Report No. 2007-61
Missing Security Controls Leave Confidential Data and Technology Resources Susceptible to Unauthorized Access
This audit reviewed the management and control of information technology resources at the Department of Labor and Industrial Relations (DOLIR) Division of Workers' Compensation (DWC). Auditors found DOLIR and Information Technology Services Division (ITSD) management have not taken some of the measures necessary to maintain effective controls to protect the confidentiality, integrity and availability of data and the information technology resources supporting the mission and operations of DWC.
User account administration needs improvement

DOLIR's user account administration procedures lack key security control requirements commonly recommended by accepted standards. DOLIR and ITSD management have not implemented policies and procedures for periodically reviewing user access rights to the network or to DWC information systems and application data to ensure access rights remain appropriate. As a result, users have access to functions outside of the users' job duties, programmers have access to production data, and user account administration policies have not been developed. According to accepted standards, effective administration of users' computer access is essential to maintaining system security. (See page 6)
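The periodic access review this finding calls for amounts to reconciling each user's current entitlements against what their job title is approved to hold, and flagging anything outside that set, with production data access called out separately. The Python below is an added example and is not from the audit report or from DOLIR's or ITSD's own procedures; the role matrix, the entitlement names, the `PROD_` naming convention for production-data entitlements and the sample assignment export are all constructed for illustration.

```python
"""Access-rights recertification check (added example, not from the audit report).

Assumptions (all constructed for illustration):
- ROLE_MATRIX maps a job title to the entitlements that title is approved to hold.
- ASSIGNMENTS is an export of current (user, job title, entitlement) rows, as a
  directory or application would produce it.
- Entitlements whose name starts with "PROD_" grant access to production data.
"""

# Constructed role matrix: job title -> entitlements approved for that title.
ROLE_MATRIX = {
    "claims_examiner": {"WC_CLAIMS_READ", "WC_CLAIMS_UPDATE"},
    "programmer":      {"WC_SOURCE_REPO", "WC_TEST_DB"},
    "dba":             {"PROD_WC_DB_ADMIN", "WC_TEST_DB"},
}

# Constructed export of current assignments: (user, job title, entitlement).
ASSIGNMENTS = [
    ("asmith", "claims_examiner", "WC_CLAIMS_READ"),
    ("asmith", "claims_examiner", "WC_CLAIMS_UPDATE"),
    ("bjones", "programmer",      "WC_SOURCE_REPO"),
    ("bjones", "programmer",      "PROD_WC_DB_ADMIN"),  # programmer holding production access
    ("cbrown", "claims_examiner", "WC_SOURCE_REPO"),    # access outside the user's job duties
    ("dlee",   "dba",             "PROD_WC_DB_ADMIN"),
    ("evans",  "former_employee", "WC_CLAIMS_READ"),    # job title with no approved role
]

PRODUCTION_PREFIX = "PROD_"


def review_access(assignments, role_matrix):
    """Return a list of (user, entitlement, reason) for every assignment that is
    not covered by the approved role matrix.  Production-data entitlements are
    marked in the reason so they can be prioritised for revocation."""
    findings = []
    for user, title, entitlement in assignments:
        approved = role_matrix.get(title)
        if approved is None:
            # A title the matrix does not know (e.g. a departed employee) means
            # nothing that user holds has been approved.
            findings.append((user, entitlement,
                             "no approved role for job title '%s'" % title))
            continue
        if entitlement not in approved:
            reason = "entitlement not approved for role '%s'" % title
            if entitlement.startswith(PRODUCTION_PREFIX):
                reason += " (production data)"
            findings.append((user, entitlement, reason))
    return findings


def users_to_recertify(findings):
    """Distinct users whose access needs a manager's decision, in sorted order."""
    return sorted({user for user, _, _ in findings})


def production_exceptions(findings):
    """Subset of findings that grant production-data access outside the role."""
    return [f for f in findings if f[1].startswith(PRODUCTION_PREFIX)]


if __name__ == "__main__":
    results = review_access(ASSIGNMENTS, ROLE_MATRIX)
    for user, entitlement, reason in results:
        print("%-8s %-18s %s" % (user, entitlement, reason))
    print("users to recertify:", ", ".join(users_to_recertify(results)))
```

Run against a real export, the only pieces that change are the two data structures at the top; the review itself stays a pure comparison, which is what makes it repeatable on the periodic schedule the finding asks for. Users whose title is absent from the matrix are reported in full rather than skipped, since a missing role is itself a reason to question every entitlement the account holds.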
Physical security access controls have been inadequate

DOLIR and ITSD management have not established adequate policies and procedures for the physical security of DOLIR computer facilities. Auditors found oversight responsibilities for physical security have not been formally assigned and access to facilities has not always been properly controlled or monitored. As a result, access to the computer room has been provided to people who did not require the access levels issued based on their job titles, electronic door access card records have not always been updated when cards have been reissued, access to some secure locations has not been monitored, and a list of personnel authorized to access the offsite storage facility has not been maintained. (See page 9)
Some security controls need to be fully developed

DOLIR and ITSD management have developed and documented policies for specific security controls. However, management has not completed the process of establishing and documenting policies and procedures for some key security controls. Accepted standards state policies are necessary to set organizational strategic directions for security and assign resources for the implementation of security. (See page 11)
Missouri State Auditor's Office
moaudit@auditor.mo.gov