Offered by: Office of the State Auditor

Audit of the Executive Office for Administration and Finance Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the Executive Office for Administration and Finance.


Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain information technology (IT) activities of the Executive Office for Administration and Finance (EOAF) for the period October 1, 2017 through March 31, 2018.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer and the conclusion we reached regarding each objective.

Objective                                                                                              Conclusion
1. Does EOAF actively manage the inventory of hardware devices connected to its network?                 Yes
2. Does EOAF have a program in place to detect, manage, and patch[1] potential system and software vulnerabilities?   Yes

We conducted this performance audit using criteria from policies issued by the Executive Office of Technology Services and Security (EOTSS) as well as industry standards established in the Center for Internet Security Critical Security Controls (CIS Controls) 1 and 3, which are based on the National Institute of Standards and Technology’s (NIST’s) Special Publication 800-53r4. Although EOTSS is not required to follow these industry standards, we believe they represent IT industry best practices for cybersecurity. The EOTSS policies we used as criteria are also derived from NIST Special Publication 800-53r4.

CIS Control 1 states that IT organizations should do the following:

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

CIS Control 3 states that IT organizations should do the following:

Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. 

Systems and Applications Relevant to the Audit

EOAF and its agencies use a variety of systems and applications to carry out day-to-day tasks. Our audit focused primarily on the following applications that were relevant to our audit objectives:

  1. ServiceNow, a cloud-based Web application that is used to manage and administer computing devices such as laptops, desktops, and servers from a central application interface
  2. Employee Access Management System (EAMS), an application that is used to keep track of the Commonwealth’s IT hardware inventory
  3. Nessus, an application that scans all computers and devices connected to a common network for known software vulnerabilities
  4. ZENworks, an application that is used to keep all software (such as Adobe Flash and Adobe Acrobat Reader) that is installed on laptops and desktops up to date from one point of management through a central application interface

Audit Procedures

To achieve our audit objectives, we gained an understanding of the internal control environment related to our audit objectives by reviewing applicable EOAF and EOTSS policies and procedures, reviewing relevant laws and regulations, and interviewing various EOAF staff members and outside contractors. Additionally, we performed the following procedures:

  • We surveyed EOAF regarding the activities it performs to adhere to the various subcontrols[2] outlined in CIS Controls 1 and 3 to determine whether EOAF adhered to these CIS Controls.
  • We performed a walkthrough of ServiceNow and EAMS and obtained screenshots of the process undertaken to keep track of EOAF’s IT hardware inventory to confirm that this process existed.
  • We requested and examined a list of all EOAF IT hardware listed in ServiceNow and EAMS to determine whether EOAF had a clear understanding of what devices were connected to its network.
  • We performed a walkthrough of the patching process for Windows and Linux servers and obtained screenshots from our observation of the process to confirm that EOAF had a process to keep its vital systems up to date.
  • We performed a walkthrough of the ZENworks patching process and obtained screenshots from our observation thereof to confirm that EOAF had a process to keep the applications on its systems up to date.
  • We observed a walkthrough of Nessus conducted by EOAF and EOTSS staff members. We observed scans of the network for system vulnerabilities and obtained screenshots of the process to confirm that EOAF had a process in place to scan its network regularly for known vulnerabilities.
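As an added illustration of the CIS Control 1 test described in the third bullet above (comparing the ServiceNow and EAMS inventories with what is actually connected to the network), and not code from the audit, EOAF, or either product: a small Python reconciliation over constructed sample records keyed by MAC address. It flags devices seen on the network that appear in neither inventory, entries on which the two inventories disagree, and inventoried devices that were not observed; the MAC spellings and sample values are assumptions.

```python
import re
from typing import Dict, Iterable, Set

# Constructed sample records (not the audit's data). Different tools export
# MAC addresses in different spellings, so the check must normalise first.
SERVICENOW = ["00:1A:2B:3C:4D:01", "00-1a-2b-3c-4d-02", "001A.2B3C.4D03"]
EAMS = ["00:1a:2b:3c:4d:01", "00:1A:2B:3C:4D:03", "00:1A:2B:3C:4D:04"]
OBSERVED = ["00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02", "00:1a:2b:3c:4d:05"]


def norm_mac(mac: str) -> str:
    """Canonicalise any common MAC spelling to lower-case aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def reconcile(servicenow: Iterable[str], eams: Iterable[str],
              observed: Iterable[str]) -> Dict[str, Set[str]]:
    """Compare two asset inventories with devices actually seen on the network."""
    sn = {norm_mac(m) for m in servicenow}
    ea = {norm_mac(m) for m in eams}
    seen = {norm_mac(m) for m in observed}
    inventoried = sn | ea
    return {
        # On the network but in neither inventory: the unmanaged devices
        # CIS Control 1 says must be found and prevented from gaining access.
        "unmanaged": seen - inventoried,
        # The two inventories disagree; one of them is out of date.
        "servicenow_only": sn - ea,
        "eams_only": ea - sn,
        # Inventoried but not seen: possibly retired, offline, or misrecorded.
        "not_observed": inventoried - seen,
    }


if __name__ == "__main__":
    for category, macs in reconcile(SERVICENOW, EAMS, OBSERVED).items():
        print(f"{category}: {sorted(macs)}")
```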

[1]    According to the National Institute of Standards and Technology’s Special Publication 800-40r3, patches are software packages deployed by a manufacturer to “correct security and functionality problems in software and firmware.”

[2]    CIS subcontrols are questions intended to evaluate whether the guidelines set forth in the CIS Controls are in place.

Date published: October 10, 2018
