Access Controls Over Selected Critical Systems (Follow-Up)

Issued Date: December 29, 2020
Agency/Authority: Children and Family Services, Office of

Objective

To assess the implementation of the two recommendations included in our original audit report, Access Controls Over Selected Critical Systems (Report 2017-S-56).

About the Program

The Office of Children and Family Services (OCFS) is charged with promoting the safety, permanency, and well-being of children, youth, families, and vulnerable populations in New York State. Its responsibilities encompass a wide range of social services programs, including: foster care and adoption; child and vulnerable adult protective services; preventive services for children and families; and juvenile justice. OCFS owns approximately 60 computer systems, which are used to support its activities. OCFS’ system infrastructure is maintained by the Office of Information Technology Services. OCFS systems contain a broad range of sensitive information that is considered confidential but is necessary to support the programs and services that OCFS provides to vulnerable populations. To ensure that only authorized users are allowed to access information stored on systems, agencies, such as OCFS, must follow New York State Information Technology (NYS IT) security policies and standards related to security and account management and access controls.

Our initial audit report, issued on March 21, 2019, examined whether access controls over selected OCFS systems were sufficient to prevent unauthorized or inappropriate access to those systems. Our audit covered the period August 1, 2016 through December 10, 2018. We found that access controls over six OCFS systems containing confidential information were insufficient to prevent unnecessary or inappropriate access to those systems. Specifically, we identified user accounts with inappropriate access to OCFS systems because OCFS hadn’t performed required annual user reviews. We also found that OCFS did not keep accurate records of those individuals authorized to approve or manage access to its systems, maintain an accurate inventory of systems, or classify the data on those systems, as required by NYS IT policy and standards. Further, the audit team encountered significant delays during the audit due to a lack of cooperation and of timely access to information necessary to complete our work, which limited the amount of testing we were able to perform.

Key Findings

OCFS has made progress in correcting the problems we identified in our initial report. Of the two recommendations in our original audit, one was implemented and one was not implemented.

Key Recommendation

Officials are given 30 days after the issuance of the follow-up report to provide information on any actions that are planned to address the unresolved issues discussed in this report.

State Government Accountability Contact Information:
Audit Director: Brian Reilly
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236