Offered by: Office of the State Auditor

Commonwealth Corporation Had Inadequate Access Controls for Its YouthWorks Database

If CommCorp does not have adequate access controls, then the security and integrity of data within the YouthWorks database could be compromised.

Overview

CommCorp did not have documented management approval for its employees’ access rights to its YouthWorks database and could not provide evidence that it promptly revoked the access rights of former employees (e.g., those who resigned, retired, or whose employment was terminated) to its YouthWorks database.

a. Commonwealth Corporation Did Not Have Documented Management Approval for Employees’ Access Rights to Its YouthWorks Database.

CommCorp did not have documented management approval for its employees’ access rights to its YouthWorks database for any of the nine users who were active during the audit period. CommCorp provided us with system documentation showing when each of the nine active user accounts was created but could not provide evidence of management approval for the access rights of these accounts.

Without management approval, there is insufficient verification that the users were approved to use the database at all or that user accounts were limited to the fewest privileges necessary for employees’ job duties. This increases the risk that some employees have unnecessary access to view and/or alter personal information in the YouthWorks database beyond what their job duties require.

Authoritative Guidance

Section 6.1 of EOTSS’s Access Management Standard IS.003 states,

6.1.5 Request access privileges: User requests for access privileges shall follow a formal process. . . .

    6.1.5.2 User registration and revocation procedures shall be implemented for all information systems and services.

    6.1.5.3 User access requests shall be recorded (paper or tool-based), include a business justification for access, and be approved by the requestor’s supervisor and the appropriate Information Owner or authorized delegate.

Although CommCorp is not required to follow this standard, since it is not an executive branch agency, EOTSS still recommends that non-executive branch agencies follow these standards. We also consider it a best practice.

Reasons for Issue

CommCorp did not have documented policies and procedures for obtaining and recording approvals of YouthWorks database user access requests.

b. Commonwealth Corporation Could Not Provide Evidence That It Promptly Revoked Former Employees’ Access Rights to Its YouthWorks Database.

CommCorp could not provide evidence that it promptly revoked access rights to its YouthWorks database for any of the nine former users whose employment ended during the audit period.

If CommCorp does not promptly revoke former employees’ access rights to its YouthWorks database, then this increases the risk that former employees could improperly access and/or alter personal information in YouthWorks.

Authoritative Guidance

Section 8 of the “Commonwealth Corporation Information Security Policy” states,

CommCorp shall ensure that employees understand their security responsibilities and have the requisite skills and knowledge to ensure the effective execution of the roles they are assigned to reduce the risk of unauthorized access, use or modification of Information Assets, including: . . .

    Security Access

    a) Risk assessment to determine applicable level of employee screening prior to and upon change in responsibility during employment.

    b) Disablement of access rights to data systems after an extended period of inactivity.

    c) Return of agency issued equipment and/or devices upon termination or change of employment.

    d) Removal of access rights upon termination of employment.

Section 6.1 of EOTSS’s Access Management Standard IS.003 states,

6.1.8. Revoke access privileges: Upon a transfer, termination or other significant change to a user’s employment status or role, Commonwealth Executive Offices and Agencies must ensure that the user’s previous supervisor shall be responsible for informing security administration personnel to take appropriate action. . . .

    6.1.8.2 Privileges that are no longer required by a user to fulfill his or her job role shall be removed.

    6.1.8.3. If the termination date of personnel is known in advance, the respective access privileges—specifically those with access to confidential information—shall be configured to terminate automatically.

    6.1.8.3.1. If not, access must be manually removed within 24 business hours. . . .

6.1.10. Review of user access rights: Commonwealth Executive Offices and Agencies must ensure that security administrators shall maintain and review account access (either tool-based or manual) to verify that inactive and unauthorized accounts are appropriately de-provisioned. . . .

    6.1.10.2 A review of user’s access must be conducted, at a minimum, semiannually, and all unauthorized accounts and access must be removed.

Although CommCorp is not required to follow this standard, since it is not an executive branch agency, EOTSS still recommends that non-executive branch agencies follow these standards. We also consider it a best practice.

Reasons for Issue

CommCorp management told us that they could not provide evidence that CommCorp promptly revoked access rights for former employees, because an employee mistakenly deleted all user data related to former CommCorp employees from the YouthWorks database.

In addition, CommCorp did not have documented policies and procedures regarding the revocation of user access to the YouthWorks database upon termination of a user’s employment.

Recommendations

  1. CommCorp should develop, document, and implement policies and procedures for YouthWorks database user access requests that include documented management approval.
  2. CommCorp should develop, document, and implement policies and procedures for the revocation of user access to the YouthWorks database upon termination of a user’s employment. CommCorp should incorporate periodic access reviews (at least semiannually) to ensure that users’ access rights are limited to their individual job requirements.
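A reconciliation check for the two controls recommended above, as an added example (not CommCorp’s or the auditor’s code): it assumes an HR separation feed and an approval-record id per database account, and reads the standard’s "24 business hours" as weekday clock hours.

```python
"""Access-review reconciliation for a user database (added example, not the
audit's or CommCorp's code). Against constructed records it checks that every
active account has documented approval and that each separated employee's
account was disabled within 24 business hours (IS.003 6.1.8.3.1). "Business
hours" is assumed to mean weekday clock hours, Mon-Fri; adjust as needed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Account:
    user: str
    active: bool
    approval_ref: Optional[str]       # approval record id; None = no evidence
    separated_at: Optional[datetime]  # from HR feed; None = still employed
    disabled_at: Optional[datetime]   # when access was revoked; None = never

def business_hours_between(start: datetime, end: datetime) -> float:
    """Weekday clock hours elapsed from start to end (Sat/Sun excluded)."""
    hours, cur = 0.0, start
    while cur < end:
        midnight = (cur + timedelta(days=1)).replace(hour=0, minute=0, second=0)
        nxt = min(end, midnight)
        if cur.weekday() < 5:  # Monday=0 .. Friday=4
            hours += (nxt - cur).total_seconds() / 3600
        cur = nxt
    return hours

def review(accounts, as_of: datetime, sla_hours: float = 24.0) -> dict:
    """Users lacking approval evidence, and users revoked late or never."""
    out = {"no_approval": [], "late_revocation": []}
    for a in accounts:
        if a.active and a.approval_ref is None:
            out["no_approval"].append(a.user)
        if a.separated_at is not None:
            elapsed = business_hours_between(a.separated_at, a.disabled_at or as_of)
            if a.disabled_at is None or elapsed > sla_hours:
                out["late_revocation"].append(a.user)
    return out

# Constructed sample records (no real users). 2024-03-01 is a Friday.
AS_OF = datetime(2024, 3, 15, 9)
SAMPLE = [
    Account("alice", True, "REQ-101", None, None),
    Account("bob", True, None, None, None),                                                  # no approval
    Account("carol", False, "REQ-102", datetime(2024, 3, 1, 17), datetime(2024, 3, 4, 10)),  # 17 bh, ok
    Account("dave", False, "REQ-103", datetime(2024, 3, 6, 9), datetime(2024, 3, 7, 12)),    # 27 bh, late
    Account("erin", True, "REQ-104", datetime(2024, 3, 8, 12), None),                        # never revoked
]
```

Because the revocation evidence in this finding was lost when user records were deleted from the database itself, the output of such a review is worth retaining outside the system it covers.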

Auditee’s Response

CommCorp’s YouthWorks program experienced tremendous changes during the audit period, which coincided with the Governor’s Declared State of Emergency in response to the COVID-19 pandemic. These changes included a complete program overhaul, transitioning from primarily an in-person summer jobs program pre-pandemic, to a fully remote year-round program. In addition to the program re-design, there was staff turnover on the YouthWorks team during the audit period that presented further challenges with regard to consistent enforcement of established program protocols, policies, and procedures.

YouthWorks is in the final stages of developing a new secure database, which will be implemented on June 10, 2024. That database will have robust internal controls and safeguards to ensure that user access is carefully monitored in a manner consistent with CommCorp’s robust cybersecurity and information technology controls. In addition, CommCorp is implementing standard policies around all terminations or other separations for employment to ensure that revocation of access to systems is coterminous with employment.

The secure database in use during the audit period was maintained by the developer and employees were trained on its use. At all times material, including during the audit period, CommCorp had policies and a procedure manual for the database. The procedure manual contained a section entitled “About the Process for Managing Usernames” which covered access permissions, including guidance on reviewing user access permissions, the frequency of review, and restricting access when appropriate. During the audit period, a now-former employee failed to follow the procedures set forth in the database manual, rendering CommCorp unable to provide evidence of the fact that it limited access when employees separated from CommCorp or were no longer working in the YouthWorks Program. The new database has a comprehensive audit trail and additional security features to safeguard against any similar future oversights.

Auditor’s Reply

As noted above, CommCorp did not have documented management approval for its employees’ access rights to its YouthWorks database for any of the nine active users during the audit period. In addition, CommCorp could not provide evidence that it promptly revoked access rights to its YouthWorks database for any of the nine former users whose employment ended during the audit period.

In its response, CommCorp indicated that, during the audit period, it had “policies and a procedure manual” that “covered access permissions, including guidance on reviewing user access permissions, the frequency of review, and restricting access when appropriate.” We acknowledge that, during the audit period, CommCorp had a database guide documenting information regarding its YouthWorks database. However, this guide did not sufficiently detail how CommCorp justifies the levels of system access to the YouthWorks database for potential users, nor did it mention how to document the approval process (e.g., details regarding approvals from the requestor’s supervisor). This was the cause of our finding regarding CommCorp’s lack of evidence of documented management approval for the employees’ access rights to its YouthWorks database.

We reiterate our recommendation that CommCorp should develop, document, and implement policies and procedures for YouthWorks database user access requests that include documented management approval. As previously stated, CommCorp should also develop, document, and implement policies and procedures for the revocation of user access to the YouthWorks database upon termination of a user’s employment. CommCorp should incorporate periodic access reviews (at least semiannually) to ensure that users’ access rights are limited to their individual job requirements.

Date published: July 9, 2024
