Department of Transportation Office of Transportation Technology Services

Transcription

1 Audit Report Department of Transportation Office of Transportation Technology Services October 2005 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY

2 This report and any related follow-up correspondence are available to the public through the Office of Legislative Audits at 301 West Preston Street, Room 1202, Baltimore, Maryland The Office may be contacted by telephone at , , or Electronic copies of our audit reports can be viewed or downloaded from our website at Alternate formats may be requested through the Maryland Relay Service at The Department of Legislative Services Office of the Executive Director, 90 State Circle, Annapolis, Maryland can also assist you in obtaining copies of our reports and related correspondence. The Department may be contacted by telephone at or

3 October 17, 2005 Delegate Charles E. Barkley, Co-Chair, Joint Audit Committee Senator Nathaniel J. McFadden, Co-Chair, Joint Audit Committee Members of Joint Audit Committee Annapolis, Maryland Ladies and Gentlemen: We have audited the Maryland Department of Transportation - Office of Transportation Technology Services (OTTS). Our audit included an internal control review of the OTTS data center and the network administered by OTTS that supports the Maryland Department of Transportation (MDOT) and its modal agencies. Our audit disclosed that proper internal control had not been established over several significant areas. Specifically, OTTS lacked assurance that certain critical system and database files were adequately protected. Furthermore, numerous inactive accounts existed on the mainframe computer and security software reports were not properly controlled. Finally, the MDOT internal network was not adequately protected from external exposures. Consequently, unauthorized changes could be made to critical agency data such as driver license or interstate commercial vehicle records. Systems that operate on the OTTS computing platform include the Motor Vehicle Administration s Titling and Registration Information System, the Administration s Drivers Licensing Processing System, MDOT s Financial Management Information System and MDOT s payroll system. Respectfully submitted, Bruce A. Myers, CPA Legislative Auditor

4 2

5 Table of Contents Background Information 4 Agency Responsibilities and Description 4 Current Status of Findings From Preceding Audit Report 5 Findings and Recommendations 6 Data Center Information System Security and Control Finding 1 Controls Over Operating System Files, Mainframe Inactive 6 User Accounts and Security Reports Were Not Sufficient Database Security and Control * Finding 2 Access and Recordation Controls Over a Critical 7 Database Were Not Adequate Finding 3 Data Security Controls Pertaining to a Critical OTTS 7 Database Application Were Not Adequate Network Security and Control Finding 4 The MDOT Internal Computer Network Was Not 8 Adequately Secured From External Exposures Audit Scope, Objectives, and Methodology 10 Agency Response Appendix * Denotes item repeated in full or part from preceding audit report 3

6 Background Information Agency Responsibilities and Description The Maryland Department of Transportation - Office of Transportation Technology Services (OTTS) provides computing resources to the various modal units of the Maryland Department of Transportation (MDOT) and operates as a computer service bureau for these units, which are charged for services performed. OTTS staff provides computing, networking and telecommunications services for MDOT s modal units and headquarters. Additionally, the OTTS maintains the operating system and security software with which all applications are executed. OTTS operates a mainframe computer for applications, which include the Motor Vehicle Administration s Titling and Registration Information System, the Administration s Drivers Licensing Processing System, the MDOT s Financial Management Information System and MDOT s payroll system. In addition, OTTS also operates certain server based applications, such as the Maryland International Registration Plan which processes the registration of interstate commercial vehicles and associated fees. OTTS, in conjunction with a MDOT contractor, operates a Wide Area Network (WAN) connecting computer users from the modal units and headquarters, as well as providing connections to a few State networks and to multiple external vendor networks associated with the modal units activities. The WAN performs data transmission using a large number of outlying routers and key core routers. MDOT s modal units use the WAN to connect with the aforementioned mainframe applications and to send and receive communications for these applications. The modal units also use the WAN for external Internet access, with all such transmissions being controlled by either the OTTS central Internet firewall or by a dedicated virtual private network device that authenticates and safeguards such Internet transmissions. For fiscal year 2005, OTTS had authorized positions and a budget of approximately $36 million. See below for a graphic depiction of OTTS and its components. 4

