Objective

To determine whether the Office of Information Technology Services has security controls in place to ensure appropriate management and monitoring of its Active Directory environment. The audit covered the period from January 2021 through March 2023.

About the Program

The Office of Information Technology Services (ITS) provides statewide IT strategic direction, directs IT policy, and delivers centralized IT products and services that support the mission of the State. ITS operates data centers 24 hours a day, 365 days a year to support statewide mission-critical applications for 53 agencies. As part of its services, ITS is responsible for maintaining Active Directory domains on behalf of the State’s Executive agencies. A domain is a group of interconnected devices, such as computers and servers, as well as users, groups, and systems. An Active Directory domain provides the methods for storing directory data and making this data available to network users and administrators. Each Active Directory uses servers referred to as domain controllers to manage the access and authentication of stored user credentials determining who can access file servers and other network resources. Since Active Directory and associated domain controllers ultimately control access and authorization in a Microsoft Windows environment, it is vital to ensure that appropriate controls are in place and that policies and standards are being adhered to.

ITS’ Information Security Policy NYS-P03-002 (Security Policy) defines the mandatory minimum information security requirements for all State entities. The Security Policy defines a framework that will ensure appropriate measures are in place to protect the confidentiality, integrity, and availability of information assets and ensure staff and all other affiliates understand their role and responsibilities, have adequate knowledge of security policies, procedures, and practices, and know how to protect State entity information. The Security Policy acts as an umbrella document to all other ITS security policies and associated standards.

Key Findings

Generally, we determined ITS did not have certain security controls in place according to several ITS policies and standards to ensure appropriate management and monitoring of its Active Directory environment. Due to the confidential nature of our audit findings, we communicated the details of these findings with six recommendations in a separate, confidential report to ITS officials for their review and comment.

Key Recommendation

Implement the six recommendations included in our confidential draft report.