Commonwealth of Virginia Single Audit Report for the Year Ended ...

More documents

Recommendations

Info

• Information Security Program: Motor Vehicles developed each policy making up their information security program independently to address a specific need. Due to their separate nature, these policies present conflicting guidance, making implementation and enforcement more challenging. Further, in one instance a document has remained unapproved by management for more than two years. To the extent feasible, Motor Vehicles should eliminate any redundant or conflicting guidance to ensure staff compliance with their policies and procedures. Further, management should conduct an ongoing assessment and update of these documents as Motor Vehicles makes changes to its IT environment and the Commonwealth makes updates to its security standards. Finally, management should promptly and formally approve these documents to ensure their enforceability as agency policy. • Security Awareness Training: Motor Vehicles does not sufficiently monitor annual security awareness training to ensure all staff and contractors receive it in accordance with Commonwealth security standards. During the most recent cycle, Motor Vehicles did not train over 200 staff and contractors. Further, Motor Vehicles did not complete developing a role-based IT security training program for employees and contractors, who design, manage, administer, and operate IT systems and applications. Motor Vehicles should ensure the Information Security Officer actively monitors the completion of the annual IT Security Awareness and Training. We further recommend Motor Vehicles complete developing a role-based Security Awareness and Training program that gives specialized training to agency resources responsible for key areas of the information security program including, but not limited to, COOP and Disaster Recovery teams, Incident Response teams, and application design and maintenance teams. • Disaster Recovery and Contingency Planning: Motor Vehicles’ Disaster Recovery and Contingency Planning documents do not adequately address the responses or responsibilities required for Motor Vehicles’ systems, the Commonwealth’s standards for disaster recover, or Motor Vehicles’ Business Impact Analysis or Risk Assessment. Motor Vehicles IT environment includes a significant number of applications residing in multiple locations. Motor Vehicles rely heavily on the disaster recovery services and strategies of multiple organizations to ensure its ongoing operations. Without well documented plans, which are consistent with the organization’s business impact analysis and risk assessments, recovery efforts may not meet the business’ needs, negatively impacting their ability to carry out their mission as well as citizens confidence in their operations. Motor Vehicles recently updated their Business Impact Analysis and Risk Assessments for their IT environment. Motor Vehicles should use these updated documents to drive a review, assessment, and update to their entire Disaster Recovery and Continuity of Operations Plan documents, incorporating all critical systems into those documents and ensuring that these plans address the required responses and responsibilities for all systems identified and for all parties involved in accordance with Commonwealth standards. 15
We recommend that Motor Vehicles dedicate the necessary resources to implement controls that address the weaknesses noted above. We also recommend that Motor Vehicles establish the appropriate policies and procedures to document expectations and to allow consistent application and enforcement. Management Plan for Corrective Action for Department of Motor Vehicles #1 DMV will review all IT security policies and procedures comprising DMV’s IT Security Program in order to remove/reconcile all redundancies and conflicts. Currently, progress has been made in the review and analysis of DMV security policies in order to prepare an accurate list of security policies. There will be additional work with the policies as COV Security is currently in the process of significantly changing the IT Security Standard for the Commonwealth to line up with Federal Standard NIST 800-53A. The document that was unapproved for more than two years was the Trustwave Policy for PCI compliance. Because the Trustwave vendor had not fully completed the document to DMV’s satisfaction, DMV chose not to approve the policy so the task would remain on the vendor’s deliverables list. Responsible Party: Douglas Mack, DMV IT Security Director (ISO) Dave Burhop, DMV Deputy Commissioner (CIO) Estimated Completion Date: May 31, 2012 Management Plan for Corrective Action for Department of Motor Vehicles #2 DMV will consolidate and revise all IT security policies to be incorporated into one IT Security Policy. DMV will consolidate and revise all IT security procedures that will then be referenced in the new IT Security Policy and maintained in a separate IT Security Procedures Manual. Responsible Party: Douglas Mack, DMV IT Security Director (ISO) Dave Burhop, DMV Deputy Commissioner (CIO) Estimated Completion Date: September 30, 2012 Management Plan for Corrective Action for Department of Motor Vehicles #3 The new DMV IT Security Policy will include a requirement for all changes to the DMV IT Security Policy to be given to Management for review and approval within thirty days of their development. 16
Page 1 and 2: COMMONWEALTH OF VIRGINIA SINGLE AUD
Page 3 and 4: - T A B L E O F C O N T E N T S - P
Page 5 and 6: INDEPENDENT AUDITOR’S REPORT ON I
Page 7 and 8: REPORT ON COMPLIANCE WITH REQUIREME
Page 9 and 10: prepare the financial statements. T
Page 11 and 12: 84.318, 84.386 Educational Technolo
Page 13 and 14: We further recommend that Motor Veh
Page 15 and 16: Not including the specific access o
Page 17: ABC is required by the Commonwealth
Page 21 and 22: Management Plan for Corrective Acti
Page 25 and 26: 11-10: Improve Information Security
Page 27 and 28: We recommend that DMV dedicate the
Page 29 and 30: 11-14: Improve Microsoft SQL Server
Page 31 and 32: 11-16: Refine Estimates and Report
Page 35 and 36: ecord of the individuals receiving
Page 37 and 38: We recommend that Social Services d
Page 39 and 40: alternative solutions with the Depa
Page 41 and 42: U.S. DEPARTMENT OF EDUCATION 11-23:
Page 49 and 50: COMMONWEALTH OF VIRGINIA Resolution
Page 55 and 56: COMMONWEALTH OF VIRGINIA Schedule o
Page 69 and 70:
COMMONWEALTH OF VIRGINIA Schedule o
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
is classified as direct expenditure
Page 125 and 126:
Federal Department Detail Amount Ex
Page 127 and 128:
$205,061 are not included in the ac
Page 129 and 130:
financial assistance will be reflec
Page 131 and 132:
CFDA # Federal Program Name Amount
Page 133 and 134:
Page 135 and 136:
Page 137:
COMMONWEALTH OF VIRGINIA CONTACT LI
show all

Commonwealth of Virginia Single Audit Report for the Year Ended ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?