7 Overview of the OTTS Networking Environment The OTTS operates a network that includes numerous servers, a mainframe computer, and connectivity to the MDOT modals, MDOT business partners, State networks and the Internet Current Status of Findings From Preceding Audit Report Our audit included a review to determine the current status of the five findings contained in our preceding audit report dated November 19, We determined that OTTS satisfactorily addressed four of these five findings. The remaining finding is repeated in this report. 5

8 Findings and Recommendations Data Center Information System Security and Control Finding 1 Controls over critical operating system files, mainframe inactive user accounts and security reports were not sufficient. Analysis Controls over critical operating systems files, mainframe inactive user accounts and security reports were not sufficient. Specifically, we noted the following conditions: The report of changes to critical operating system files omitted several critical operating system libraries from its selection list. In addition, the parameters in a critical report could be changed, without detection by management, because such changes were not recorded for review. Furthermore, approval entries, which provide evidence that changes to operating system files were reviewed and approved by appropriate personnel, could not be located for many changes tested. Finally, critical operating system files that were renamed or replaced were not reviewed for propriety. Twenty-two activated user accounts on OTTS mainframe computer system had not been used for periods ranging from 3 months to 7 years. Furthermore, 12 of these accounts had never been used. Unused user accounts can aggravate risks associated with other security weaknesses and can provide a means for improper system access to the OTTS mainframe system. The Department of Budget and Management s Information Technology Security Policy and Standards require an automated process to ensure that user accounts are disabled after 60 days of inactivity and deleted after 90 days. OTTS central security officers, who entered security access rule and user account modifications, also directly received and distributed security monitoring reports to modal security coordinators. As a result, the central security officers could initiate unauthorized changes to access rules and user accounts and withhold the related security reports from the modal security coordinators. 6

9 Ultimately, these conditions could result in undetected and unauthorized changes to user agency data and program files. Recommendation 1 We recommend that OTTS establish adequate controls over critical operating systems files, inactive user accounts and security reports. Accordingly, we made detailed recommendations to OTTS which, if implemented, should provide adequate controls over these areas. Database Security and Controls Finding 2 Access and recordation controls over a critical database were not adequate. Analysis Fifteen data center staff had necessary but unrecorded modification access to mainframe FMIS database system files which allowed modification of the database. A similar condition was commented upon in our preceding audit report. Additionally, an old user account, that permitted full control over the FMIS database, was still assigned to a former employee. As a result of these conditions, critical production database files could be improperly modified or deleted, without detection by management. Recommendation 2 We again recommend that mainframe database system file modifications be recorded and monitored to ensure that all changes made were proper. We also recommend that OTTS delete the former employee s user account from the security system. Finding 3 Data security controls pertaining to a critical OTTS database application were not adequate. Analysis Data security controls pertaining to the Maryland International Registration Plan (MIRP) system were not adequate. Specifically, we noted the following conditions: 7

10 Password length, expiration and history and account lockout and sharing did not meet the requirements of the Department of Budget and Management s Information Technology Security Policy and Standards. For example, the database system password length was set to one character, instead of the required password length of eight characters, and the database system account lockout was not utilized (that is, accounts were not disabled after a set number of failed login attempts). MIRP database access rules inappropriately permitted five users unnecessary, direct modification access to critical MIRP database directories and associated database configuration and control files. Security monitoring for the MIRP database was inadequate because auditing capabilities for the database system were not enabled. MIRP is an application used for the registration of interstate commercial vehicles and the collection of associated fees. As a result of the above conditions, unauthorized or inappropriate changes could be made to the database without detection by management. Recommendation 3 We recommend that MIRP password and user account settings comply with the requirements of the aforementioned Policy. We also recommend that the MIRP database access rules permit modification access to only those individuals who require such access for their job responsibilities. Finally, we recommend that MIRP database auditing be enabled, and the recorded information be reported, reviewed and documented, with evidence of the reviews retained for audit verification. Network Security and Control Finding 4 The MDOT internal computer network was not adequately secured from external exposures. Analysis The MDOT internal network was not adequately secured from external exposures. Specifically, certain traffic from untrusted third party networks and two untrusted State related networks was not adequately filtered and, therefore, could access all 8

11 MDOT internal network devices. In addition, several MDOT critical servers, accessible to external parties and secured in separate zones inside MDOT s network, were improperly permitted access to all internal network devices. Access rules for critical network devices should use a least privilege security strategy which gives users only the access needed to perform assigned tasks. Recommendation 4 We recommend that adequate firewall controls be established to protect the internal network from external exposures. We made detailed recommendations to OTTS which, if implemented, should provide for adequate security over MDOT s internal network. 9

