Objective

To determine whether access controls over selected Office of Children and Family Services (OCFS) systems are sufficient to prevent unauthorized or inappropriate access to those systems. The audit covers the period August 1, 2016 through December 10, 2018.

About the Program

OCFS is charged with promoting the safety, permanency, and well-being of children, youth, families, and vulnerable populations in New York State. Its responsibilities encompass a wide range of social services programs, including: foster care and adoption; child and vulnerable adult protective services; and juvenile justice. OCFS owns approximately 60 computer systems, which are used to support its activities. OCFS’ system infrastructure is maintained by the Office of Information Technology Services. OCFS’ systems contain a broad range of sensitive information that is considered confidential but is necessary to support the programs and services that OCFS provides to vulnerable populations. To ensure that only authorized users are allowed to access this information, agencies, such as OCFS, must follow New York State Information Technology (NYS IT) security policy and standards related to security and account management and access controls.

Key Findings

• Access controls over six OCFS systems containing confidential information were insufficient to prevent unnecessary or inappropriate access to those systems.
• We identified 367 user accounts with access to six OCFS systems that were inappropriate because OCFS had not performed the required annual reviews of user accounts. This included 35 active user accounts on four systems containing confidential information for individuals who no longer worked for OCFS.
• OCFS did not keep accurate records of those individuals authorized to approve or manage access to its systems, maintain an accurate inventory of systems, or classify the data on those systems, as required by NYS IT policy and standards.
• We encountered significant delays during our audit due to a lack of cooperation and timely access to information necessary to complete our work. As a result, our work in certain areas was limited.

Key Recommendations

• Develop a program to ensure controls over user access to OCFS’ systems meet the applicable NYS IT requirements, including:
  • Maintaining and regularly reviewing user lists for each application;
  • Developing and maintaining an up-to-date list of administrators for each application;
  • Developing and maintaining an up-to-date inventory of systems; and
  • Formally classifying all information assets.
• Improve the timeliness of cooperation with authorized State oversight inquiries to ensure transparent and accountable agency operations.