Commonwealth of Virginia Single Audit Report for the Year Ended ...

More documents

Recommendations

Info

details of these weaknesses to management in a separate document marked Freedom of Information Act Exempt under Section 2.2-3705.2 of the Code of Virginia, due to their sensitivity and description of the security system. We recommend that ABC utilizes a compliance validation tool to determine an appropriate baseline for the POS server configuration security settings. Additionally, we recommend that ABC configure all of their remote store servers in accordance with Center for Internet Security best practices and the Commonwealth’s Information Security Standard, SEC501-06. Management Plan for Corrective Action for Alcoholic Beverage Control ABC plans to address several outstanding issues as part of a current Center for Internet Security (CIS) remediation project. All issues that will be addressed are expected to be completed by March 1, 2012. For the remaining issues, ABC has reviewed the server configuration and has legitimate business need for most of the requirements that have not been met. For these, ABC will identify risks for the business owners to accept, document mitigating controls, and file SEC501 exceptions. The anticipated date for risk documentation and exception filing is March 30, 2012. Responsible Party: Andrew Hallberg, Information Security Officer Estimated Completion Date: March 30, 2012 11-12: Improve Database Security Applicable to: Department of Motor Vehicles Motor Vehicles does not use minimum database administrator account controls to adequately detect or prevent possible malicious or unintentional modification or disclosure of sensitive data. The Commonwealth’s information security standard, SEC 501, and the Center for Internet Security (CIS) Oracle best practices recommend organizations to use certain account controls to minimize risks to sensitive data. Since our recommendations include descriptions of security mechanisms, which are exempt from public disclosure by the Code of Virginia, management received a separate document containing a detailed description of our recommendation. The following is a public summary of our findings. Database administrator accounts are privileged accounts with direct access to the database and that have rights to add, change, and delete data without restriction normally found in user applications. • DMV does not use automated controls to enforce database administrator account compliance with password policies. • DMV does not review specific escalated privileges given to database roles. • DMV does not log and periodically review specific database administrator account activity. 23
We recommend that DMV dedicate the necessary resources to implement controls that address the weaknesses noted above. Specifically, we recommend that DMV use automated controls on all its privileged accounts to reduce the risk of unauthorized access. We also recommend that DMV reviews the privileges granted to database roles to ensure appropriate access to data. Finally, we recommend that DMV log and review account activity to detect any fraudulent activity and the ability to trace unauthorized activity in the database management system and its tables. Someone outside the database administrator group should perform these reviews. Management Plan for Corrective Action for Department of Motor Vehicles #1 DMV will dedicate the necessary resources to implement controls that address the weaknesses identified. DMV will move towards using automated controls on its privileged accounts to reduce the risk of unauthorized access. Responsible Party: Douglas Mack, DMV IT Security Director (ISO) Dave Burhop, DMV Deputy Commissioner (CIO) Estimated Completion Date: August 31, 2012 Management Plan for Corrective Action for Department of Motor Vehicles #2 DMV will review the privileges granted to database roles to ensure appropriate access to data. Responsible Party: Douglas Mack, DMV IT Security Director (ISO) Dave Burhop, DMV Deputy Commissioner (CIO) Estimated Completion Date: August 31, 2012 Management Plan for Corrective Action for Department of Motor Vehicles #3 DMV will log and review account activity to detect any fraudulent activity and to have the ability to trace unauthorized activity in the database management system and its tables. DMV will have a person outside of the database administrator group to perform the reviews. Responsible Party: Douglas Mack, DMV IT Security Director (ISO)Dave Burhop, DMV Deputy Commissioner (CIO) Estimated Completion Date: August 31, 2012 24
Page 1 and 2: COMMONWEALTH OF VIRGINIA SINGLE AUD
Page 3 and 4: - T A B L E O F C O N T E N T S - P
Page 5 and 6: INDEPENDENT AUDITOR’S REPORT ON I
Page 7 and 8: REPORT ON COMPLIANCE WITH REQUIREME
Page 9 and 10: prepare the financial statements. T
Page 11 and 12: 84.318, 84.386 Educational Technolo
Page 13 and 14: We further recommend that Motor Veh
Page 15 and 16: Not including the specific access o
Page 17 and 18: ABC is required by the Commonwealth
Page 19 and 20: We recommend that Motor Vehicles de
Page 21 and 22: Management Plan for Corrective Acti
Page 25: 11-10: Improve Information Security
Page 29 and 30: 11-14: Improve Microsoft SQL Server
Page 31 and 32: 11-16: Refine Estimates and Report
Page 35 and 36: ecord of the individuals receiving
Page 37 and 38: We recommend that Social Services d
Page 39 and 40: alternative solutions with the Depa
Page 41 and 42: U.S. DEPARTMENT OF EDUCATION 11-23:
Page 49 and 50: COMMONWEALTH OF VIRGINIA Resolution
Page 55 and 56: COMMONWEALTH OF VIRGINIA Schedule o
Page 77 and 78:
COMMONWEALTH OF VIRGINIA Schedule o
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
is classified as direct expenditure
Page 125 and 126:
Federal Department Detail Amount Ex
Page 127 and 128:
$205,061 are not included in the ac
Page 129 and 130:
financial assistance will be reflec
Page 131 and 132:
CFDA # Federal Program Name Amount
Page 133 and 134:
Page 135 and 136:
Page 137:
COMMONWEALTH OF VIRGINIA CONTACT LI
show all

Commonwealth of Virginia Single Audit Report for the Year Ended ...

Create successful ePaper yourself

Delete template?

Save as template?