Audit Report

Comptroller of the Treasury
Information Technology Division

September 2006

OFFICE OF LEGISLATIVE AUDITS
DEPARTMENT OF LEGISLATIVE SERVICES
MARYLAND GENERAL ASSEMBLY
This report and any related follow-up correspondence are available to the public through the Office of Legislative Audits at 301 West Preston Street, Room 1202, Baltimore, Maryland 21201. The Office may be contacted by telephone at 410-946-5900, 301-970-5900, or 1-877-486-9964. Electronic copies of our audit reports can be viewed or downloaded from our website at http://www.ola.state.md.us. Alternate formats may be requested through the Maryland Relay Service at 1-800-735-2258. The Department of Legislative Services Office of the Executive Director, 90 State Circle, Annapolis, Maryland 21401 can also assist you in obtaining copies of our reports and related correspondence. The Department may be contacted by telephone at 410-946-5400 or 301-970-5400.
September 13, 2006

Senator Nathaniel J. McFadden, Co-Chair, Joint Audit Committee
Delegate Charles E. Barkley, Co-Chair, Joint Audit Committee
Members of Joint Audit Committee
Annapolis, Maryland

Ladies and Gentlemen:

We have audited the Comptroller of the Treasury (COT) - Information Technology Division (ITD). Our audit included an internal control review of the COT data center and the network administered by ITD that supports ITD and customer agencies.

Our audit disclosed that changes to certain critical production procedure libraries and operating system files were not reviewed and approved. In addition, Internet firewall logs were not regularly reviewed.

Respectfully submitted,

Bruce A. Myers, CPA
Legislative Auditor
Background Information

Agency Responsibilities

The Information Technology Division (ITD) operates the Annapolis Data Center as a computer service bureau. All operating costs are reimbursed by user agencies that are charged for services performed. In addition, ITD develops and maintains application systems for the Comptroller of the Treasury and certain other State agencies, operates a statewide computer network, and provides a data center disaster recovery capability. Additionally, ITD maintains the operating system and security software environment in which agency applications are executed. According to the State's records, the ITD fiscal year 2006 budget totaled approximately $20.3 million.

Current Status of Findings From Preceding Audit Report

Our audit included a review to determine the current status of the four findings contained in our preceding audit report dated January 6, 2004. We determined that ITD satisfactorily addressed three of the four findings. The remaining finding is repeated in this report.
Findings and Recommendations

Data Center Security and Network Controls

Background

The Department of Budget and Management's (DBM) Information Technology Security Policy and Standards stipulates that all State agencies must ensure that information is accessed by the appropriate persons for authorized use only. To accomplish this, the ITD computer system contains security software which is capable of restricting access to data files, online transactions, and programs, and is capable of providing a record of all file, transaction, and program modification accesses and all unauthorized attempted accesses to the computer system. In addition, ITD maintains an internal network that includes various servers, which support web-based services, system development, email, and file and print sharing. The ITD network has separate connections to the Internet, networkmaryland and the FMIS network. Firewalls exist at each of these separate ITD network connection points.

Finding 1

Controls over critical procedure libraries and operating system files were not adequate.

Analysis

Changes to critical production procedure libraries, which initiate and control the processing of agency production programs and data files, were not reviewed and approved. As a result, there was a lack of assurance that production data and production programs were being processed in a manner approved by management. Furthermore, modifications made to 20 critical operating system libraries were not subject to review and approval by supervisory personnel. This condition could ultimately result in undetected and unauthorized changes being made to user agency data files. A similar condition was commented upon in our preceding audit report.

Recommendation 1

We recommend that all modifications to critical production procedure libraries be properly reviewed and approved. We also again recommend that ITD management review and approve all changes to critical operating system files. Finally, we recommend that all such reviews and approvals be documented and retained.
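The condition described in Finding 1 (members of a critical library modified without a documented approval) is the kind of thing a periodic baseline comparison catches. The following is an added illustration written for this page, not code from the audit report or from ITD. The report does not name the platform, so the example models each procedure or operating system library as a directory of member files and each approval as a record of (member name, SHA-256 of the approved content, approver, change ticket); every member, hash and ticket in it is constructed sample data, and the "CR-" ticket scheme and the reviewer names are assumptions.

```python
"""Check a critical library against its approved baseline (added illustration).

Models each library as a directory of member files and each approval as
(member, SHA-256 of the approved content, approver, ticket).  Every member,
hash and ticket below is constructed sample data; the platform is assumed.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Approval:
    member: str
    sha256: str      # hash of the content that management approved
    approver: str
    ticket: str      # hypothetical change-request identifier


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_library(library_dir, approvals):
    """Classify every member as approved, changed without approval,
    added without approval, or approved-but-missing."""
    approved = {a.member: a for a in approvals}
    report = {"approved": [], "unapproved_change": [], "unapproved_member": [], "missing": []}
    on_disk = sorted(n for n in os.listdir(library_dir)
                     if os.path.isfile(os.path.join(library_dir, n)))
    for name in on_disk:
        digest = sha256_of(os.path.join(library_dir, name))
        rec = approved.get(name)
        if rec is None:
            report["unapproved_member"].append(name)   # nobody approved this member at all
        elif rec.sha256 == digest:
            report["approved"].append(name)
        else:
            report["unapproved_change"].append(name)   # content differs from what was approved
    for name in sorted(approved):
        if name not in on_disk:
            report["missing"].append(name)             # approved member deleted or renamed
    return report


def build_sample_library():
    """Write three constructed members to a temp dir; return it with a partly stale approval list."""
    root = tempfile.mkdtemp(prefix="proclib_")
    current = {
        "PAYROLL": b"//PAYROLL JOB\n//STEP1 EXEC PGM=PAYCALC\n",
        "BACKUP":  b"//BACKUP JOB\n//STEP1 EXEC PGM=IEBGENER\n",   # edited after approval
        "NEWJOB":  b"//NEWJOB JOB\n//STEP1 EXEC PGM=IEFBR14\n",    # never approved
    }
    for name, data in current.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    digest = lambda b: hashlib.sha256(b).hexdigest()
    approvals = [
        Approval("PAYROLL", digest(current["PAYROLL"]), "j.doe", "CR-1001"),
        Approval("BACKUP", digest(b"//BACKUP JOB\n//STEP1 EXEC PGM=ADRDSSU\n"), "j.doe", "CR-1002"),
        Approval("ARCHIVE", digest(b"//ARCHIVE JOB\n"), "a.smith", "CR-1003"),  # no longer on disk
    ]
    return root, approvals


def demo():
    root, approvals = build_sample_library()
    return audit_library(root, approvals)


if __name__ == "__main__":
    for category, members in demo().items():
        print(f"{category:18} {', '.join(members) or '-'}")
```

Only "approved" is a clean result; each of the other three categories is a member whose current state has no matching documented approval and should be traced to a change record or reverted. Retaining the approval list alongside the review output is what makes the review itself auditable.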
Finding 2

A critical firewall was not properly monitored.

Analysis

The ITD Internet firewall, which helped protect the ITD network from Internet-based attacks, was not properly monitored. We were advised that the firewall log files were not regularly reviewed to identify significant security events. In addition, the reviews that were performed were not documented. Without monitoring of these firewall logs, network attacks, intrusions, and other problems could go undetected until network resources have been significantly damaged. Therefore, regular documented firewall log reviews should be performed. The DBM Information Technology Security Policy and Standards mandates that critical portions of State agency networks be protected by firewalls, which are maintained on a timely basis and have proper monitoring of security audit trails.

Recommendation 2

We recommend that regular documented reviews of the ITD Internet firewall logs be performed and any unusual activity be investigated. We further recommend that all reviews of firewall logs and related investigations be documented and retained for future reference. Finally, ITD should also assess the adequacy of its firewall log review procedures for its other firewalls and, if necessary, apply similar adjustments to comply with the aforementioned DBM Policy.
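Finding 2 asks for two things: that firewall logs actually be examined for unusual activity, and that each review leave a retained record. The following is an added illustration written for this page, not code from the audit report or from ITD. The report does not name the firewall product or its log format, so the example assumes a simple constructed record format (ISO timestamp, ACCEPT or DENY, protocol, source, destination), an assumed internal address range of 10.0.0.0/8, assumed thresholds, and a constructed sample log; it applies three detection rules and returns a review record that names the reviewer, the time, the volume examined and the findings to investigate.

```python
"""Documented review of Internet firewall logs (added illustration, not from the report).

Assumed record format:  <ISO timestamp> <ACCEPT|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>
Addresses, thresholds and every log line are constructed sample data.
"""
import ipaddress
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r"^(\S+) (ACCEPT|DENY) (TCP|UDP) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
# Assumed internal address space; 198.51.100.0/24 and 203.0.113.0/24 (documentation
# ranges) stand in for Internet hosts, so membership is tested explicitly rather
# than with ipaddress.is_private, which treats those ranges as private.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SENSITIVE_PORTS = {23: "telnet", 445: "smb", 3389: "rdp"}  # assumed never allowed inbound
SWEEP_PORTS, SWEEP_WINDOW = 10, timedelta(seconds=60)        # assumed port-sweep threshold
EGRESS_DENY_MIN = 5                                           # assumed repeated-egress threshold


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return a dict for a well-formed record, or None so the caller can count it."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, sport, dst, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "action": action, "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def review_firewall_log(lines, reviewer, reviewed_at):
    events, unparsed = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1        # counted, never silently dropped
        else:
            events.append(ev)
    findings = []

    # Rule 1: one external source denied on many distinct ports within a short window (port sweep).
    denied_by_src = defaultdict(list)
    for ev in events:
        if ev["action"] == "DENY" and not is_internal(ev["src"]):
            denied_by_src[ev["src"]].append(ev)
    for src, evs in denied_by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            ports = {e["dport"] for e in evs[i:] if e["ts"] - first["ts"] <= SWEEP_WINDOW}
            if len(ports) >= SWEEP_PORTS:
                findings.append({"rule": "port_sweep", "source": src, "distinct_ports": len(ports),
                                 "first_seen": first["ts"].isoformat()})
                break

    # Rule 2: a sensitive service accepted from outside, which the ruleset should never permit.
    for ev in events:
        if ev["action"] == "ACCEPT" and not is_internal(ev["src"]) and ev["dport"] in SENSITIVE_PORTS:
            findings.append({"rule": "sensitive_inbound_accept", "source": ev["src"],
                             "destination": ev["dst"], "service": SENSITIVE_PORTS[ev["dport"]],
                             "seen": ev["ts"].isoformat()})

    # Rule 3: an internal host repeatedly denied outbound to one external host:port (possible compromise).
    egress = defaultdict(int)
    for ev in events:
        if ev["action"] == "DENY" and is_internal(ev["src"]) and not is_internal(ev["dst"]):
            egress[(ev["src"], ev["dst"], ev["dport"])] += 1
    for (src, dst, dport), n in egress.items():
        if n >= EGRESS_DENY_MIN:
            findings.append({"rule": "repeated_egress_deny", "source": src,
                             "destination": f"{dst}:{dport}", "count": n})

    # The review record is the evidence that a review happened; it is what gets retained.
    return {"reviewer": reviewer, "reviewed_at": reviewed_at.isoformat(), "lines_total": len(lines),
            "lines_unparsed": unparsed, "findings": findings,
            "disposition": "investigate" if findings else "no unusual activity"}


SAMPLE_LOG = (  # constructed sample, not ITD data
    ["2006-03-01T02:10:00 ACCEPT TCP 198.51.100.23:40112 -> 10.20.0.5:80",
     "2006-03-01T02:10:04 ACCEPT TCP 198.51.100.23:40113 -> 10.20.0.5:443"]
    # 203.0.113.7 probes twelve ports on one server within twelve seconds
    + [f"2006-03-01T02:14:{i:02d} DENY TCP 203.0.113.7:51200 -> 10.20.0.9:{20 + i}" for i in range(12)]
    # telnet to an internal host accepted from the Internet
    + ["2006-03-01T02:20:31 ACCEPT TCP 198.51.100.4:3344 -> 10.20.0.12:23"]
    # an internal workstation denied outbound IRC six times
    + [f"2006-03-01T02:3{i}:00 DENY TCP 10.1.5.22:4{i}000 -> 198.51.100.9:6667" for i in range(6)]
    + ["this line is not a firewall record"]
)
REVIEW_TIME = datetime(2006, 3, 1, 8, 0, tzinfo=timezone.utc)


def demo():
    return review_firewall_log(SAMPLE_LOG, "reviewer.name", REVIEW_TIME)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record it returns is deliberately written even when nothing is found, since "reviewed, no unusual activity" is the documentation the finding says was absent. The three rules are starting points; the thresholds and the list of sensitive services are assumptions and would be tuned to the firewall's actual ruleset.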
Audit Scope, Objectives, and Methodology

We have audited the Comptroller of the Treasury (COT) Information Technology Division (ITD). Fieldwork associated with our review of the data center was conducted during the period from November 2005 to April 2006. Additionally, fieldwork associated with our review of the network was conducted during the period from February 2006 to May 2006. The audit was conducted in accordance with generally accepted government auditing standards.

As prescribed by the State Government Article, Section 2-1221 of the Annotated Code of Maryland, the objectives of this audit were to examine ITD's internal control over the COT data center and network, and to evaluate its compliance with applicable State laws, rules, and regulations for the computer systems that support COT and user agencies. ITD fiscal operations are audited separately and the results of those audits are included in our fiscal/compliance audit reports on ITD. The latest report, which covered ITD fiscal operations, was issued on November 15, 2005. We also determined the current status of the findings contained in our preceding audit report on ITD, dated January 6, 2004.

In planning and conducting our audit, we focused on the major areas of operations based on assessments of materiality and risk. Our audit procedures included inquiries of appropriate personnel, inspections of documents and records, and observations of ITD operations. We also tested transactions and performed other auditing procedures that we considered necessary to achieve our objectives. Data provided in this report for background or informational purposes were deemed reasonable, but were not independently verified.

ITD management is responsible for establishing and maintaining effective internal control. Internal control is a process designed to provide reasonable assurance that objectives pertaining to the reliability of financial records, effectiveness and efficiency of operations including safeguarding of assets, and compliance with applicable laws, rules, and regulations are achieved. Because of inherent limitations in internal control, errors or fraud may nevertheless occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that conditions may change or compliance with policies and procedures may deteriorate.

Our reports are designed to assist the Maryland General Assembly in exercising its legislative oversight function and to provide constructive recommendations for improving State operations. As a result, our reports generally do not address activities we reviewed that are functioning properly.

This report includes findings that we consider to be significant deficiencies in the design or operation of internal control that could adversely affect ITD's ability to maintain reliable financial records, operate effectively and efficiently, and/or comply with applicable laws, rules, and regulations. Our report also includes a finding regarding a significant instance of noncompliance with applicable laws, rules, or regulations. Other less significant findings were communicated to ITD that did not warrant inclusion in this report.

The response from the Comptroller, on behalf of ITD, to our findings and recommendations, is included as an appendix to this report. As prescribed in the State Government Article, Section 2-1224 of the Annotated Code of Maryland, we will advise the Comptroller regarding the results of our review of its response.
AUDIT TEAM

Stephen P. Jersey, CPA, CISA
A. Jerome Sokol, CPA
Information Systems Audit Managers

Richard L. Carter, CISA
R. Brendan Coffey, CPA
Information Systems Senior Auditors

David J. Burger
Amanda L. Trythall
Information Systems Staff Auditors