Final 2013-2014 Grand Jury Report

R1

Management should configure the security settings available on their existing servers and applications to at least the security level typically found on today's computer systems, including requiring periodic password changes, implementing a longer minimum password length, enforcing a minimum age, and requiring password complexity. Management should establish, document, and implement a process to ensure timely notification and revocation of system access for all terminated personnel. 3. Management should implement a process to periodically review all users' access rights for the servers and applications. The review should be documented to provide evidence that it was performed, and to help ensure potential exceptions noted during the review are researched and resolved timely. Management Response Prior Year County Administrative Office's Response The County Administrative Office and the Information Technology Department appreciate the observations of the outside financial auditors, and will take the recommendations under advisement. In 2008, the Board of Supervisors commissioned a complete Management Audit of the Information Technology Department. The County has been following recommendations made during that audit; however, budgetary constraints subsequent to that time have limited the County's ability to take specific and/or broad action. Any action to be taken as a result of the 2008 management audit or the Reznick group's observations will be coordinated with the Information Technology Department and other County departments, and will be reported and recommended directly to the Board of Supervisors. The Information Technology Department has responded to most of the Independent Auditor's observations in the paragraphs below.