Audit

Audit  Audit of the Merit Rating Board

This audit of the Merit Rating Board examines the activities of the board and its control over selected information technology operations. The audit examines the period of July 1, 2014 through June 30, 2016.

Organization: Office of the State Auditor
Date published: February 1, 2018

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted an audit to review and evaluate controls over selected information technology (IT) operations and activities of the Merit Rating Board (MRB) for the period July 1, 2014 through June 30, 2016.

In this performance audit, we reviewed certain IT controls over MRB mission-critical applications related to logical access security; change management (monitoring, documenting, and approving modifications to an agency’s IT system); personally identifiable information (PII); and business continuity planning and disaster recovery (DR).

Our audit of MRB identified an issue that has been omitted from this report in accordance with Exemption (n) of the Commonwealth’s public-records law (Section 7[26] of Chapter 4 of the General Laws), which allows for the withholding of certain records, including security measures or any other records related to cybersecurity or other infrastructure, if their disclosure is likely to jeopardize public safety or cybersecurity.

In accordance with Sections 7.39–7.43 of the Government Accountability Office’s Government Auditing Standards, as well as OSA policies, for reporting confidential and sensitive information, we have given a separate, full report to MRB, which will be responsible for acting on our recommendations.

Below is a summary of our findings and recommendations, with links to each page listed.

Finding 1a
 

MRB did not have policies and procedures in place to remove access rights to its Automated License and Registration System (ALARS) when employees were terminated.

Finding 1b
 

MRB did not review employee access rights to ALARS quarterly.

Recommendations
 

  1. MRB should define a specific timeframe to revoke terminated employees’ access to ALARS. It should also develop its own logical access security policies and procedures to supplement the Massachusetts Department of Transportation’s (MassDOT’s) information security program.
  2. MRB should develop and implement a process to review the access rights for all ALARS user accounts and work with the Information Technology Division of MassDOT (MassDOT IT) to obtain the information necessary to perform this activity. MRB should include access rights in its monthly ALARS reports to managers, or MRB could establish a process of review at least quarterly to ensure that users’ access rights are limited to their individual job requirements.

Finding 2a
 

MRB did not have policies and procedures to classify data and maintain a data inventory.

Finding 2b
 

Employees did not receive IT security training before they received access to ALARS.

Recommendations
 

  1. MRB should consult with MassDOT to develop policies and procedures to classify and inventory its data in case of loss or corruption. In addition, a periodic review should be put in place to ensure that this procedure occurs regularly.
  2. MRB should ensure that all new employees receive security awareness training during the onboarding process, before they receive access to MRB systems.

Finding 3a
 

MRB did not have a business continuity plan (BCP).

Finding 3b
 

MRB did not test a DR plan for fiscal years 2015 and 2016.

Finding 3c
 

MRB did not have backup policies and procedures for its internal FTP server.

Recommendations
 

  1. MRB should work with MassDOT IT to develop, document, and implement a BCP that includes MRB operations.
  2. MRB should consult with MassDOT to perform a DR test for all critical IT assets (such as data, equipment, IT services, and IT personnel) to ensure that suitable alternative procedures exist in case disruptions occur. The DR test should be performed annually to minimize the duration of any disruption to MRB operations.
  3. MRB should consult with MassDOT to document, develop, and implement backup procedures for its servers. These procedures should ensure that full offsite backups are performed and maintained regularly.

A PDF copy of the audit of the Merit Rating Board is available here.

List of Abbreviations

ALARS

Automated License and Registration System

BCP

business continuity plan

COBIT

Control Objectives for Information and Related Technologies

DR

disaster recovery

FTP

File Transfer Protocol

HR

human resources

ISP

information security program

IT

information technology

ITGC

information technology general control

MassDOT

Massachusetts Department of Transportation

MassIT

Massachusetts Office of Information Technology

MRB

Merit Rating Board

NIST

National Institute of Standards and Technology

PII

personally identifiable information

RMV

Registry of Motor Vehicles

OSA

Office of the State Auditor

Contact

Phone

Fax

(617) 727-3014

Address

Massachusetts State House
Room 230
Boston, MA 02133

Help Us Improve Mass.gov  with your feedback

Please do not include personal or contact information.
Feedback