireless network, and access requires a Wired Equivalent Privacy (WEP) key.
Test Description: Identified wireless networks using personal computer tools and inquired with the manager of systems and operations about the availability of wireless access to the network.
IT Security - Control Objective: Application Level Access Controls - Access to particular functions within applications (e.g., approving payment of vendors) should be appropriately restricted to ensure the segregation of duties and prevent unauthorized activity.

Control Procedure: Users are restricted to predefined logical access identifiers that grant varying access privileges based on requests from user entity management.
Test Description: Inspected the user authorization file listing all identifiers for evidence of the use of identifiers to segregate access to the applications. Inquired with the director of operations regarding the OSA utility and the process used to assign application identifiers. Sampled 14 of 138 new user accounts with identifiers for the USAS, USPS, or SAAS/EIS applications; inspected the account request forms to confirm the access granted was authorized and compared the identifiers granted to the authorized identifiers.
Test Result: Control Objective Has Been Met.

Control Procedure: The OECN_SYSMAN identifier, which grants all access privileges for all state-developed applications, is restricted to authorized ITC personnel or system accounts.
Test Description: Extracted all users from the system user authorization file with the OECN_SYSMAN identifier. Inspected the listings and inquired with the manager of systems and operations to confirm the appropriateness of the accounts.

IT Security - Control Objective: System Software and Utilities Access Controls - Use of master passwords, powerful utilities and system manager facilities should be adequately controlled.

Control Procedure: World access to key system files is restricted.
Test Description: Inspected the file protection masks on the system files to confirm WORLD write and/or delete access is absent.
Test Result: Control Objective Has Been Met.
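Both the production-file test under System Level Access Controls and the key-system-file test just above come down to the same inspection: read each file's protection mask and flag any file where the WORLD category carries write or delete. The script below is an added example of that check (it is not from the report); the directory listing is constructed to resemble OpenVMS DIRECTORY/PROTECTION and SET PROTECTION mask formats, and every file name in it is invented.

```python
"""Flag files whose protection mask grants WORLD write (W) or delete (D).
Added example; the listing is constructed and the file names are invented."""
import re

# Constructed sample listing.  Positional masks are (System,Owner,Group,World);
# an empty field means that category has no access at all.
SAMPLE_LISTING = """\
Directory DKA100:[USAS.DATA]

ACCT.IDX;1            (RWED,RWED,RE,)
ACCT.DAT;3            (RWED,RWED,RE,RE)
SCRATCH.TMP;1         (RWED,RWED,RWED,RWED)

Directory DKA100:[SYS0.SYSEXE]

SYSUAF.DAT;1          (RWED,RWED,,)
OLDTOOL.EXE;2         (S:RWED,O:RWED,G:RE,W:RWD)
USAS.EXE;7            (S:RWED,O:RWED,G:RE,W:RE)
"""

FILE_RE = re.compile(r"^(\S+;\d+)\s+\(([^)]*)\)", re.M)


def parse_mask(inner):
    """'RWED,RWED,RE,' or 'S:RWED,O:RWED,G:RE,W:RWD' -> {'S': set, 'O': set, 'G': set, 'W': set}"""
    cats = {}
    for pos, field in enumerate(inner.split(",")):
        field = field.strip()
        if ":" in field:                        # labelled form (SET/SHOW PROTECTION)
            cat, acc = field.split(":", 1)
            cats[cat.strip().upper()[0]] = set(acc.strip().upper())
        else:                                   # positional form (DIRECTORY/PROTECTION)
            cats["SOGW"[pos]] = set(field.upper())
    for c in "SOGW":
        cats.setdefault(c, set())
    return cats


def world_write_or_delete(listing):
    """[(file, world_access)] for every file whose WORLD field has W or D.
    Data file or executable makes no difference: either lets any local
    account alter or remove it, which is what the control forbids."""
    bad = []
    for name, inner in FILE_RE.findall(listing):
        world = parse_mask(inner)["W"]
        if world & {"W", "D"}:
            bad.append((name, "".join(c for c in "RWED" if c in world)))
    return bad


if __name__ == "__main__":
    for name, acc in world_write_or_delete(SAMPLE_LISTING):
        print(f"WORLD has {acc} on {name}")
```

Run over a full directory tree the output is short enough to review by hand, which is the form the auditor's evidence takes; an empty result is the expected state for both the production data directories and the system executables.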
Control Procedure: System-level UICs are restricted to authorized personnel.
Test Description: Identified the MAXSYSGROUP value. Inspected the accounts with a UIC less than the MAXSYSGROUP value and inquired with the manager of systems and operations to confirm the appropriateness of the accounts.
Test Result: Control Objective Has Been Met.

Control Procedure: An alternate user authorization file is not permitted to be used and does not exist.
Test Description: Inspected the value of the alternate user authorization file parameter to confirm the use of an alternate user authorization file is not permitted. Inspected the system directory listings to confirm an alternate user authorization file did not exist.

Control Procedure: Remote access to firewall and router configurations used to control Internet access is restricted to authorized users through password protection and limited login attempts.
Test Description: Inspected the firewall configuration and observed the manager of systems and operations log in to the firewall to confirm a password is required to access the firewall and routing equipment. Also observed the manager of systems and operations log in unsuccessfully to confirm the limit on login attempts. Inspected the remote access setup for the PaloAlto firewall with the network technician and confirmed the settings for MDECA staff access.

Control Procedure: Accounts on the system with elevated privileges, defined as those accounts having more than the minimum privileges to use the system or participate in groups, are limited to authorized personnel as determined by MDECA staff.
Test Description: Extracted accounts with elevated privileges from the user authorization file. Inspected the listing and inquired with the manager of systems and operations to confirm the appropriateness of the accounts.
IT Security - Control Objective: Physical Security - Computer facilities and data should have appropriate physical access restrictions and be properly protected from environmental dangers.

Control Procedure: Physical access to the computer room and its contents is restricted to authorized personnel via security devices, including an electronic keypad for the computer room and security monitoring equipment for the MDECA offices.
Test Description: Inspected scan card-secured entrances, motion detectors, and Sonitrol security cameras and associated monitors located throughout MDECA. Compared a listing of all personnel with access to the computer room to the MDECA employee roster and confirmed access was restricted to only those individuals. Inspected the agreement and payment documentation with Sonitrol.
Test Result: Control Objective Has Been Met.

Control Procedure: Environmental controls are in place to protect against and/or detect fire, water, humidity, or changes in temperature.
Test Description: Inspected the MDECA data center and observed the environmental controls. Inspected the fire extinguishers for the date last serviced by a technician. Inspected the maintenance agreement for the Liebert air conditioning units.
IT Operations

IT Operations - Control Objective: System Administration and Maintenance - Appropriate procedures should be established to ensure that the system is properly maintained and monitored.

Control Procedure: Routine system maintenance programs, such as monitoring and file cleanup, run daily through SUBMITALL.
Test Description: Inspected the SUBMITALL report to confirm that routine system maintenance jobs are automatically scheduled. Inspected the batch queue and the command procedure that runs the program to confirm it resubmits daily.
Test Result: Control Objective Has Been Met.

Control Procedure: The manager of systems and operations monitors the system for hardware errors throughout the day using an operating system command.
Test Description: Inspected the command procedure and an example of the SHOW/ERROR log that is generated and inspected by the manager of systems and operations.

Control Procedure: MDECA maintains service agreements covering maintenance and failures on the computer hardware.
Test Description: Inspected the maintenance agreements and payment documentation to confirm coverage during the audit period.

Control Procedure: A software procedure is run weekly by the manager of systems and operations to help prevent file failure and data corruption.
Test Description: Inspected the following to confirm MDECA has a software procedure to prevent file failure and data corruption:
- Command procedure which creates the SUBMITALL log
- SUBMITALL log which processes the ANLNDX command procedure
- Example of the ANLNDX log

Control Procedure: MDECA utilizes software for monitoring network performance that alerts staff of hardware failures and system problems.
Test Description: Inquired with the network specialist about the functions of the PRTG utility. Inspected the PRTG screen for documentation of user entity equipment status and availability.
Control Procedure: MDECA has a diesel generator and an Uninterruptible Power Supply (UPS) to maintain power in the event of a power outage.
Test Description: Inspected the diesel generator and UPS with the manager of systems and operations. Inspected the maintenance agreement for the services covered for the generator/UPS.
Test Result: Control Objective Has Been Met.

Control Procedure: Data center equipment is covered by insurance in case of loss or damage.
Test Description: Inspected the insurance policy and payment documentation to confirm coverage during the audit period.

IT Operations - Control Objective: Backup - Up-to-date backups of programs and data should be available in emergencies.

Control Procedure: Incremental system backups of programs and data are performed nightly through SUBMITALL. The status of the backup is sent via e-mail to MDECA staff for inspection.
Test Description: Inspected an example of a backup log and the system daily backup summary screen showing a recorded pass date for all 19 system disks.
Test Result: Control Objective Has Been Met.

Control Procedure: Full system backups of programs and data are performed nightly and sent to the disaster recovery site in Columbus.
Test Description: Inspected the backup procedures for the MDECA production server (MDECA5), the SUBMITALL log and the backup command procedure FULLALLTOCARTW219.COM to confirm backups are performed on a regular basis. Inspected the directory listing sent to the DR site and the backup log to confirm backups are sent to the DR site.

Control Procedure: Backup tapes are stored on-site and off-site in physically and environmentally secure locations. Tapes are rotated off-site weekly.
Test Description: Inspected the on-site MDECA Tape Library Management System for dated tapes stored and to be taken to the off-site facility.
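The backup test above checks by eye that every system disk shows a recorded pass date; the same check is cheap to automate so that the e-mailed status carries an explicit list of disks that did not pass, passed too long ago, or never reported. The script below is an added example of that verification (not MDECA's SUBMITALL procedure); the summary-line layout, the disk names and the 26-hour freshness window are assumptions, and the sample lines are constructed.

```python
"""Verify a nightly backup summary: every expected disk must have a recent PASS.
Added example; line layout, disk names and the freshness window are assumptions."""
from datetime import datetime, timedelta

# Assumed disk names for the example (the report covers 19 system disks).
EXPECTED_DISKS = ["DISK$SYS0", "DISK$USAS1", "DISK$USPS1", "DISK$SAAS1", "DISK$ARCH1"]

# Constructed summary: "disk  date  time  status [message]", one line per job.
# DISK$SYS0 failed and was retried; DISK$USPS1 last passed the night before;
# DISK$SAAS1 failed outright; DISK$ARCH1 never reported.
SAMPLE_BACKUP_SUMMARY = """\
DISK$SYS0    12-MAY-2015 23:05  FAIL  %BACKUP-E-OPENIN, error opening input
DISK$SYS0    12-MAY-2015 23:30  PASS
DISK$USAS1   12-MAY-2015 23:41  PASS
DISK$USPS1   11-MAY-2015 23:38  PASS
DISK$SAAS1   12-MAY-2015 23:50  FAIL  %BACKUP-E-OPENIN, error opening input
"""

CHECK_TIME = datetime(2015, 5, 13, 6, 0)      # when the morning check runs
MAX_AGE = timedelta(hours=26)                  # allows a late-running nightly job


def parse_summary(text):
    """Latest entry per disk: {disk: (timestamp, status)}; later lines win."""
    latest = {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue                            # blank or malformed line
        disk, date, time_, status = parts[:4]
        when = datetime.strptime(f"{date} {time_}", "%d-%b-%Y %H:%M")
        if disk not in latest or when > latest[disk][0]:
            latest[disk] = (when, status)
    return latest


def check_backups(text, expected, now, max_age=MAX_AGE):
    """Status per expected disk: ok / failed / stale / missing."""
    latest = parse_summary(text)
    status = {}
    for disk in expected:
        if disk not in latest:
            status[disk] = "missing"
        elif latest[disk][1] != "PASS":
            status[disk] = "failed"
        elif now - latest[disk][0] > max_age:
            status[disk] = "stale"
        else:
            status[disk] = "ok"
    return status


def problems(status):
    """Disks to name in the status e-mail."""
    return sorted(d for d, s in status.items() if s != "ok")


def run_sample(now=CHECK_TIME):
    return check_backups(SAMPLE_BACKUP_SUMMARY, EXPECTED_DISKS, now)


if __name__ == "__main__":
    st = run_sample()
    for disk in EXPECTED_DISKS:
        print(f"{disk:12s} {st[disk]}")
    print("problems:", ", ".join(problems(st)) or "none")
```

Keying the check on an explicit list of expected disks is what turns "every line says PASS" into "every disk passed": a job that never ran produces no line at all, and only the missing category catches it.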
SECTION 5 - OTHER INFORMATION PROVIDED BY THE SERVICE ORGANIZATION (Unaudited)

INFORMATION TECHNOLOGY CENTER PROFILE

OHIO EDUCATION COMPUTER NETWORK SITE DATA

Name: Metropolitan Dayton Educational Cooperative Association (MDECA)
Number: 22
Node Name: MDECA5
Chairperson: Dr. John Kronour, Superintendent, Tipp City Ex Village SD
Fiscal Agent: Montgomery County Educational Service Center
Administrator: Dean Reineke, Executive Director, MDECA
Address: 225 Linwood Street, Dayton, OH
Telephone:
FAX:
Website:
OTHER SITE STAFF

- Bill Griffith, Manager of systems and operations
- Tammy Watson, Office coordinator
- Chris Knodel, Applications support / Software support manager
- Chris Trepal, Software support coordinator
- Julie Brennan, Software support coordinator
- Sharmene Irby, Software support coordinator
- Jean Mayer, Software support coordinator
- Jason Otoski, Software support coordinator
- Mike Taylor, Software support coordinator
- Karly Gehle, Software support coordinator
- Tammy Hrosch, EMIS services manager
- Debra Mason, Software support coordinator
- Cory Goldfuss, Network support specialist
- Jacob Meckstroth, Network support technician
- Tim Ritchey, Network support technician
- Kim Snyder, Server specialist
- Nathaniel Curtis, Server specialist
- Chris Miller, Programmer
- Pam Tomlinson, Programmer/analyst
- Teri Willhoite, Receptionist/secretary
HARDWARE DATA

Central Processors and Peripheral Equipment

CPU Unit 1 (Model Number / Units / Installed Capacity, Density or Speed)
- CPU: Alpha /466
- Lines/Ports: 0
- Memory Installed: 4.0 Gb
- Disk: RZ1CB, 6 units, total capacity 25.8 Gb
- Disk: RZ1EF-CB, 2 units, total capacity 36.4 Gb
- Disk: RZ1ED, 6 units, total capacity Gb
- Disk: RZ1DD, 6 units, total capacity 54.0 Gb
- Tape Unit: TZ89, 1 unit, maximum density 35.0 Gb
USER ENTITY SITE DATA

IRN | USER ENTITY | COUNTY | USAS USPS SAAS OTHER
| Ansonia Local SD | Darke | X X X
| Arcanum Butler Local SD | Darke | X X X X
| Aurora Academy | Lucas | X
| Bethel Local SD | Miami | X X X X
| Bradford Ex Village SD | Miami | X X X
| Brookville Local SD | Montgomery | X X X X
| Centerville City School District | Montgomery | X
| Cincinnati College Prep Academy West | Hamilton | X X X
| Cincinnati College Prep Academy East | Hamilton | X X X
| Cincinnati Speech and Reading | Hamilton | X X X
| Cincinnati Technology Academy | Hamilton | X X X
| City Day Community Schools | Montgomery | X X X
| Cleveland Academy of Scholarship | Cuyahoga | X
| College Hill Leadership Academy | Hamilton | X X X
| Columbus Bilingual Academy | Franklin | X X X
| Columbus Bilingual Academy North | Franklin | X X X
| Columbus Collegiate Academy | Franklin | X X X
| Columbus Collegiate Academy West | Franklin | X X X
| Columbus Performance Academy | Franklin | X X
| Columbus Prep and Fitness | Franklin | X X
| Covington Ex Vill SD | Miami | X X X
| Darke County ESC | Darke | X X X X
| Dayton Early College Academy | Montgomery | X X X X
| DECA Prep | Montgomery | X X X X
| Dayton STEM School | Greene | X X
| Dayton Tech Design and High School | Montgomery | X X X
| Dayton Leadership Academy Dayton View Campus | Montgomery | X X X
| Dayton Leadership Academy Dayton Liberty Campus | Montgomery | X X X
| Dayton SMART Elementary | Montgomery | X X X
| Oak (formerly Dow) Leadership Institute | Cuyahoga | X X X
| Fairborn City SD | Greene | X X X X
| Fairborn Digital Academy | Greene | X X
| Franklin Monroe Local SD | Darke | X X X X
| Franklinton Prep Academy | Franklin | X X X
| Great Expectations Elementary School | Lucas | X
| Greenville City SD | Darke | X X X
| Huber Heights City SD | Montgomery | X X X X
| Impact Academy | Hamilton | X X X
| Jefferson Local SD | Montgomery | X X X
| Kettering City SD | Montgomery | X
| Kids Unlimited Academy | Lucas | X
| Mad River Local SD | Montgomery | X X X X
| Miami County ESC | Miami | X X X X
| Miami East Local SD | Miami | X X X X
| Miami Valley Academies | Montgomery | X X X
| Miami Valley CTC | Montgomery | X X X X
| Miamisburg City SD | Montgomery | X X X X
| Miamisburg Secondary Digital Academy | Montgomery | X X X
| Middletown Fitness and Prep Academy | Butler | X X
| Millennium Community School | Franklin | X X X
| Milton Union Ex Village SD | Miami | X X X X
| Mississinawa Valley Local SD | Darke | X X X
| Montgomery County ESC | Montgomery | X X X X
| Mound Street Health Academy | Montgomery | X X X X
| Mound Street IT Academy | Montgomery | X X X X
| Mound Street Military Academy | Montgomery | X X X X
| Mount Healthy Prep and Fitness | Hamilton | X X
| New Lebanon Local SD | Montgomery | X X X X
| Newton Local SD | Miami | X X X X
| Northland Prep and Fitness | Franklin | X X
| Northmont City SD | Montgomery | X X X X
| Northmont Secondary Academy | | X X
| Northridge Local SD | Montgomery | X X X X
| Oakwood City SD | Montgomery | X X X X
| Performance Academy of Eastland | Franklin | X X
| Phoenix Community Learning Center | Hamilton | X X X
| Piqua City SD | Miami | X X X X
| Richard Allen Dayton Preparatory | Montgomery | X X
| Richard Allen Academy II | Montgomery | X X
| Richard Allen Academy | Montgomery | X X
| Richard Allen III | Butler | X X
| Richland Academy School of Excellence | Richland | X X X
| Springfield Academy of Excellence | Clark | X X X
| Springfield Prep and Fitness | Clark | X X
| Tipp City Ex Village SD | Miami | X X X X
| Toledo Preparatory and Fitness Academy | Lucas | X X
| Toledo SMART Elementary School | | X X X
| Tri-Village Local SD | Darke | X X X X
| Trotwood Fitness and Prep Academy | Montgomery | X X
| Trotwood Madison City SD | Montgomery | X X X X
| Troy City SD | Miami | X X X X
| United Preparatory Academy | | X X X
| Valley View Local SD | Montgomery | X X X X
| Vandalia Butler City SD | Montgomery | X X X X
| Versailles Ex Village SD | Darke | X X X X
| Watkins Academy | Montgomery | X
| West Carrollton City SD | Montgomery | X X X X
| West Carrollton Secondary Academy | Montgomery | X X
| Whitehall Fitness and Prep | Franklin | X X
TOTALS:
MONTGOMERY COUNTY

CLERK'S CERTIFICATION

This is a true and correct copy of the report which is required to be filed in the Office of the Auditor of State pursuant to Section , Revised Code, and which is filed in Columbus, Ohio.

CLERK OF THE BUREAU
CERTIFIED AUGUST 6,
East Broad Street, Fourth Floor, Columbus, Ohio
Phone: or
Fax:
FIREWALL POLICY November 2006 TNS POL - 008
FIREWALL POLICY November 2006 TNS POL - 008 Introduction Network Security Services (NSS), a department of Technology and Network Services, operates a firewall to enhance security between the Internet and
Stone Vault, LLC SOC 1 (SSAE NO. 16) TYPE 1 REPORT ON CONTROLS PLACED IN OPERATION FOR TAX RETURN AND FINANCIAL STATEMENT PORTAL SERVICES
SOC 1 (SSAE NO. 16) TYPE 1 REPORT ON CONTROLS PLACED IN OPERATION FOR TAX RETURN AND FINANCIAL STATEMENT PORTAL SERVICES Stone Vault, LLC JANUARY 31, 2013 STONE VAULT, LLC Table of Contents SECTION 1:
Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
OFFICE OF THE STATE AUDITOR General Controls Review Questionnaire
OFFICE OF THE STATE AUDITOR Agency: * University Please answer all of the following questions. Where we ask for copies of policies and procedures and other documentation, we would prefer this in electronic
Ayla Networks, Inc. SOC 3 SysTrust 2015
Ayla Networks, Inc. SOC 3 SysTrust 2015 SOC 3 SYSTRUST FOR SERVICE ORGANIZATIONS REPORT July 1, 2015 To December 31, 2015 Table of Contents SECTION 1 INDEPENDENT SERVICE AUDITOR S REPORT... 2 SECTION 2
Copyright 2011 Sophos Ltd. Copyright strictly reserved. These materials are not to be reproduced, either in whole or in part, without permissions.
PureMessage for Microsoft Exchange protects Microsoft Exchange servers and Windows gateways against email borne threats such as from spam, phishing, viruses, spyware. In addition, it controls information
SERVICE LEVEL AGREEMENT
SERVICE LEVEL AGREEMENT This service level agreement ( SLA ) is incorporated into the master services agreement ( MSA ) and applies to all services delivered to customers. This SLA does not apply to the
Best Practices Report
Overview As an IT leader within your organization, you face new challenges every day from managing user requirements and operational needs to the burden of IT Compliance. Developing a strong IT general
1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...
Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless
Server Installation, Administration and Integration Guide
Server Installation, Administration and Integration Guide Version 1.1 Last updated October 2015 2015 sitehelpdesk.com, all rights reserved TABLE OF CONTENTS 1 Introduction to WMI... 2 About Windows Management
IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results
Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.
Achieving PCI-Compliance through Cyberoam
White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit
Supplier IT Security Guide
Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA
TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL
TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for
Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness
CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA
BlackBerry Enterprise Service 10. Universal Device Service Version: 10.2. Administration Guide
BlackBerry Enterprise Service 10 Universal Service Version: 10.2 Administration Guide Published: 2015-02-24 SWD-20150223125016631 Contents 1 Introduction...9 About this guide...10 What is BlackBerry
Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201
Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...
GE Measurement & Control. Cyber Security for NEI 08-09
GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4
KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Administrator s manual
KASPERSKY LAB Kaspersky Administration Kit version 6.0 Administrator s manual KASPERSKY ADMINISTRATION KIT VERSION 6.0 Administrator s manual Kaspersky Lab Visit our website: http://www.kaspersky.com/
APPENDIX 3 TO SCHEDULE 3.3 SECURITY SERVICES SOW
EHIBIT H to Amendment No. 60 APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT SECURITY SERVICES SOW EHIBIT H to Amendment No. 60 Table of Contents 1.0 Security Services Overview
Automate PCI Compliance Monitoring, Investigation & Reporting
Automate PCI Compliance Monitoring, Investigation & Reporting Reducing Business Risk Standards and compliance are all about implementing procedures and technologies that reduce business risk and efficiently
Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0
Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies
Information Technology Cyber Security Policy
Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please
NERC CIP Whitepaper How Endian Solutions Can Help With Compliance
NERC CIP Whitepaper How Endian Solutions Can Help With Compliance Introduction Critical infrastructure is the backbone of any nations fundamental economic and societal well being. Like any business, in
How To Control Vcloud Air From A Microsoft Vcloud 1.1.1 (Vcloud)
SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits,
INFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS 357-7 8. Risk Assessment 357-7
Information Technology Management Page 357-1 INFORMATION TECHNOLOGY MANAGEMENT CONTENTS CHAPTER A GENERAL 357-3 1. Introduction 357-3 2. Applicability 357-3 CHAPTER B SUPERVISION AND MANAGEMENT 357-4 3.
74% 96 Action Items. Compliance
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated
Information Technology Internal Controls Part 2
IT Controls Webinar Series Information Technology Internal Controls Part 2 Presented by the Arizona Office of the Auditor General October 23, 2014 Part I Overview of IT Controls and Best Practices Part
Information Technology General Controls Review (ITGC) Audit Program Prepared by:
Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the
HIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
System and Network Security Policy Internet User Guidelines and Policy. North Coast Council. 5700 West Canal Road Valley View, Ohio 44125
North Coast Council 5700 West Canal Road Valley View, Ohio 44125 Telephone: 216-520-6900 Fax: 216-520-6969 1885 Lake Avenue Elyria, Ohio 44035 Telephone: 440-324-3185 Fax: 440-324-7355 URL: www.nccohio.org
Information security controls. Briefing for clients on Experian information security controls
Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face
Ongoing Help Desk Management Plan
Ongoing Help Desk Management Plan HELP DESK IMPLEMENTATION /MANAGEMENT The Vendor shall provide in its Response to DIR a Help Desk Implementation Plan which shall include, but not be limited to: a. Customer
SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific
Locking down a Hitachi ID Suite server
Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime
Consensus Policy Resource Community. Lab Security Policy
Lab Security Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is
Estate Agents Authority
INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in
FireSIGHT User Agent Configuration Guide
Version 2.2 August 20, 2015 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL
Tk20 Network Infrastructure
Tk20 Network Infrastructure Tk20 Network Infrastructure Table of Contents Overview... 4 Physical Layout... 4 Air Conditioning:... 4 Backup Power:... 4 Personnel Security:... 4 Fire Prevention and Suppression:...
