An audit of the Information Technology department for the city of Springfield revealed a number of places for improvement.
The audit by RubinBrown CPAs & Business Consultants was released to Springfield City Council on April 8, 2020. The information in the audit came from field work done in August 2019.
“Internal audits provide valuable data to leadership and the Council assisting them in evaluating and improving the effectiveness of the City’s risk management, control and governance processes,” Councilman Andrew Lear said.
Among the observations and recommendations:
- The continuity of operations (COOP) plan was last updated in 2016, and testing of the plan has not occurred on an annual basis. RubinBrown’s recommendation is to review, update and test the plan on a periodic basis (at least annually) to ensure the best possible plan with timely recovery. This recommendation was implemented, and the target implementation date for annual COOP plan testing is July.
- Periodic user access reviews are being performed, but not documented. RubinBrown’s recommendation is for the various departments named to work with the IS department to ensure that periodic (at least annual) user access reviews are performed and documented. Departments responded that they would review user access annually or semiannually and have already begun implementation or will this month.
- The senior database administrator has system administrator access to the application, and also has the ability to install, design, migrate data, and configure data within the Oracle database (as a database administrator). RubinBrown’s recommendation is to limit the system administrator’s access to the application or the database in order to eliminate the segregation of duties conflicts. If limiting access is not possible, ensure logging is in place and perform a review of the access log on a periodic basis. This recommendation was implemented in December 2019.
- A formal written password policy was not in effect for the City. The Oracle database was not configured to enforce password parameters. Minimum password age for SCADA was “0.” Password history (the number of previous passwords that cannot be reused) was zero for the SCADA system at Environmental Services, five for the Public Works (Traffic) network, and five for Active, the Springfield-Greene County Park Board’s application. RubinBrown’s recommendation is to create a formal written password policy and to adjust password settings to best practices across the various networks and applications. This recommendation was implemented last month.
- RubinBrown reviewed a sample of 10 computer patches and found that four patches were not fully deployed and followed up on in a timely manner. RubinBrown’s recommendation is to establish a follow-up review for failed patching for machines on the network. IS created a review process for patches and began performing it on a weekly basis in December 2019.
- RubinBrown reviewed physical access controls to data rooms and data closets across the City and found that access was not properly restricted at the City data room, the Environmental Services SCADA data closet, the Workforce Development data room, and the Parks department switch rooms. RubinBrown’s recommendation was to limit physical access to data centers and rooms to only those who require access for job responsibilities to ensure protection of data and hardware assets. IS has corrected the access to the City data center and SCADA office. Access is now limited based on job responsibility. Workforce Development has implemented a sign-in sheet for both switch closets in addition to the physical controls already in place. The business systems analyst for Parks is currently in the process of working with IS to secure the switch closets and limit access to authorized personnel.
- Patches for the Public Works (Traffic) network are not tested prior to implementation. RubinBrown’s recommendation is for the Traffic division to work with the network manager to facilitate testing of patches prior to implementation into the traffic network. This recommendation will be implemented by July.
- Backups of the Public Works traffic management center (TMC) network are kept only onsite. RubinBrown’s recommendation is for the Traffic division to work with the network manager to facilitate offsite backups to ensure recovery of data and configurations for the domain server. This recommendation was implemented in October 2019.
- Data center and data room physical and environmental control gaps were identified at multiple locations. RubinBrown’s recommendation is to implement additional physical and environmental controls at the identified locations and work with IS to implement a standard set of controls for data centers and rooms across the City. These recommendations have been implemented by the departments or will be by July.
Here is the audit report: ITGC-Internal-Audit-Final-Report