Episode Two: Inappropriate Computer Access
We don’t recall any performance auditors complaining to us about the frustration they must feel when they find similar operational shortcomings repeated year after year. But we can only speculate that even the most patient and understanding of auditors must want to tear their hair out when they see that governmental agencies seem condemned to repeat past problems despite the performance auditors’ good work.
Hence the Sisyphus title of this occasional series, which stems from our feeling that performance auditors have a lot in common with the mythological figure who was condemned to arduously roll a rock up a hill, only to watch it roll back down so that he had to start over.
In this, the second episode of this series, we’re looking at two related problems that come up over and over again:
Employees who leave their jobs but retain access to sensitive government technology systems.
Access to sensitive data that is granted to more employees than need it for their jobs, leaving security or privacy open to compromise.
Consider the December 2022 audit of the Connecticut Department of Emergency Services and Public Protection, which pointed out that the department did not “promptly or properly deactivate 17 terminated employees’ access” to the state’s criminal justice and accounting systems. For the 10 former employees who had criminal justice access, the failure to deactivate also permitted continued use of the National Crime Information Center and the International Justice and Public Safety Information Sharing Network.
For those individuals, the cutoff came only between a year and 25 months after they left government, according to the audit. The same problem had been found in three prior audits of the Connecticut Department of Emergency Services and Public Protection covering 2012 through 2019. There’s no reason to think that any of the former employees had ill intent, but still “unauthorized access to a protected information system can jeopardize the security of the information in the system,” auditors wrote, noting that untimely deactivation stemmed from a lack of communication between human resources and the individuals responsible for provisioning tech access.
The agency agreed with the findings and has been improving its internal controls, while also putting in place weekly reports to provide improved monitoring. That might solve one agency’s specific difficulty, but our experience gives us little doubt that the same issue will crop up elsewhere.
That same month, a Department of Law Enforcement operational audit in Florida also found that user access privileges “weren’t always removed upon separation.” One of the causes cited was “untimely notice of employee separation.”
A similar problem was also found there in 2020. In both cases, auditors also cited “inappropriate access” among employees who continued to work for the state, but whose jobs didn’t require the use of the technology. The 2022 audit noted that there was an unmet need for periodic review of who can log into potentially sensitive computer systems.
There’s more. In November 2022, two other audits came out that raised similar issues: one in Hillsborough County, Florida and the other in San Antonio, Texas.
In an audit titled “ServTracker System Access Controls,” Hillsborough County auditors reported that “not all user accounts belonging to separated employees or contractors were disabled in a timely manner,” while the November audit of the San Antonio Fire Department Arson Bureau found that user access for the fire department’s arson investigative software was “not routinely terminated” when fire department employees left the bureau. It also found that “employee access to the evidence tracking software was not always appropriate,” and recommended more diligent periodic reviews.
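The two findings that recur across all of these audits, accounts left enabled after separation and access that a current employee’s job does not require, are exactly what a weekly reconciliation report of the kind Connecticut adopted is meant to surface. As an added illustration, not code from any of the audited agencies, here is a small Python script that joins an HR roster against a sensitive system’s account list and flags three things: enabled accounts whose owner separated more than a grace period ago, enabled accounts with no HR record behind them at all (orphaned service or contractor accounts), and active employees holding entitlements their role does not need. The roster, accounts, role names and the role-to-entitlement map are constructed sample data and hypothetical names, not drawn from the audits.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data (not from any audit): an HR roster and the account
# list of a sensitive system, as a weekly reconciliation job would pull them.


@dataclass(frozen=True)
class Person:
    emp_id: str
    role: str
    separated_on: Optional[date] = None  # None = still employed


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: Optional[str]  # None = no HR record behind this account
    enabled: bool
    entitlements: frozenset[str]


# Hypothetical role-to-entitlement map: what each job actually needs.
ROLE_NEEDS = {
    "detective": frozenset({"ncic_query", "case_files"}),
    "accountant": frozenset({"ledger"}),
    "clerk": frozenset({"case_files"}),
}

ROSTER = [
    Person("E100", "detective"),
    Person("E101", "detective", separated_on=date(2021, 9, 30)),
    Person("E102", "accountant", separated_on=date(2022, 11, 25)),
    Person("E103", "clerk"),
]

ACCOUNTS = [
    Account("jdoe", "E100", True, frozenset({"ncic_query", "case_files"})),
    Account("asmith", "E101", True, frozenset({"ncic_query", "case_files"})),  # left in 2021, still enabled
    Account("bjones", "E102", True, frozenset({"ledger"})),  # separated days ago, inside grace period
    Account("cwhite", "E103", True, frozenset({"case_files", "ncic_query"})),  # clerk holding NCIC access
    Account("svc_old", None, True, frozenset({"ledger"})),  # orphan: no HR record at all
]

AS_OF = date(2022, 11, 28)  # the date this week's report is run


def stale_separated_accounts(roster, accounts, as_of, grace_days=3):
    """Enabled accounts whose owner separated more than grace_days ago.
    Returns [(username, days past the grace period)], most overdue first."""
    by_id = {p.emp_id: p for p in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        person = by_id.get(acct.emp_id)
        if person is None or person.separated_on is None:
            continue
        overdue = (as_of - person.separated_on).days - grace_days
        if overdue > 0:
            findings.append((acct.username, overdue))
    return sorted(findings, key=lambda f: -f[1])


def orphan_accounts(roster, accounts):
    """Enabled accounts with no matching HR record; nobody can be asked to approve these."""
    known = {p.emp_id for p in roster}
    return sorted(a.username for a in accounts if a.enabled and a.emp_id not in known)


def excess_entitlements(roster, accounts, role_needs):
    """Active employees holding entitlements their role does not require."""
    by_id = {p.emp_id: p for p in roster}
    findings = {}
    for acct in accounts:
        person = by_id.get(acct.emp_id)
        if person is None or person.separated_on is not None or not acct.enabled:
            continue  # separated owners are reported by stale_separated_accounts instead
        extra = acct.entitlements - role_needs.get(person.role, frozenset())
        if extra:
            findings[acct.username] = sorted(extra)
    return findings


def weekly_report(roster, accounts, role_needs, as_of, grace_days=3):
    """Bundle the three checks into one report for the access-control owner."""
    return {
        "stale_separated": stale_separated_accounts(roster, accounts, as_of, grace_days),
        "orphans": orphan_accounts(roster, accounts),
        "excess_entitlements": excess_entitlements(roster, accounts, role_needs),
    }


if __name__ == "__main__":
    for section, rows in weekly_report(ROSTER, ACCOUNTS, ROLE_NEEDS, AS_OF).items():
        print(section, rows)
```

Run against the sample data, the report flags asmith (separated in 2021, still enabled), svc_old (no HR record), and cwhite (a clerk with NCIC query rights), while bjones, who separated three days before the report date, falls inside the grace period and is left for next week. The grace period is the policy knob the agency sets; the audits above describe delays measured in months, not days. A report like this is a detective control: it catches what the HR-to-IT handoff missed, but the handoff itself, an automatic separation notice that triggers deactivation, is the fix the Connecticut auditors were pointing at.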
Even when problems like this persist in multiple places, journalists and other government observers don’t tend to take note.
We do.
Our hope is that columns like this one can help to draw management attention to audit findings that are depressingly common. And we invite our readers to make recommendations for future episodes of the Sisyphus files (we love that name!).
#Featured #BarrettandGreene #StateandLocalPerformanceAudit #StateandLocalPerformanceManagement #PerformanceAudit #StateandLocalHumanResources #StateandLocalGovernmentPerformance #StateandLocalGovernmentAccountability #PublicSectorDataAnalysis #Cybersecurity #StateandLocalPolicyImplementation #StateEmployeeComputerAccess #CityEmployeeComputerAccess #CountyEmployeeComputerAccess #UnprotectedComputerAccess #SisyphusFiles #RepeatAuditFindings #GovernmentOversight #BarrettandGreeneSpecialFeature #BarrettandGreeneSisyphusSeries #ConnecticutAudit #SanAntonioAudit #HillsboroughCountyAudit #FloridaAuditorGeneral #KatherineBarrettandRichardGreene #ComputerAccessAuditFindings #OperationalAudit #LaxGovernmentPrivacyProtections