Police Records Management System IT General Controls Follow up Report

Transcription

1 Police Records Management System IT General Controls Follow up Report March 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor

2 The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring the proper and efficient use of City resources and providing other audit services and information to City Council, the Mayor and the public to improve all aspects of Denver s government. He also chairs the City s Audit Committee. The Audit Committee is chaired by the Auditor and consists of seven members. The Audit Committee assists the Auditor in his oversight responsibilities of the integrity of the City s finances and operations, including the integrity of the City s financial statements. The Audit Committee is structured in a manner that ensures the independent oversight of City operations, thereby enhancing citizen confidence and avoiding any appearance of a conflict of interest. Audit Committee Dennis Gallagher, Chair Maurice Goodgaine Leslie Mitchell Rudolfo Payan Robert Bishop Jeffrey Hart Timothy O Brien, Vice Chair Audit Management Kip Memmott, Director, MA, CGAP, CRMA John Carlson, Deputy Director, JD, MBA, CIA, CGAP, CRMA Audrey Donovan, Deputy Director, CIA, CGAP, CRMA Audit Staff Shannon Kuhn, IT Audit Supervisor, CISA Nicholas Jimroglou, Lead IT Auditor, CISA Jakki Boline, IT Senior Auditor Karin Doughty, IT Senior Auditor, CISA You can obtain copies of this report by contacting us at: Office of the Auditor 201 West Colfax Avenue, Department 705 Denver CO, (720) Fax (720)

3 Or download and view an electronic copy by visiting our website at: Report number A

4 City and County of Denver 201 West Colfax Avenue, Department 705 Denver, Colorado FAX Dennis J. Gallagher Auditor March 16, 2015 Ms. Stephanie O Malley, Executive Director of Safety Mr. Frank Daidone, Chief Information Officer, Technology Services City and County of Denver Re: Police Records Management System IT General Controls Audit Follow Up Report Dear Ms. O Malley and Mr. Daidone: In keeping with professional auditing standards and the Audit Services Division s policy, as authorized by D.R.M.C , our Division has a responsibility to monitor and follow up on audit recommendations to ensure audit findings are being addressed and to aid us in planning future audits. This report is to inform you that we have completed our follow up effort for the Police Records Management System IT General Controls Performance Audit issued December 20, Our review determined that the Department of Safety and Technology Services has implemented eight of the twenty three findings found in the audit report. For your reference, this report includes a Highlights page that provides background and summary information on the original audit and the completed follow up effort. Following the Highlights page is a detailed implementation status update for each recommendation. In addition to the eight recommendations that were implemented, fifteen recommendations were not implemented. Despite the Agencies efforts, auditors determined that the risk associated with the audit team s initial findings has not been fully mitigated. As a result, the Division may revisit these risk areas in future audits to ensure appropriate corrective action is taken. This concludes audit follow up work related to this audit. I would like to express our sincere appreciation to you and to Department of Safety and Technology Services personnel who assisted us throughout the audit and follow up process. If you have any questions, please feel free to contact me at or Shannon Kuhn, IT Audit Supervisor, at Sincerely, KRM/sk Kip Memmott, MA, CGAP, CRMA Director of Audit Services cc: Honorable Michael Hancock, Mayor Honorable Members of City Council To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation.

5 Members of Audit Committee Ms. Cary Kennedy, Deputy Mayor, Chief Financial Officer Ms. Janice Sinden, Chief of Staff Mr. David P. Edinger, Chief Performance Officer Ms. Beth Machann, Controller Mr. Scott Martinez, City Attorney Ms. Janna Young, City Council Executive Staff Director Mr. L. Michael Henry, Staff Director, Board of Ethics To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation.

