Windows Domain Administration and Management (Follow-Up)

Issued Date
October 09, 2024
Agency/Authority
Office of Information Technology Services

Objective

To determine the extent of implementation of the six confidential recommendations included in our initial audit report, Windows Domain Administration and Management (Report 2022-S-19).

About the Program

ITS provides statewide IT strategic direction, directs IT policy, and delivers centralized IT products and services that support the mission of the State. ITS operates data centers 24 hours a day, 365 days a year to support statewide mission-critical applications for 53 agencies, encompassing over 16 million public accounts, 130,000 employee accounts, 63,000 VoIP phones and 37,000 mobile phones, 100,000 workstations/laptops/tablets, 16,000 virtual and real servers, 33 petabytes of storage, and 35,000 Virtual Desktop remote connections. ITS provides State agencies secure networking and desktop support for more than 38,000 workstations on 1,600 miles of fiber.

As part of its services, ITS is responsible for maintaining Active Directory domains on behalf of the State’s Executive agencies. A domain is a group of interconnected devices, such as computers and servers, together with the users, groups, and systems associated with them. An Active Directory domain provides the methods for storing directory data and making that data available to network users and administrators. Each Active Directory domain uses servers, referred to as domain controllers, to manage access and to authenticate stored user credentials, thereby determining who can access file servers and other network resources. Since Active Directory and its domain controllers ultimately control access and authorization in a Microsoft Windows environment, it is vital to ensure that appropriate controls are in place and that policies and standards are being adhered to.

The objective of our audit, issued May 31, 2023, was to determine whether ITS had security controls in place to ensure appropriate management and monitoring of its Active Directory environment. The audit covered the period from January 2021 through March 2023. Generally, we determined that ITS did not have in place certain security controls, required by several ITS policies and standards, to ensure appropriate management and monitoring of its Active Directory environment.

Due to the confidential nature of our audit findings, our public report contained one recommendation: to implement the six recommendations included in a confidential draft report provided to ITS officials. ITS officials generally agreed with our findings and recommendations communicated in the confidential report, and, in several instances, indicated they were planning actions to address them.

Key Findings

ITS officials made progress in addressing the problems we identified in the initial audit report and implementing the six recommendations in our confidential report. Of the confidential report’s six audit recommendations, three were implemented, two were partially implemented, and one was not implemented.

Key Recommendation

ITS officials are requested, but not required, to provide information about any actions planned to address the unresolved issues discussed in this follow-up within 30 days of the report’s issuance.

State Government Accountability Contact Information:
Audit Director: Nadine Morrell
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236