Security and Effectiveness of Division of Criminal Justice Services' Core Systems (Follow-Up)

Issued Date
April 07, 2017
Agency/Authority
Information Technology Services, Office of

Purpose

To determine the extent of implementation of the eight recommendations included in our initial audit report, Security and Effectiveness of Department of Criminal Justice Services' Core Systems (2014-S-24).

Background

Our initial audit report, which was issued on February 24, 2015, determined whether the Division’s core systems were secure, operating effectively, and available to continue critical processing in the event of a disaster or mishap that disables normal processing. We found that ITS did not have established policies and procedures for backup of key Division systems. Also, ITS does not have an active regional backup site, and Division systems are at risk for total data loss in the event of a regional disaster. We also found ITS did not comply with certain State cybersecurity policies and did not establish adequate processes for monitoring and oversight of user access of Division systems and software and changes made to these operating systems. The eight recommendations addressed user access, change management, patching, business continuity, disaster recovery, data classification, implementation of a service level agreement and system availability and performance.

Key Finding

Department officials have made some progress in correcting the problems we identified in the initial report. However, improvements are still needed. Of the eight prior audit recommendations, four recommendations have been implemented, two recommendations have been partially implemented and two have not been implemented.

Key Recommendation

Officials are given 30 days after the issuance of the follow-up review to provide information on any actions that are planned to address the unresolved issues discussed in this review.

Other Related Audits/Reports of Interest

Office of Information Technology Services: Security and Effectiveness of Department of Motor Vehicles’ Licensing and Registration Systems (Follow-Up) (2016-F-15)
Office of Information Technology Services: Effectiveness of the Information Technology Transformation (2015-S-2)
Office of Information Technology Services: Security and Effectiveness of Division of Criminal Justice Services’ Core Systems (2014-S-24)

State Government Accountability Contact Information:
Audit Director: John Buyce
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236