Ventura County Grand Jury
2002-2003
County Information Technology Security
Findings and Recommendations (10 findings)
F1
The County "network" is a heterogeneous mix of equipment that is partially managed by the ISD and partially managed by numerous line departments. There are a high number of independently managed data-center/server rooms that duplicate basic services.
Related Recommendations (1)
R1
The Information Technology Committee, with technical support from the ISD, sponsor the risk analysis of a major agency's systems based on ISO 17799. This study would provide a baseline for a risk analysis procedure for all of the County agency's applications.
F2
Two significant security management controls are the management of passwords and the restriction of an individual to the appropriate level of control of information resources.
Related Recommendations (1)
R2
That the Information Technology Committee revise the approach for Information System Planning to reflect the criticality of specific systems to the County and the management approaches used to mitigate risk.
F3
Some key control deficiencies are lack of an automatic method to terminate a password when an individual leaves the organization and lack of periodic reviews of the status of employees to determine proper access level.
Related Recommendations (1)
R3
That the Auditor-Controller review ISO 17799 as the basis for an information system internal control program for the County. The internal controls so developed could then be included as part of the management controls for various departments.
F4
Each department has network elements that are common and applications that are unique.
Related Recommendations (1)
R4
That the County Executive Officer initiate a study to determine if the complete County network needs to be managed like a utility with a single agency having responsibility. The purpose of such a study would be to gain a securable network and lower operating costs.
F5
Many of the department strategic information system plans do not consistently and clearly identify the hierarchy of importance of departmental programs and applications. This deficiency diminishes the ability to coordinate disaster recovery efforts due to a lack of recognized priorities.
Related Recommendations (1)
R5
That County Counsel develop, with the help of the ISD, standard language to be inserted into contracts that allow third party access to address the issues identified in F-9.
F6
There are gross inconsistencies in the level of experience and technical knowledge among non-ISD server administrators. These inconsistencies lead to an inability to properly secure the County-wide network because these departmental systems, while allowing access to the County network, are not being hardened properly. For example, the use of initial software manufacturer default settings and passwords and laxity in making critical updates from software vendors leave an open door for intrusion into the County network.
Related Recommendations (1)
R6
That GSA review all contracts that allow access to the County network and ensure these contracts are revised in accordance with the language developed by the County Counsel. That GSA modify its procedures to ensure that future relevant contracts are not permitted without the appropriate contract language.
F7
Many departments have contractors that are allowed access to the County network. There are limited contract controls in place to administer third party compliance with County security requirements. These deficiencies include:

a. Contract and Policy Compliance
i. Many third party businesses share a single (or limited number) of access tokens between employees, thereby granting untraceable access to the County network. This arrangement would never be accepted for County employees, yet is somehow adequate for employees of third party businesses with access to County infrastructures. Most of these third party employees are neither given any background checks nor are they required to be bonded.
ii. There is no methodology for third party businesses to notify the County when employees leave or are fired.
iii. There is no methodology to ensure that third party businesses are abiding by acceptable use and proper security for access tokens.
iv. There are no clear mandatory guidelines for County legal recourse in the event a third party business provides an access point for illegal activity on the County's network infrastructure.

b. Technical and Procedural Compliance
i. Security tokens that are improperly administered by outside trusted network administrators can lead to security compromises.
ii. Third party servers that are not in compliance with County patch management procedures create vulnerabilities to the County network.
Related Recommendations (1)
R7
ISD provide a standard training package for all employees who are normal users to instruct them as to their responsibilities in maintaining security of information assets and data.
F8
Physical security (building access, hallway access, departmental access, and cubicle access) is largely non-existent in most administrative areas. The public is granted unfettered right-of-way to almost every area. This is of particular significance because of the general lack of staff awareness and suspicion of criminal information gatherers.
Related Recommendations (1)
R8
ISD provide a mechanism for certification and training of all server administrators whose servers access the County network.

Responses Required
County Executive Officer (R-4)
Auditor-Controller (R-3)
County Counsel (R-5)
Director, General Services Agency (R-6)
Chief Information Officer (R-1, R-2, R-3, R-5, R-7, R-8)
Chair of the Information Technology Committee (R-1, R-2)

Figure 1. Ventura County Network
F9
The County information systems have poor password management. Theft or compromise of passwords is the Achilles' heel of information technology. Staff members are generally unaware of the implications of individuals gathering seemingly innocuous information for the criminal purpose of allowing the perpetrator to impersonate a valid system user.
No recommendations for this finding
F10
The issue associated with securing computerized information is common throughout developed countries. The International Standards Organization (ISO) standard 17799 provides an effective template for addressing this issue. A checklist based on ISO 17799 is included in Appendix A.

Conclusions
C-1. The County network, as it is currently managed, is unsecurable and has elements that are duplicative. (F-1, F-2, F-3, F-6, F-7, F-8, F-9)
C-2. Although computer applications and the network work together, the management and security of application programs needs to be addressed distinctly from management and security of the network. (F-1, F-4)
C-3. Contractors have access to the network without the controls on network access that are normally applied to County employees. (F-6, F-7)
C-4. At present, the majority of security vulnerabilities are associated with training, procedures and internal controls rather than with the quality and performance of the technology itself. (F-2, F-5, F-6, F-7, F-8, F-9, F-10)
No recommendations for this finding