Commonwealth of Virginia Single Audit Report for the Year Ended ...

More documents

Recommendations

Info

Management Plan for Corrective Action for Alcoholic Beverage Control ABC does not concur with this finding. Retaining disabled accounts is required by the Commonwealth in both the Information Security Standard (SEC 501-06) and the Records Retention and Disposal Schedule of the Library of Virginia. ABC intentionally retains disabled accounts to maintain the integrity of its historical transactions because the accounts are tied to audit records, and removing the accounts would lead to orphaned records. The Information Security Standard, ITRM SEC 501-06 (Rev 4/11), published by the Virginia Information Technologies Agency (VITA), Section 5.2.2: Logical Access Control Account Management Requirements, specifically states: “Each agency shall or shall require that its service provider document and implement account management practices for requesting, granting, administering, and terminating accounts. At a minimum, these practices shall include the following components: 12. Disable unneeded accounts. 13. Retain unneeded accounts in a disabled state in accordance with the agency’s records retention policy.” ABC is in the process of developing record retention schedules for each system. Not all records are retained for three years; some records are retained for longer periods of time. The three year policy discussed with the APA was referencing the Library of Virginia Records Retention and Disposition General Schedule No. 113 which addresses account access. Other Library of Virginia Schedules reference different retention periods – the period is dependent upon the specific data being retained. For data with a longer retention periods, deleting accounts after three years would violate the policy. Additionally, the timeframe is “x” number of years after no longer required, not from creation. For example “Contract and Agreement Records” (GS- 101 Series 100312) says “Retain 5 years after termination.” A contract may last ten years, in which case the record (and, in theory, related accounts) would be 15 years old before destroyed. Reviewing disabled user account activity is not required by the standards and would require significant system architecture/design changes, would require significant investment, and would be of negligible value. In order to be used, the account must be re-enabled, in which case reviewing “disabled” accounts would show no activity. ABC has internal controls built into its various sensitive systems that prevent or mitigate the risk of a current employee enabling a disabled account and being able to improperly use it. For example, in order to reactivate and use an account in MyABC, ABC’s Human Resource System, a Personnel Action Notice would need to be generated and approved by the HR manager or director. 13
ABC is required by the Commonwealth’s IT Standards, and Library of Virginia, to disable accounts and retain those accounts for the same time period required by its data retention policy. While we welcome the Auditor of Public Accounts’ opinion, we respectfully disagree. ABC is in compliance with the required Standards and has invested considerable resources in internal controls to prevent unauthorized use of accounts. We believe that dedicating resources to review disabled accounts is not an efficient use of ABC’s resources and would provide little benefit for the costs involved. Responsible Party: Andrew Hallberg, Information Security Officer Estimated Completion Date: June 30, 2013 APA’s Comments on Management’s Response Retaining user accounts in a disabled state after an employee’s termination introduces the risk for fraud. An account may be re-enabled, used to process a transaction and disabled again. Without an internal control to detect whether disabled accounts have been used to process transactions, the department may not timely detect fraudulent transactions. Our recommendation relates to those systems not yet migrated into “Account Central,” ABC’s new system to centrally manage and monitor user accounts. While Account Central has the proper controls to manager user accounts, ABC does not have a project plan that outlines when all their sensitive systems are supposed to be migrated. After considering ABC’s response, our opinion remains the same. We recommend that ABC implement controls to detect the increased risk of fraudulent transactions resulting from maintaining accounts in a disabled state. SYSTEMS SECURITY PROGRAM 11-06: Enhance Information Systems Security Program Applicable to: Department of Motor Vehicles The Department of Motor Vehicles (Motor Vehicles) does not update or maintain its information security program to address data safeguard weaknesses in its IT environment. In some cases these weaknesses also reflect instances of non-compliance with Commonwealth IT security standards. Without proper safeguards to protect confidential and mission critical information, Motor Vehicles incurs an increased risk of a loss of data confidentiality, compromised data integrity and unavailable data when needed. Since our recommendations include descriptions of security mechanisms, which are exempt from public disclosure under the Code of Virginia, management received a separate document containing a detailed description of our recommendations. The following is a public summary: 14
Page 1 and 2: COMMONWEALTH OF VIRGINIA SINGLE AUD
Page 3 and 4: - T A B L E O F C O N T E N T S - P
Page 5 and 6: INDEPENDENT AUDITOR’S REPORT ON I
Page 7 and 8: REPORT ON COMPLIANCE WITH REQUIREME
Page 9 and 10: prepare the financial statements. T
Page 11 and 12: 84.318, 84.386 Educational Technolo
Page 13 and 14: We further recommend that Motor Veh
Page 15: Not including the specific access o
Page 19 and 20: We recommend that Motor Vehicles de
Page 21 and 22: Management Plan for Corrective Acti
Page 25 and 26: 11-10: Improve Information Security
Page 27 and 28: We recommend that DMV dedicate the
Page 29 and 30: 11-14: Improve Microsoft SQL Server
Page 31 and 32: 11-16: Refine Estimates and Report
Page 35 and 36: ecord of the individuals receiving
Page 37 and 38: We recommend that Social Services d
Page 39 and 40: alternative solutions with the Depa
Page 41 and 42: U.S. DEPARTMENT OF EDUCATION 11-23:
Page 49 and 50: COMMONWEALTH OF VIRGINIA Resolution
Page 55 and 56: COMMONWEALTH OF VIRGINIA Schedule o
Page 67 and 68:
COMMONWEALTH OF VIRGINIA Schedule o
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
is classified as direct expenditure
Page 125 and 126:
Federal Department Detail Amount Ex
Page 127 and 128:
$205,061 are not included in the ac
Page 129 and 130:
financial assistance will be reflec
Page 131 and 132:
CFDA # Federal Program Name Amount
Page 133 and 134:
Page 135 and 136:
Page 137:
COMMONWEALTH OF VIRGINIA CONTACT LI
show all

Commonwealth of Virginia Single Audit Report for the Year Ended ...

Create successful ePaper yourself

Delete template?

Save as template?