6 City and County of Denver Office of the Auditor Audit Services Division REPORT HIGHLIGHTS Police Records Management Systems IT General Controls Follow up Report: March 2015 The Department of Safety and Technology Services have implemented 35 percent of the recommendations made in the December 2012 audit report. Background The Denver Police Department has been using the Versaterm Records Management System (RMS) since The system can be accessed from desktop computers and from laptop computers, known as mobile data terminals (MDTs), which are installed in police cars. RMS contains general offense records including officer statements, neighborhood surveys, and lab reports. As one of the Denver Police Department s main records systems, RMS is accessed by approximately 1,700 users, including 1,400 sworn police officers, and personnel from other agencies, such as the District Attorney, City Attorney, Denver Sheriff, and Denver County Courts. Purpose The purpose and overall objective of the audit was to examine and assess the IT general controls related to the Police Department's Records Management System to ensure that they provide a sound foundation to support the system s proper operation and security. Highlights from Original Audit Our audit identified issues surrounding critical Police, Fire, and Sheriff Computer systems residing in a data center that offers little to no assurance that it can recover from a disaster. Of eight serious backup and recovery concerns, the most notable are the failure to send backup files offsite and the failure to provide enough disk space for the data backup server. In addition, there are several other important issues concerning user administration, antivirus and system patching, data center security, and change management: Backups are not stored offsite Dangerously low disk space threatens the viability of system backups User administration controls do not ensure timely termination of access or adequate user activity monitoring System software patches and antivirus updates are not monitored for successful installation and sometimes not applied at all The Department of Safety data center has no automated fire suppression and lacks adequate physical access controls Minor project change management does not provide adequate segregation of duties Findings at Follow up Technology Services and the Department of Safety have implemented eight of the twenty three recommendations made in the 2012 audit report. Additional storage was purchased for the backup of the Records Management System. Initial and periodic review of users with access to the Police Record System has been created and is being performed. Technology Services has established a server patching and change management process. Environmental and physical safety controls have been installed in the data center. For a complete copy of this report, visit Audit Contact Person: Shannon Kuhn [email protected]

7 Recommendations: Status of Implementation Recommendation Auditee Action Status Finding 1: Police, Fire and Sheriff Department Electronic Records Are At Risk of Total Loss Should There Be a Data Center Disaster 1.1 Offsite Technology Services must relocate the backup server offsite, away from the Safety data center. The new location should be far enough away so that the new location is not subject to the same hazards, such as fire, broken water pipes, or a tornado. The new location should also meet CJIS access control requirements. 1.2 Disk Space Technology Services and the Denver Safety Departments should collaborate to secure the necessary financial resources to acquire adequate disk capacity for backups. 1.3 Key Personnel Dependency Technology Services should ensure that critical job functions and essential duties related to monitoring system backups can still be performed by other staff when key employees are out of the office, such as on vacation. Documenting and operationalizing job duties and procedures will aid those who temporarily take over backuprelated job functions. 1.4 Disaster Recovery Plan Technology Services and the Denver Police Department should collaborate to develop an RMS disaster recovery plan. The previous Chief Information Officer was able to use special funds to purchase a new backup system and physical disk storage. The systems are shared solutions for both the Safety and Gov domains. Page 1 Office of the Auditor

8 Recommendations: Status of Implementation Recommendation Auditee Action Status 1.5 Disaster Recovery Test Technology Services and the Denver Police Department should schedule tests of the RMS disaster recovery plan in whole or in part to demonstrate recovery capability. 1.6 Backup Methodology The backup methodology and exception procedures used for RMS should be documented. This would include the frequency of both full and incremental backups, the number of backup generations, and how long backup generations are retained. 1.7 Frequency of Backup Technology Services and the Denver Police Department should collaborate to conduct an RMS risk assessment to determine the appropriate type and frequency of backup that is necessary. 1.8 Service Level Agreement Technology Services and the Denver Safety Department should jointly review their Service Level Agreement to ensure that it is both realistic and understood. Key performance metrics should be identified and automated reporting should be developed to alert both Technology Services and Denver Safety Department management of process failures, such as missed data backups. Agreed/Not City and County of Denver Page 2

9 Recommendations: Status of Implementation Recommendation Auditee Action Status Finding 2: User Administration Controls Do Not Ensure Timely Termination of Access or Adequate User Activity Monitoring 2.1 The Denver Police Department should manually review the list of 911 users provided by the auditors to determine the appropriateness of access granted, and disable accounts in RMS as necessary. 2.2 Technology Services should review the results from the Denver Police Department review of RMS access to ensure that the network accounts (Active Directory) of separated users is removed. The list of questionable accounts was reviewed. Several were authorized and worked for areas of responsibility that had authorized access to the RMS. Some of the areas of responsibility included the Denver Police Reserves, Denver Safety Cadets, District Attorney's office, City Attorney's office, Denver Sheriff Department, Denver Fire Arson Investigators, Crime Lab Civilians, Denver Police Victim Assistance volunteers, Electronic Engineering Bureau, Technology Services Enterprise Support, Metro Auto Theft Task Force, Missing Persons volunteers, and Crime Lab volunteers. Based on our review, 427 accounts were appropriate and 484 individuals separated from the department and the accounts were disabled. Page 3 Office of the Auditor