12 Audit Scope, Objectives, and Methodology We have audited the Maryland Department of Transportation (MDOT) - Office of Transportation Technology Services (OTTS). Fieldwork associated with our review of the data center was conducted during the period from June 2004 to September Additionally, fieldwork associated with our review of the network was conducted during the period from March 2005 to June The audit was conducted in accordance with generally accepted government auditing standards. As prescribed by the State Government Article, Section of the Annotated Code of Maryland, the objectives of this audit were to examine OTTS internal control over its data center and network and to evaluate its compliance with applicable State laws, rules, and regulations for the computer systems that support MDOT and modal user agencies. OTTS fiscal operations are audited separately as part of our audit of the MDOT Secretary s Office. The latest report which covered OTTS fiscal operations was issued on February 5, We also determined the current status of the findings contained in our preceding audit report on OTTS. In planning and conducting our audit, we focused on the major areas of operations based on assessments of materiality and risk. Our audit procedures included inquiries of appropriate personnel, inspections of documents and records, and observations of OTTS operations. We also tested transactions and performed other auditing procedures that we considered necessary to achieve our objectives. OTTS management is responsible for establishing and maintaining effective internal control. Internal control is a process designed to provide reasonable assurance that objectives pertaining to the reliability of financial records, effectiveness and efficiency of operations including safeguarding of assets, and compliance with applicable laws, rules, and regulations are achieved. Because of inherent limitations in internal control, errors or fraud may nevertheless occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that conditions may change or compliance with policies and procedures may deteriorate. Our reports are designed to assist the Maryland General Assembly in exercising its legislative oversight function and to provide constructive recommendations for improving State operations. As a result, our reports generally do not address activities we reviewed that are functioning properly. 10

13 This report includes findings relating to conditions that we consider to be significant deficiencies in the design or operation of internal control that could adversely affect OTTS ability to maintain reliable financial records, operate effectively and efficiently and/or comply with applicable laws, rules, and regulations. Our report includes findings regarding significant instances of noncompliance with applicable laws, rules, or regulations. Other less significant findings were communicated to OTTS that did not warrant inclusion in this report. MDOT s response, on behalf of OTTS, to our findings and recommendations is included as an appendix to this report. As prescribed in the State Government Article, Section of the Annotated Code of Maryland, we will advise MDOT regarding the results of our review of its response. 11

14

15 Maryland Department of Transportation Office of Transportation Technology Services Draft Audit Report Responses Data Center Information System Security and Control Finding #1 Controls over critical operating system files, mainframe inactive user accounts and security reports were not sufficient. Response: The Administration concurs with the auditors recommendation. OTTS will implement the recommended changes to ensure that controls over system files, inactive user accounts and security reporting are addressed by June Database Security and Controls Finding #2 Access and recordation controls over a critical database were not adequate. Response: The Administration concurs with the auditors recommendation. The old user account referenced will be removed from the security system by December The ACF2 rule for this database was changed to ensure that changes are logged. The mainframe database system file modifications will be recorded and monitored to ensure that all changes are proper. Finding #3 Data security controls pertaining to a critical OTTS database application were not adequate. Response: The Administration concurs with the auditors recommendations. Auditing shall be enabled and reports reviewed and retained to ensure database changes made are proper. The database security shall comply with the State data security policy and database access rules will be limited to only those whose job responsibilities require it. These recommendations will be implemented beginning November 2, 2005 and completed by December 2005.

16 Maryland Department of Transportation Office of Transportation Technology Services Draft Audit Report Responses Network Security and Control Finding #4 The MDOT internal computer network was not adequately secured from external exposures. Response: The Administration concurs with the auditors recommendations. OTTS will implement the necessary changes to ensure that the firewalls and internal networks are adequately secured from external exposures by June 2006.

17 AUDIT TEAM A. Jerome Sokol, CPA Information Systems Audit Manager Richard L. Carter, CISA R. Brendan Coffey, CPA Albert E. Schmidt, CPA Information Systems Senior Auditors Veronica Arze Amanda L. Trythall Information Systems Staff Auditors