Organization: Office of the State Auditor
Date published: February 1, 2018
Executive Summary
In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted an audit to review and evaluate controls over selected information technology (IT) operations and activities of the Merit Rating Board (MRB) for the period July 1, 2014 through June 30, 2016.
In this performance audit, we reviewed certain IT controls over MRB mission-critical applications related to logical access security; change management (monitoring, documenting, and approving modifications to an agency’s IT system); personally identifiable information (PII); and business continuity planning and disaster recovery (DR).
Our audit of MRB identified an issue that has been omitted from this report in accordance with Exemption (n) of the Commonwealth’s public-records law (Section 7[26] of Chapter 4 of the General Laws), which allows for the withholding of certain records, including security measures or any other records related to cybersecurity or other infrastructure, if their disclosure is likely to jeopardize public safety or cybersecurity.
In accordance with Sections 7.39–7.43 of the Government Accountability Office's Government Auditing Standards, as well as OSA policies for reporting confidential and sensitive information, we have given a separate, full report to MRB, which will be responsible for acting on our recommendations.
Below is a summary of our findings.
1. MRB did not have policies and procedures in place to remove access rights to its Automated License and Registration System (ALARS) when employees were terminated.
2. MRB did not review employee access rights to ALARS quarterly.
3. MRB did not have policies and procedures to classify data and maintain a data inventory.
4. Employees did not receive IT security training before they received access to ALARS.
5. MRB did not have a business continuity plan (BCP).
6. MRB did not test a DR plan for fiscal years 2015 and 2016.
7. MRB did not have backup policies and procedures for its internal FTP server.
A PDF copy of the audit of the Merit Rating Board is available here.
List of Abbreviations
| Abbreviation | Meaning |
|---|---|
| ALARS | Automated License and Registration System |
| BCP | business continuity plan |
| COBIT | Control Objectives for Information and Related Technologies |
| DR | disaster recovery |
| FTP | File Transfer Protocol |
| HR | human resources |
| ISP | information security program |
| IT | information technology |
| ITGC | information technology general control |
| MassDOT | Massachusetts Department of Transportation |
| MassIT | Massachusetts Office of Information Technology |
| MRB | Merit Rating Board |
| NIST | National Institute of Standards and Technology |
| OSA | Office of the State Auditor |
| PII | personally identifiable information |
| RMV | Registry of Motor Vehicles |