10 Recommendations: Status of Implementation Recommendation Auditee Action Status 2.3 The Denver Police Department should modify its procedures to notify the Information Management Unit when employees transfer or separate to allow the timely removal of their RMS access. 2.4 Technology Services should correct the processing logic of the automated process to ensure that separated users have their network accounts disabled. 2.5 The Denver Police Department should collaborate with Technology Services and the RMS vendor to collect the appropriate data and generate the reports necessary to allow review of user activity in accordance with CJIS requirements (section ). Further, the Denver Police Department should perform weekly RMS user activity reviews as required by CJIS. 2.6 Technology Services should ensure that local accounts on Linux servers and the Oracle database are administered in accordance with either City or CJIS requirements as appropriate. DPD recognizes the need for better communication between the Human Resource Bureau and the Information Management Unit. New procedures have been adopted to provide the Information Management Unit timely information within one business day of an employee separation. The notification is handled by the Information Management Unit on the same business day modifying the personnel's account. The Denver Police Department has implemented a manual process, as Technology Services and the RMS vendor have not completed the data collection and report generation piece of this recommendation. The current process has Human Resources providing a notification via e mail whenever an employee separates. The IMU disables the RMS account the same day. City and County of Denver Page 4

11 Recommendations: Status of Implementation Recommendation Auditee Action Status Finding 3: System Software Patches and Antivirus Updates Are Not Monitored for Successful Installation and Sometimes Not Applied At All 3.1 Technology Services should develop procedures to ensure that software patching and antivirus updates are applied successfully and that failures are investigated and resolved. 3.2 Technology Services should install antivirus software on all RMS servers including Linux servers. 3.3 Technology Services should adopt software patching procedures for all RMS servers. 3.4 Technology Services and the Denver Police Department should collaborate on solutions for applying software patches and antivirus updates for the nearly 500 MDTequipped police cars in the City. TS has adopted and implemented patching procedure for all RMS servers, and it includes an exception for RMS Linux serves. The vendor is responsible for installing patches. Agree/ Not Agree/ Not Agree/ Not Finding 4: The Safety Data Center Has No Automated Fire Suppression and Lacks Adequate Physical Access Controls 4.1 Technology Services and the Denver Safety Department should collaborate regarding how an automated fire suppression system can be installed for the Safety data center. Auditors toured the Safety data center and noted that a fire suppression system was installed. Page 5 Office of the Auditor

12 Recommendations: Status of Implementation Recommendation Auditee Action Status 4.2 Technology Services and the Denver Safety Department should collaborate to install a card reader to replace the barrel bolts on one of the Safety data center doors to support accountability for access. 4.3 Technology Services should institute a visitor sign in log recording access to the Safety data center in compliance with CJIS requirements. A door with a lock was installed on the Safety Center door in lieu of a badge reader. Facilities and the Data Center Manager are the only personnel with keys to the lock. Auditors attempted to open the Safety Data center door and noted it was locked. Auditors noted that a log book was present in the data center. Finding 5: Minor Project Change Management Does Not Provide Adequate Segregation of Duties 5.1 To provide segregation of duties, the Denver Police Department should require supervisory or other approval of all changes submitted to the RMS vendor. 5.2 The Denver Police Department should retain records of all changes submitted to the RMS vendor along with evidence of approval for both the changes and the test results. DPD created a new process by which a request is created by the Information Management Unit to the supervisor. The supervisor approves the request, which is then coordinated between the IMU and the vendor, Versaterm. IMU tests and confirms that the change has been made as expected. Change records are stored in the Service Now change management application. Additionally, the Change Advisory Board keeps minutes and a spreadsheet of approved changes. Auditors verified that RMS changes have been submitted and approved in the Service Now application. City and County of Denver Page 6

13 Conclusion The Department of Safety has completed all five recommendations directed to the agency in the Police Records Management System IT General Controls audit, which includes an initial and periodic review of users with access to the Police Record System. Additionally, the Department of Safety has worked with the RMS vendor, Versaterm, to ensure that system changes are incorporated into the Change Management process. We found that Technology Services has implemented three of the recommendations made; others have yet to be acted upon or fully implemented. Despite Technology Services efforts, auditors determined that risks to Police, Fire, and Sheriff Department records still exist due to outstanding recommendations. Backup and storage efforts are still in progress to address off site backup and storage, a backup frequency methodology, backup activity monitoring, reporting, and cross training for backup personnel. The removal of Police Records Management personnel from the records management system is occurring; however, Technology Services is working towards collecting the data to fully remove users from the associated server, database, and network accounts. Monitoring, patching, and anti virus updates are not fully implemented, leaving the database and operating system on servers vulnerable to security threats. As a result, the Audit Services Division may revisit these risk areas in future audits to ensure appropriate corrective action is taken. On behalf of the citizens of the City and County of Denver, we thank staff and leadership from the Department of Safety and Technology Services for their cooperation during our follow up effort and their dedicated public service. Page 7 Office of the Auditor