Security and Effectiveness of the Department of Labor’s Unemployment Insurance System

Issued Date
February 24, 2015
Agency/Authority
Information Technology Services, Office of 

Purpose

To determine whether the Department of Labor’s (Department) Unemployment Insurance System is secure, operating effectively, and available to continue critical processing in the event of a disaster or mishap that disables normal processing. This audit covers the period February 12, 2014 through September 23, 2014.

Background

The New York State Office of Information Technology Services (ITS) was established in November 2012 as part of a New York State IT transformation to consolidate and merge State agencies and streamline services. ITS is responsible for providing centralized information technology (IT) services to the State and its governmental agencies. ITS’ Enterprise Operations group oversees systems operations and service management, and the Enterprise Information Security Office (EISO) is responsible for oversight and coordination of security services. ITS organized 42 of the State agencies into nine clusters based on type of service provided. The Department is one of five agencies that comprise the Human Services Cluster. During the transition to ITS Enterprise-developed policies and processes, ITS is charged with ensuring proper controls are in place to protect the vast amount of personal data stored in the Department’s systems, maintaining compliance with applicable security standards, and ensuring continuity of effective and efficient operations.

Key Findings

  • The Unemployment Insurance System data has not yet been classified as required by current Security Policy, even though 80 of the 83 unemployment insurance applications in use by the Department have been deemed mission critical. The Security Policy indicates that all agency information should be classified on an ongoing basis based on its confidentiality, integrity, and availability.
  • Almost two years after the transition of services, ITS still does not have a Service Level Agreement in place governing responsibilities and services provided to the agencies that comprise the Human Services Cluster, including the Department. Specifically, the Service Level Agreement defines mutual expectations, roles and responsibilities, service level outcomes, and financial commitments.
  • Although mainframe programming changes are logged, there is no indication of when these changes have been implemented, thereby reducing accountability.

Key Recommendations

  • Complete the process of classifying the unemployment insurance data.
  • Complete and sign the new Service Level Agreement as soon as possible.
  • Maintain a completion date of all patches/changes applied to Department software to ensure the integrity of the unemployment insurance data.

Other Related Audits/Reports of Interest

Office for Technology: Procurement and Contracting Practices (2010-S-71)
Office of Information Technology Services: Procurement and Contracting Practices (2013-F-24)

State Government Accountability Contact Information:
Audit Director: John Buyce
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236