Purpose
To determine whether the Department of Motor Vehicles’ (Department) licensing and registration systems are secure, operating effectively, and available to continue critical processing in the event of a disaster or mishap that disables normal processing. This audit covers the period November 14, 2013 through June 27, 2014.
Background
The New York State Office of Information Technology Services (ITS) was established in November 2012 as part of a New York State IT transformation to consolidate and merge State agencies and streamline services. ITS is responsible for providing centralized information technology (IT) services to the State and its governmental agencies and is headed by a Chief Information Officer. ITS’ Enterprise Information Security Office (EISO) is responsible for oversight and coordination of security services. ITS organized approximately 40 executive branch agencies into nine clusters based on the type of service provided. The Department is one of eight agencies that comprise the General Government Cluster (Cluster). The Department uses 147 IT systems and 265 software products, most of which are used to process driver licenses and vehicle registrations. In addition, the Department processes more than 6 million credit card transactions annually, totaling almost $700 million, for license and vehicle registration processing. During the transition to ITS Enterprise-developed policies and processes, ITS is charged with ensuring proper controls are in place to protect the vast amount of personal and credit card data stored in the Department’s systems, maintaining compliance with applicable security standards, and ensuring continuity of effective and efficient operations.
Key Findings
- ITS and the Department are not in compliance with the Payment Card Industry (PCI) Data Security Standards that govern the systems that process credit card transactions. Since January 2012, neither agency has completed and submitted a required self-assessment questionnaire or third-party compliance report, which are necessary to ensure that all risks have been properly identified and mitigated. Non-compliance also exposes the State to other risks ranging from extensive fines or penalties to business disruption due to cancelled accounts and the inability to accept credit card payments.
- ITS does not have an established monitoring and oversight process for user access management of Department systems and is not operating in compliance with State cybersecurity policies.
Key Recommendations
- Prioritize Cluster initiatives so that the tasks needed to reach compliance with PCI Data Security Standards are completed.
- Create Enterprise-wide policies, and aligned Cluster policies derived from them, that address logging and user access control.
- Create, maintain, and monitor a log of patches applied to Department software to ensure timely completion.
- Continue to move forward toward the implementation of a complete and viable change management and user access management process that will provide adequate controls.
Other Related Audits/Reports of Interest
Office for Technology: Procurement and Contracting Practices (2010-S-71)
Office of Information Technology Services: Procurement and Contracting Practices (2013-F-24)
State Government Accountability Contact Information:
Audit Director: John Buyce
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236