Commonwealth of Virginia Single Audit Report for the Year Ended ...

More documents

Recommendations

Info

11-13: Improve Microsoft SQL Server Security Applicable to: Department of Transportation The Virginia Department of Transportation (Transportation) does not manage its Microsoft SQL Server 2000 databases to minimize the risk of malicious or unapproved modification of data. A system of internal controls should include capabilities to prevent and detect certain actions to mission critical and confidential data. Some of these controls are recommended by industry best practices and others are necessary to compensate for other weaknesses in an IT environment. Since our observations include descriptions of security mechanisms, which are exempt from public disclosure by the Code of Virginia, management received a separate document containing a detailed description of our observations. While Transportation had planned to upgrade its legacy MS SQL Server 2000 environment to address several risks, these plans were delayed due to shifting priorities and resource limitations. It should be noted that delaying these upgrades limits Transportation’s ability to adequately safeguard data and establish a proper system of internal controls over these serves. We recommend that Transportation dedicate the necessary resources to execute its plans to upgrade the legacy Microsoft SQL Server 2000 databases. At a minimum, Transportation should consider establishing controls for the weaknesses previously communicated. We also encourage Transportation to run Microsoft Baseline Security Analyzer periodically to ensure compliance with best practices, and to document any decisions and compensating controls for those instances when Transportation needs to deviate from best practices. Management Plan for Corrective Action for Department of Transportation • SQL Server 2000 databases will be migrated to SQL Server 2008 • SQL Server 2005 and 2008 instances will be reconfigured to provide appropriate alerts • The Microsoft Baseline Security Analyzer will be used to review the security configuration of the production SQL Server servers. MBSA reviews a significant number of items, of which some may not be actionable in the VDOT environment. MBSA will be run on a periodic basis, an assessment will be made as to which recommendations should be implemented, and then the action taken and date completed will be documented. MBSA review and action will be done on the identified database server. A schedule for MBSA review and action for the remaining production SQL Server databases will be created. Responsible Party: Pam Tauer, IT Systems Engineering Manager Estimated Completion Date: Server migration will occur by December 2012, remaining items will be addressed by April 1, 2012. 25
11-14: Improve Microsoft SQL Server Security Applicable to: Virginia Port Authority The Authority does not manage its Microsoft SQL databases to minimize the risk of malicious or unapproved modification of data. The Authority should document and implement a baseline set of internal controls to prevent and detect malicious actions against mission critical data. Industry best practices recommend some of these controls and the others are necessary to compensate for other weaknesses in an IT environment. Specifically, the Authority needs to improve areas of operating system and application logical access, operating system configuration, authentication, password management, and security updates. We have communicated the details of these weaknesses to management in a separate document that is exempt under the Freedom of Information Act in accordance with Section 2.2- 3705.2 of the Code of Virginia, due to their sensitivity and description of a security system. We recommend that the Authority dedicate the necessary resources to continue improving Microsoft SQL Server database management. At a minimum, the Authority should consider establishing controls for the weaknesses noted above or specify compensating controls for those items not mitigated. We also encourage the Authority to run freely available scanning tools to ensure compliance with best practices and timely application of the latest security updates. Management Plan for Corrective Action for Virginia Port Authority The databases in question relate only to the databases on the Authority’s financial accounting server. That server was originally configured by the Authority’s financial accounting software support vendor. Responsibility for the configuration, security, support, and management of the SQL databases was not specifically addressed with VIT and the accounting software support vendor on the initial transition to VIT in 2006. As a result of comments from the auditors, the Authority has addressed the management of the SQL databases with VIT and the accounting software support vendor, and established clear lines of responsibilities. VIT is taking proactive measures to provide the necessary resolutions in accordance with Best Business Practices and to incorporate those measures with the management of other Authority servers and databases. Additionally, once the specific prescriptive security measure to a given SQL Server database may adversely affect a related software application; which is integrated with that database, VIT will notate those cases and report them to the Authority for further guidance. Implementation is expected to be completed within 90 days. Responsible Party: Rodney Oliver, Deputy Executive Director, CFO, and ISO Estimated Completion Date: January 31, 2012 26
Page 1 and 2: COMMONWEALTH OF VIRGINIA SINGLE AUD
Page 3 and 4: - T A B L E O F C O N T E N T S - P
Page 5 and 6: INDEPENDENT AUDITOR’S REPORT ON I
Page 7 and 8: REPORT ON COMPLIANCE WITH REQUIREME
Page 9 and 10: prepare the financial statements. T
Page 11 and 12: 84.318, 84.386 Educational Technolo
Page 13 and 14: We further recommend that Motor Veh
Page 15 and 16: Not including the specific access o
Page 17 and 18: ABC is required by the Commonwealth
Page 19 and 20: We recommend that Motor Vehicles de
Page 21 and 22: Management Plan for Corrective Acti
Page 25 and 26: 11-10: Improve Information Security
Page 27: We recommend that DMV dedicate the
Page 31 and 32: 11-16: Refine Estimates and Report
Page 35 and 36: ecord of the individuals receiving
Page 37 and 38: We recommend that Social Services d
Page 39 and 40: alternative solutions with the Depa
Page 41 and 42: U.S. DEPARTMENT OF EDUCATION 11-23:
Page 49 and 50: COMMONWEALTH OF VIRGINIA Resolution
Page 55 and 56: COMMONWEALTH OF VIRGINIA Schedule o
Page 79 and 80:
COMMONWEALTH OF VIRGINIA Schedule o
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
is classified as direct expenditure
Page 125 and 126:
Federal Department Detail Amount Ex
Page 127 and 128:
$205,061 are not included in the ac
Page 129 and 130:
financial assistance will be reflec
Page 131 and 132:
CFDA # Federal Program Name Amount
Page 133 and 134:
Page 135 and 136:
Page 137:
COMMONWEALTH OF VIRGINIA CONTACT LI
show all

Commonwealth of Virginia Single Audit Report for the Year Ended ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?