Sutter County Grand Jury
• 2013-2014
• Agency Response
Response to:
Sutter County Board of Supervisors - Filed 9-25-24
Endorsed Filed Oct 0.2 2014*
⚠️ Translation Notice: This content has been automatically translated. The original English text is the official version. Translation may contain errors.
⚠️ Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.
Comments 3
-
CO1 Page 7Available security settings on the Windows servers do not require users to change their passwords periodically, and passwords are not required to be complex; other parameters, such as password history and minimum age are not consistent with current security practices. On the AS400, users are also not required to change their passwords periodically, passwords are not required to be complex, and password length of only one character is required.
-
CO2 Page 7Although Reznick Group was informed that IT disables user IDs whenever they are notified of an employee termination, there is not an established, consistently followed mechanism to ensure IT is notified immediately of all personnel terminations (employees, temporary workers, volunteers, contractors, etc.). Reznick Group observed that several terminated employees had access to the IFAS Financial application.
-
CO3 Page 7User's access rights for the servers (Windows, Unix, and AS400) and applications are not reviewed periodically. Risk Passwords are the first line of defense to help protect unauthorized access to the County's
Observations 8
-
OB1 Page 10The County does not have an IT strategic plan, and an active IT steering committee, or another IT planning and prioritizing process, has not been formally established.
-
OB2 Page 10IT risk assessments are not formally performed. As such, IT related risks are not formally documented, evaluated and addressed periodically. Risk
-
OB3 Page 11A mechanism is not in place to ensure all application programming changes were authorized as IT personnel that make changes to application programs also move those changes into production.
-
OB4 Page 11Evidence of testing and user acceptance is not always obtained and maintained for changes to the County's applications.
-
OB5 Page 11Changes to information systems, including applications, servers, network, etc., are not consistently tracked in a centralized location. Risk
-
OB6 Page 8The Financial and Payroll applications have not been configured to enforced segregation of duties; all individuals in the Auditor-Controller's department have update access to all IFAS Financial application activities, and all Payroll individuals have access to perform all Payroll application activities. Risk Dividing responsibilities and activities within a process such that one person does not control all aspects of the process, referred to as segregation of duties, is one of the basic tenets of good control. The Page 2
-
OB7 Page 9Sutter County individuals with update access can perform all accounting activities in the application, as well as make changes to the application, all with no application enforced segregation of duties. When job responsibilities and application access are assigned in such a way that all individuals have access to perform all aspects of a process or cycle, there is an increased risk of errors or omissions and automated controls and application workflows may not operate effectively. There is also an increased opportunity for unauthorized transactions or fraud to go undetected.
-
OB8 Page 9Independent IT security testing, including penetration tests of the County's firewalls, is not performed periodically. Risk A penetration test is a technique to identify potential hardware and software security vulnerabilities so that flaws and configuration weaknesses can be corrected. Without independent IT security testing being performed on a regular basis, it is difficult to know if the County's firewalls and other system security provisions are adequate and are configured to provide appropriate protection, or that data is secure from unauthorized access and possible modification.
* This report's PDF did not contain easily extractable text and required Optical Character Recognition (OCR) for analysis. There may be minor errors in the extracted findings and recommendations due to OCR limitations with scanned documents.