This page, Audit of the Massachusetts Bay Transportation Authority (MBTA), is offered by

Audit Audit of the Massachusetts Bay Transportation Authority (MBTA)

Audit found deficiencies that allowed terminated employees to continue to access MBTA facilities after their departure from the agency. The audit (examined January 1, 2017 through March 15, 2019) notes this leaves agency facilities vulnerable to unauthorized access.

Organization: Office of the State Auditor
Date published: April 23, 2020

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of the Massachusetts Bay Transportation Authority (MBTA) for the period January 1, 2017 through March 15, 2019. When testing security access privileges, we extended the audit period through June 29, 2019, capturing data in the MBTA’s security access control system database as of the time of our fieldwork. Some testing required physically observing the then-current status of security controls at MBTA bus and rail maintenance facilities. This included conducting unannounced inspections of these facilities between May and July 2019. Specifically, when we assessed the physical condition of perimeter fencing, our last inspection was on July 1, 2019.

The vehicles owned and used by the MBTA are stored and serviced at maintenance facilities located throughout the Commonwealth. Effective physical security controls at these facilities are essential to the MBTA’s ability to protect its customers and employees and to safeguard its most critical assets.

The objective of this audit was to determine whether the MBTA had sufficient physical security measures in place to prevent unauthorized access to its vehicle maintenance and storage facilities.

Our audit of the MBTA identified information that has been omitted from this report in accordance with Exemption (n) of the Commonwealth’s public records law (Section 7[26] of Chapter 4 of the General Laws), which requires the withholding of certain records, including security measures or any other records related to cybersecurity or other infrastructure, if their disclosure is likely to jeopardize public safety or cybersecurity.

In accordance with Sections 7.39 and 7.41 of the Government Accountability Office’s Government Auditing Standards, as well as OSA policies, for reporting confidential and sensitive information, we have given a separate, full report to the MBTA, which will be responsible for acting on our recommendations.

Below is a summary of our findings and recommendations, with links to each page listed.

Finding 1a

The MBTA did not ensure that employee access identification (ID) cards were retrieved and destroyed when employees left the agency.

Finding 1b

Security access was not disabled promptly.

Recommendations

  1. The MBTA should perform an immediate review of the status of all employees and deactivate security access for those who no longer require access and/or are not authorized to have it.
  2. The MBTA should develop and implement an authority-wide policy and detailed procedure for the processing of terminated employees. At a minimum, it should address the frequency of exit interviews; individual department roles; the processing of required separation documentation; and the retrieval, disabling, and destruction of employee access ID cards within a defined timeframe. Supporting documentation should be kept on file for returned and destroyed cards.
  3. The MBTA should develop and implement monitoring controls to ensure that security access for separated employees is promptly disabled.

 

A PDF copy of the audit of the Massachusetts Bay Transportation Authority (MBTA) is available here.

 

Post-Audit Action

In response to this audit report, the MBTA provided the following comments related to its post-audit actions.

The draft audit report accurately captures many issues that were prevalent during the audited period. The MBTA would like to point out that since the audited period, internal audits and self-recognition of challenges have already produced substantial progress or even resolutions related to most of the recommendations suggested. These include:

  • The MBTA expects to launch . . . an identity management solution, in February 2020. [The solution] will integrate disparate systems across [the Human Resources Department], [the Information Technology Department], and Security allowing new hire, termination, and related activity to be automatically reported and in some cases acted upon across departments with shared responsibilities in this area.
  • During the audit period, the MBTA had already independently conducted a comprehensive internal audit of its . . . electronic access control system, culminating in improved processes, documentation, and system integrity. [The system] is the technology platform the MBTA uses for electronic access control hardware and software relating to door and gate access using identification cards/badges.
  • Since 2018, the MBTA has adopted [a] platform to streamline and improve tracking of access and badge requests. This deployment took place in two phases, beginning with a backend tracking interface in 2018 and followed by a user-facing web portal in 2019. The portal by itself has reduced the average time it takes to process a badge or access related request by 60%. . . .

Already, the MBTA’s security investments over the past decade have resulted in one of the largest and most innovative transit security systems in the country. While these deployments span most of the Authority’s facilities, more work remains to be done—and is being done:

  • The MBTA has identified a prioritized list of facilities and stations and continues to actively deploy security upgrades expediently as funding and resources allow.
  • The MBTA’s security investments are further informed by a comprehensive Threat & Vulnerability Assessment that was commissioned by the MBTA and conducted by a private security consultant in 2018.
  • The specifics of each security project are defined by the MBTA’s security standard specification, which was developed in consultation with security consultants and is used to guide all deployments and configurations relating to security cameras, access control, fencing, and gates.

Downloads

Contact

Feedback