Security and Effectiveness of Department of Motor Vehicles’ Licensing and Registration Systems (Follow-Up)

Issued Date
December 14, 2016
Agency/Authority
Information Technology Services, Office of 

Purpose

To determine the extent of implementation of the five recommendations included in our initial audit report, Security and Effectiveness of Department of Motor Vehicles’ Licensing and Registration Systems (2013-S-58).

Background

Our initial audit report, which was issued on September 19, 2014,determined whether the Department licensing and registrations systems were secure, operating effectively, and available to continue critical processing in the event of a disaster or mishap that disables normal processing.  We found that ITS and the Department  were not in compliance with Payment Card Industry (PCI) Data Security Standards that govern the systems that process credit card transactions.  We also found ITS did not comply with State cybersecurity policies and did not establish adequate processes for managing user access of Department systems.  The five recommendations covered PCI Data Security Standard compliance, policies addressing logging, controls over change management and user access, patching, and a succession plan for dated programming languages. 

Key Finding

Department officials have made some progress in correcting the problems we identified in the initial report. However, improvements are still needed. Of the five prior audit recommendations, two recommendations have been implemented and three recommendations have been partially implemented.

Key Recommendation

Officials are given 30 days after the issuance of the follow-up review to provide information on any actions that are planned to address the unresolved issues discussed in this review.                                                                               

Other Related Audits/Reports of Interest

Office of Information Technology Services: Security and Effectiveness of Division of Criminal Justice Services’ Core Systems (2014-S-24)
Office of Information Technology Services: Effectiveness of the Information Technology Transformation (2015-S-2)

John Buyce

State Government Accountability Contact Information:
Audit Director: John Buyce
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236