Department of Transportation Office of Transportation Technology Services

Audit Report
Department of Transportation
Office of Transportation Technology Services
October 2005

OFFICE OF LEGISLATIVE AUDITS
DEPARTMENT OF LEGISLATIVE SERVICES
MARYLAND GENERAL ASSEMBLY

This report and any related follow-up correspondence are available to the public through the Office of Legislative Audits at 301 West Preston Street, Room 1202, Baltimore, Maryland 21201. The Office may be contacted by telephone at 410-946-5900, 301-970-5900, or 1-877-486-9964. Electronic copies of our audit reports can be viewed or downloaded from our website at http://www.ola.state.md.us. Alternate formats may be requested through the Maryland Relay Service at 1-800-735-2258. The Department of Legislative Services Office of the Executive Director, 90 State Circle, Annapolis, Maryland 21401 can also assist you in obtaining copies of our reports and related correspondence. The Department may be contacted by telephone at 410-946-5400 or 301-970-5400.

October 17, 2005

Delegate Charles E. Barkley, Co-Chair, Joint Audit Committee
Senator Nathaniel J. McFadden, Co-Chair, Joint Audit Committee
Members of Joint Audit Committee
Annapolis, Maryland

Ladies and Gentlemen:

We have audited the Maryland Department of Transportation - Office of Transportation Technology Services (OTTS). Our audit included an internal control review of the OTTS data center and the network administered by OTTS that supports the Maryland Department of Transportation (MDOT) and its modal agencies.

Our audit disclosed that proper internal control had not been established over several significant areas. Specifically, OTTS lacked assurance that certain critical system and database files were adequately protected. Furthermore, numerous inactive accounts existed on the mainframe computer and security software reports were not properly controlled. Finally, the MDOT internal network was not adequately protected from external exposures. Consequently, unauthorized changes could be made to critical agency data such as driver license or interstate commercial vehicle records.

Systems that operate on the OTTS computing platform include the Motor Vehicle Administration's Titling and Registration Information System, the Administration's Drivers Licensing Processing System, MDOT's Financial Management Information System and MDOT's payroll system.

Respectfully submitted,

Bruce A. Myers, CPA
Legislative Auditor

Table of Contents

Background Information
  Agency Responsibilities and Description
  Current Status of Findings From Preceding Audit Report

Findings and Recommendations
  Data Center Information System Security and Control
    Finding 1 - Controls Over Operating System Files, Mainframe Inactive User Accounts and Security Reports Were Not Sufficient
  Database Security and Control
    * Finding 2 - Access and Recordation Controls Over a Critical Database Were Not Adequate
    Finding 3 - Data Security Controls Pertaining to a Critical OTTS Database Application Were Not Adequate
  Network Security and Control
    Finding 4 - The MDOT Internal Computer Network Was Not Adequately Secured From External Exposures

Audit Scope, Objectives, and Methodology

Agency Response (Appendix)

* Denotes item repeated in full or part from preceding audit report

Background Information

Agency Responsibilities and Description

The Maryland Department of Transportation - Office of Transportation Technology Services (OTTS) provides computing resources to the various modal units of the Maryland Department of Transportation (MDOT) and operates as a computer service bureau for these units, which are charged for services performed. OTTS staff provides computing, networking and telecommunications services for MDOT's modal units and headquarters. Additionally, the OTTS maintains the operating system and security software with which all applications are executed.

OTTS operates a mainframe computer for applications, which include the Motor Vehicle Administration's Titling and Registration Information System, the Administration's Drivers Licensing Processing System, the MDOT's Financial Management Information System and MDOT's payroll system. In addition, OTTS also operates certain server based applications, such as the Maryland International Registration Plan which processes the registration of interstate commercial vehicles and associated fees.

OTTS, in conjunction with a MDOT contractor, operates a Wide Area Network (WAN) connecting computer users from the modal units and headquarters, as well as providing connections to a few State networks and to multiple external vendor networks associated with the modal units' activities. The WAN performs data transmission using a large number of outlying routers and key core routers. MDOT's modal units use the WAN to connect with the aforementioned mainframe applications and to send and receive communications for these applications. The modal units also use the WAN for external Internet access, with all such transmissions being controlled by either the OTTS central Internet firewall or by a dedicated virtual private network device that authenticates and safeguards such Internet transmissions.

For fiscal year 2005, OTTS had 115.5 authorized positions and a budget of approximately $36 million.

See below for a graphic depiction of OTTS and its components.

[Figure: Overview of the OTTS Networking Environment. The OTTS operates a network that includes numerous servers, a mainframe computer, and connectivity to the MDOT modals, MDOT business partners, State networks and the Internet.]

Current Status of Findings From Preceding Audit Report

Our audit included a review to determine the current status of the five findings contained in our preceding audit report dated November 19, 2002. We determined that OTTS satisfactorily addressed four of these five findings. The remaining finding is repeated in this report.

Findings and Recommendations

Data Center Information System Security and Control

Finding 1
Controls over critical operating system files, mainframe inactive user accounts and security reports were not sufficient.

Analysis
Controls over critical operating systems files, mainframe inactive user accounts and security reports were not sufficient. Specifically, we noted the following conditions:

- The report of changes to critical operating system files omitted several critical operating system libraries from its selection list. In addition, the parameters in a critical report could be changed, without detection by management, because such changes were not recorded for review. Furthermore, approval entries, which provide evidence that changes to operating system files were reviewed and approved by appropriate personnel, could not be located for many changes tested. Finally, critical operating system files that were renamed or replaced were not reviewed for propriety.

- Twenty-two activated user accounts on the OTTS mainframe computer system had not been used for periods ranging from 3 months to 7 years. Furthermore, 12 of these accounts had never been used. Unused user accounts can aggravate risks associated with other security weaknesses and can provide a means for improper system access to the OTTS mainframe system. The Department of Budget and Management's Information Technology Security Policy and Standards require an automated process to ensure that user accounts are disabled after 60 days of inactivity and deleted after 90 days.

- OTTS central security officers, who entered security access rule and user account modifications, also directly received and distributed security monitoring reports to modal security coordinators. As a result, the central security officers could initiate unauthorized changes to access rules and user accounts and withhold the related security reports from the modal security coordinators.

Ultimately, these conditions could result in undetected and unauthorized changes to user agency data and program files.

Recommendation 1
We recommend that OTTS establish adequate controls over critical operating systems files, inactive user accounts and security reports. Accordingly, we made detailed recommendations to OTTS which, if implemented, should provide adequate controls over these areas.

Database Security and Controls

Finding 2
Access and recordation controls over a critical database were not adequate.

Analysis
Fifteen data center staff had necessary but unrecorded modification access to mainframe FMIS database system files which allowed modification of the database. A similar condition was commented upon in our preceding audit report. Additionally, an old user account, that permitted full control over the FMIS database, was still assigned to a former employee. As a result of these conditions, critical production database files could be improperly modified or deleted, without detection by management.

Recommendation 2
We again recommend that mainframe database system file modifications be recorded and monitored to ensure that all changes made were proper. We also recommend that OTTS delete the former employee's user account from the security system.

Finding 3
Data security controls pertaining to a critical OTTS database application were not adequate.

Analysis
Data security controls pertaining to the Maryland International Registration Plan (MIRP) system were not adequate. Specifically, we noted the following conditions:

- Password length, expiration and history and account lockout and sharing did not meet the requirements of the Department of Budget and Management's Information Technology Security Policy and Standards. For example, the database system password length was set to one character, instead of the required password length of eight characters, and the database system account lockout was not utilized (that is, accounts were not disabled after a set number of failed login attempts).

- MIRP database access rules inappropriately permitted five users unnecessary, direct modification access to critical MIRP database directories and associated database configuration and control files.

- Security monitoring for the MIRP database was inadequate because auditing capabilities for the database system were not enabled.

MIRP is an application used for the registration of interstate commercial vehicles and the collection of associated fees. As a result of the above conditions, unauthorized or inappropriate changes could be made to the database without detection by management.

Recommendation 3
We recommend that MIRP password and user account settings comply with the requirements of the aforementioned Policy. We also recommend that the MIRP database access rules permit modification access to only those individuals who require such access for their job responsibilities. Finally, we recommend that MIRP database auditing be enabled, and the recorded information be reported, reviewed and documented, with evidence of the reviews retained for audit verification.

Network Security and Control

Finding 4
The MDOT internal computer network was not adequately secured from external exposures.

Analysis
The MDOT internal network was not adequately secured from external exposures. Specifically, certain traffic from untrusted third party networks and two untrusted State related networks was not adequately filtered and, therefore, could access all MDOT internal network devices. In addition, several MDOT critical servers, accessible to external parties and secured in separate zones inside MDOT's network, were improperly permitted access to all internal network devices. Access rules for critical network devices should use a least privilege security strategy which gives users only the access needed to perform assigned tasks.

Recommendation 4
We recommend that adequate firewall controls be established to protect the internal network from external exposures. We made detailed recommendations to OTTS which, if implemented, should provide for adequate security over MDOT's internal network.
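The two requirements the report states numerically, disabling accounts after 60 days of inactivity and deleting them after 90 (Finding 1), and an eight-character minimum password length with account lockout enabled (Finding 3), can be turned into the kind of automated review the policy calls for. The following is an added example, not part of the audit report or of OTTS's tooling; the account records and database settings are constructed, and measuring a never-used account's idleness from its creation date is an assumption the report does not spell out.

```python
"""Review account records and database settings against the Department of
Budget and Management requirements quoted in the report: disable accounts
unused for 60 days, delete after 90, and require an eight-character minimum
password length with account lockout after failed logins."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

DISABLE_AFTER_DAYS = 60   # policy threshold quoted in Finding 1
DELETE_AFTER_DAYS = 90    # policy threshold quoted in Finding 1
MIN_PASSWORD_LENGTH = 8   # requirement quoted in Finding 3


@dataclass
class Account:
    user_id: str
    created: date
    last_used: Optional[date]   # None means the account has never been used
    active: bool = True


def review_account(acct: Account, today: date) -> str:
    """Return the action the policy requires: 'ok', 'disable' or 'delete'.
    Assumption: a never-used account is measured from its creation date,
    since the report treats never-used active accounts as an exposure."""
    if not acct.active:
        return "ok"   # already disabled; nothing further for this check
    reference = acct.last_used or acct.created
    idle_days = (today - reference).days
    if idle_days >= DELETE_AFTER_DAYS:
        return "delete"
    if idle_days >= DISABLE_AFTER_DAYS:
        return "disable"
    return "ok"


def review_accounts(accounts: List[Account], today: date) -> Dict[str, str]:
    """Map each user ID to the required action, for the review report."""
    return {a.user_id: review_account(a, today) for a in accounts}


def review_password_settings(settings: dict) -> List[str]:
    """Return findings for a database's password and lockout settings.
    Only the requirements the report states numerically are checked."""
    findings = []
    length = settings.get("min_password_length", 0)
    if length < MIN_PASSWORD_LENGTH:
        findings.append(f"password length {length} is below the required "
                        f"{MIN_PASSWORD_LENGTH} characters")
    if not settings.get("lockout_enabled", False):
        findings.append("account lockout after failed logins is not enabled")
    return findings


# Constructed sample data (not from the report), reviewed as of a fixed date.
TODAY = date(2005, 9, 30)
SAMPLE_ACCOUNTS = [
    Account("OPER01", date(2004, 1, 15), date(2005, 9, 28)),        # 2 days idle
    Account("OPER02", date(2004, 1, 15), date(2005, 7, 20)),        # 72 days idle
    Account("TEMP07", date(2005, 3, 1), None),                      # never used
    Account("OLDDBA", date(1998, 6, 1), date(2002, 11, 3), False),  # already disabled
]
# Constructed settings: the weak configuration described in Finding 3
# (one-character passwords, no lockout) beside a compliant one.
WEAK_SETTINGS = {"min_password_length": 1, "lockout_enabled": False}
COMPLIANT_SETTINGS = {"min_password_length": 8, "lockout_enabled": True}

if __name__ == "__main__":
    for user, action in review_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{user}: {action}")
    for finding in review_password_settings(WEAK_SETTINGS):
        print("database finding:", finding)
```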

Audit Scope, Objectives, and Methodology

We have audited the Maryland Department of Transportation (MDOT) - Office of Transportation Technology Services (OTTS). Fieldwork associated with our review of the data center was conducted during the period from June 2004 to September 2004. Additionally, fieldwork associated with our review of the network was conducted during the period from March 2005 to June 2005. The audit was conducted in accordance with generally accepted government auditing standards.

As prescribed by the State Government Article, Section 2-1221 of the Annotated Code of Maryland, the objectives of this audit were to examine OTTS internal control over its data center and network and to evaluate its compliance with applicable State laws, rules, and regulations for the computer systems that support MDOT and modal user agencies. OTTS fiscal operations are audited separately as part of our audit of the MDOT Secretary's Office. The latest report which covered OTTS fiscal operations was issued on February 5, 2003. We also determined the current status of the findings contained in our preceding audit report on OTTS.

In planning and conducting our audit, we focused on the major areas of operations based on assessments of materiality and risk. Our audit procedures included inquiries of appropriate personnel, inspections of documents and records, and observations of OTTS operations. We also tested transactions and performed other auditing procedures that we considered necessary to achieve our objectives.

OTTS management is responsible for establishing and maintaining effective internal control. Internal control is a process designed to provide reasonable assurance that objectives pertaining to the reliability of financial records, effectiveness and efficiency of operations including safeguarding of assets, and compliance with applicable laws, rules, and regulations are achieved.

Because of inherent limitations in internal control, errors or fraud may nevertheless occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that conditions may change or compliance with policies and procedures may deteriorate.

Our reports are designed to assist the Maryland General Assembly in exercising its legislative oversight function and to provide constructive recommendations for improving State operations. As a result, our reports generally do not address activities we reviewed that are functioning properly.

This report includes findings relating to conditions that we consider to be significant deficiencies in the design or operation of internal control that could adversely affect OTTS' ability to maintain reliable financial records, operate effectively and efficiently and/or comply with applicable laws, rules, and regulations. Our report includes findings regarding significant instances of noncompliance with applicable laws, rules, or regulations. Other less significant findings were communicated to OTTS that did not warrant inclusion in this report.

MDOT's response, on behalf of OTTS, to our findings and recommendations is included as an appendix to this report. As prescribed in the State Government Article, Section 2-1224 of the Annotated Code of Maryland, we will advise MDOT regarding the results of our review of its response.

Maryland Department of Transportation
Office of Transportation Technology Services
Draft Audit Report Responses

Data Center Information System Security and Control

Finding #1
Controls over critical operating system files, mainframe inactive user accounts and security reports were not sufficient.

Response: The Administration concurs with the auditors' recommendation. OTTS will implement the recommended changes to ensure that controls over system files, inactive user accounts and security reporting are addressed by June 2006.

Database Security and Controls

Finding #2
Access and recordation controls over a critical database were not adequate.

Response: The Administration concurs with the auditors' recommendation. The old user account referenced will be removed from the security system by December 2005. The ACF2 rule for this database was changed to ensure that changes are logged. The mainframe database system file modifications will be recorded and monitored to ensure that all changes are proper.

Finding #3
Data security controls pertaining to a critical OTTS database application were not adequate.

Response: The Administration concurs with the auditors' recommendations. Auditing shall be enabled and reports reviewed and retained to ensure database changes made are proper. The database security shall comply with the State data security policy and database access rules will be limited to only those whose job responsibilities require it. These recommendations will be implemented beginning November 2, 2005 and completed by December 2005.

Network Security and Control

Finding #4
The MDOT internal computer network was not adequately secured from external exposures.

Response: The Administration concurs with the auditors' recommendations. OTTS will implement the necessary changes to ensure that the firewalls and internal networks are adequately secured from external exposures by June 2006.

AUDIT TEAM

A. Jerome Sokol, CPA
Information Systems Audit Manager

Richard L. Carter, CISA
R. Brendan Coffey, CPA
Albert E. Schmidt, CPA
Information Systems Senior Auditors

Veronica Arze
Amanda L. Trythall
Information Systems Staff Auditors