Commonwealth of Virginia Single Audit Report for the Year Ended ...

More documents

Recommendations

Info

Timely Deletion of User Accounts We found nine individuals with active accounts to critical systems that no longer required this access. Allowing terminated employees to retain their access increases the possibility that disgruntled employees could jeopardize BHDS’ critical information. To reduce this risk, BHDS’ Security Officers for critical systems should conduct periodic reviews to ensure that managers delete terminated employees’ accounts from their systems promptly as required by the Commonwealth’s System Security Standards. Management Plan for Corrective Action for Department of Behavioral Health and Developmental Services The DBHDS Office of Internal Audit and DBHDS will work with each security region to determine what access needs to be removed from the 32 employees identified as having inappropriate access levels. Completion of required job duties will be considered when determining the access levels of these employees. The Table Maintenance access of those employees with financial duties will be reviewed and deleted where possible. FMS and Avatar access reviews will be part of the Office of Internal Audit’s annual audit plan. In the past, access has been inactivated for those employees who separated employment from DBHDS. Access will now be deleted for employees who are no longer employed with DBHDS. Additional training on internal controls as it relates to systems access will be conducted by the Office of Internal Audit. Responsible Party: Randy Sherrod (Director of Internal Audit), Russell Sarbora (Director of Information Technology) Estimated Completion Date: July 1, 2012 11-04: Improve Systems Access Controls Applicable to: State Corporation Commission The Commission needs to improve system access controls over the Commission’s systems. Managers and supervisors request system access by completing a Security Access Request form; however, the form does not contain detailed information that specifies the type of access that the employee needs for some of the agency’s systems. This lack of information about the employee’s need for access requires system administrators to communicate with the employee’s supervisor to determine what type of access individuals require. This communication may take place through different methods and system administrators do not always document these communications. The Commission should also improve its policy over terminating access to the agency’s systems. The Commission should consider an agency-wide process that Personnel initiates upon termination of any employee notifying all system administrators of the termination and the process should address the need to terminate system access within a defined time frame. Currently, the Commission’s policy does not specify a time frame for disabling or deleting system’s access. 11
Not including the specific access on the Security Access Request form and not specifying a time frame for deleting or disabling system access in the agency’s policies increases the risk of employee’s having unnecessary access to sensitive and high risk applications. Therefore, the Commission should establish a policy that documents the specific access needed by agency employees and a policy that defines a reasonable time frame for disabling and deleting systems access. Management Plan for Corrective Action for State Corporation Commission Access Levels: Commission current policies outline the concepts of least privilege and the established access requirements to SCC Systems. The System Access Request form will be revised to include the specific access level requested for each user’s application. Defined Timeframe: During the existing annual review of the security policies, the Commission will evaluate and revise the Access and Account Management Policy as necessary to define a reasonable time frame for disabling or deleting systems access. Responsible Party: Information Technology Officer and Information Security Officer Estimated Completion Date: December 31, 2012 11-05: Improve User Account Controls Applicable to: Alcoholic Beverage Control The Department of Alcoholic Beverage Control (ABC) neither deletes disabled user accounts nor reviews disabled user account activity. While certain access restrictions would prevent nonsystem users from improperly using these accounts, a knowledgeable insider could use the lack of account monitoring and not deleting the accounts to take advantage of this lack of control to improperly circumvent the system without detection. Most breaches of information security and loss of data and assets comes from insiders taking advantage of the system. ABC’s data retention policy requires the removal of disabled user accounts from Information Technology (IT) systems after three years. However, ABC is not enforcing its data retention policy nor is ABC monitoring disabled user account access to ensure that no one has improperly used the accounts. Both the monitoring and the eventual removal are essential internal controls to protect information and assets. Therefore, we recommend that ABC dedicate the necessary resources to delete disabled user accounts and monitor disabled user accounts for unusual activity. ABC also needs to re-evaluate its current three year user account retention policy and develop a policy where the timeframe is commensurate with the risk identified in its IT risk assessment and business impact analysis. 12
Page 1 and 2: COMMONWEALTH OF VIRGINIA SINGLE AUD
Page 3 and 4: - T A B L E O F C O N T E N T S - P
Page 5 and 6: INDEPENDENT AUDITOR’S REPORT ON I
Page 7 and 8: REPORT ON COMPLIANCE WITH REQUIREME
Page 9 and 10: prepare the financial statements. T
Page 11 and 12: 84.318, 84.386 Educational Technolo
Page 13: We further recommend that Motor Veh
Page 17 and 18: ABC is required by the Commonwealth
Page 19 and 20: We recommend that Motor Vehicles de
Page 21 and 22: Management Plan for Corrective Acti
Page 25 and 26: 11-10: Improve Information Security
Page 27 and 28: We recommend that DMV dedicate the
Page 29 and 30: 11-14: Improve Microsoft SQL Server
Page 31 and 32: 11-16: Refine Estimates and Report
Page 35 and 36: ecord of the individuals receiving
Page 37 and 38: We recommend that Social Services d
Page 39 and 40: alternative solutions with the Depa
Page 41 and 42: U.S. DEPARTMENT OF EDUCATION 11-23:
Page 49 and 50: COMMONWEALTH OF VIRGINIA Resolution
Page 55 and 56: COMMONWEALTH OF VIRGINIA Schedule o
Page 65 and 66:
COMMONWEALTH OF VIRGINIA Schedule o
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
is classified as direct expenditure
Page 125 and 126:
Federal Department Detail Amount Ex
Page 127 and 128:
$205,061 are not included in the ac
Page 129 and 130:
financial assistance will be reflec
Page 131 and 132:
CFDA # Federal Program Name Amount
Page 133 and 134:
Page 135 and 136:
Page 137:
COMMONWEALTH OF VIRGINIA CONTACT LI
show all

Commonwealth of Virginia Single Audit Report for the Year Ended ...

Create successful ePaper yourself

Delete template?

Save as template?