New York City Department of Correction

Follow-up Review of Audit Reports on the Adequacy of Controls over the Inmate Information System

The three reports in this follow-up review contained a total of 99 recommendations. Of the 99, we made 90 recommendations to assist the Department in addressing issues raised. Our follow-up found DOC has not implemented 41 of the recommendations, 25 have been partially implemented, and 24 were implemented. The remaining nine recommendations were to the Mayor's Office of Operations (four recommendations) and Office of Computer Plans and Controls (five recommendations); eight of the nine were not implemented and one was no longer applicable. Some of the major current weaknesses we found at DOC include: the Inmate Information System (IIS) continues to have several access control weaknesses that make it susceptible to unauthorized use; the agency does not have a disaster recovery plan for IIS; DOC does not have staff adequately trained to audit IIS; there are poor inventory controls over millions of dollars of computer equipment; and there is lack of compliance with the Criminal Procedure Law regarding sealing of inmate records and with the City's system security standards. DOC officials stated that they still agree with many of the original recommendations, but lack adequate resources such as computer programming staff precludes implementing many of them. A-5-96