Purpose

To determine whether the Division of Criminal Justice Services’ (Division) selected core systems are secure, operating effectively, and available to continue processing in the event of a disaster or mishap that disables normal processing. This audit covers the period May 22, 2014 through October 22, 2014.

Background

The New York State Office of Information Technology Services (ITS) was established in November 2012 as part of a New York State IT transformation to consolidate and merge State agencies and streamline services. ITS is responsible for providing centralized information technology (IT) services to the State and its governmental agencies, and is headed by a Chief Information Officer. ITS’s Enterprise Information Security Office (EISO) is responsible for oversight and coordination of security services. ITS organized approximately 40 executive State agencies into nine clusters based on the type of service provided. The Division is one of eight agencies that comprise the Public Safety Cluster. The Division’s mission is to enhance public safety and improve criminal justice. During the transition to ITS Enterprise-developed policies and processes, ITS is charged with ensuring proper controls are in place to protect the vast amount of personal data stored in the Division’s systems, maintain compliance with applicable standards, and ensure continuity of effective and efficient operations.

Key Findings

• ITS does not have an established monitoring and oversight process for user access management of Division systems and is not operating in compliance with State Cyber Security Policies.
• ITS does not have established policies and procedures for backup of key Division systems. Also, ITS does not have an active regional backup site, and Division systems are at risk for total data loss in the event of a regional disaster.
• ITS does not have an established monitoring and oversight process for software or operating systems and changes made to these systems.

Key Recommendations

• Adhere to the New York State IT Account Management/Access Control Standard, as issued by the EISO, by establishing a Cluster process for granting, modifying, removing, tracking, and monitoring access privileges.
• Establish a comprehensive process to inventory and monitor Division data, operating systems, and software assets as well as their associated versions. Remove unsupported systems and software or update them to vendor-supported levels.
• Establish Cluster-level backup and recovery policies. Coordinate with the Division to develop and regularly test a comprehensive disaster recovery plan.

Other Related Audits/Reports of Interest

Office for Technology: Procurement and Contracting Practices (2010-S-71)
Office of Information Technology Services: Procurement and Contracting Practices (2013-F-24)