DIA Had Inadequate Logical Access Controls for Its CMS.

DIA did not have adequate logical access controls for its CMS. Specifically, DIA did not retain employees’ security awareness training certificates, did not have documented management approval for certain employees’ access rights in the CMS, did not always immediately revoke terminated employees’ access rights to the CMS, and did not have a business continuity plan (BCP). Inadequate logical access controls could compromise the security and integrity of DIA’s data.

During our audit period, 232 employees were active CMS users. We randomly selected a nonstatistical sample of 41 employees and determined that there were no security awareness training certificates in 25 employees’ personnel files to show that they had completed either initial or annual training. Insufficient security awareness training may lead to user error and compromise the integrity and security of protected information in DIA’s CMS.

Authoritative Guidance

Section 6.2.4 of the Executive Office of Technology Services and Security’s (EOTSS’s) “Information Security Risk Management Standard,” which was put into effect October 18, 2018, states, “All personnel will be required to complete Annual Security Awareness Training.”

Section 6 of Executive Order 504, which was effective from January 1, 2009 through October 25, 2019, states,

All agency heads, managers, supervisors, and employees (including contract employees) shall attend mandatory information security training within one year of the effective date of this Order. For future employees, such training shall be part of the standardized orientation provided at the time they commence work. Such training shall include, without limitation, guidance to employees regarding how to identify, maintain and safeguard records and data that contain personal information.

Reasons for Noncompliance

DIA did not have a formal process to ensure that security awareness training certificates were collected and retained in each employee personnel file.

Auditee’s Response

Each staff member is required to review and acknowledge in writing receipt of a range of policy documents annually, including a security awareness policy, and the documents are retained by the Executive Office of Labor and Workforce Development Office of Human Resources (EOLWD HR) in the staff member’s personnel file. The Department of Industrial Accidents (DIA) will work with EOLWD HR to ensure the security awareness training certificate is included in the personnel file and will retain a copy of the certificate in the DIA’s internal document management system.

We randomly selected a nonstatistical sample of 41 of the active CMS users from the audit period and determined that 25 did not have management approval for access to the CMS in their employee personnel files. Without management approval, there was insufficient verification that the user accounts were limited to the fewest privileges necessary for employees’ job duties. This increases the risk of some employees having access to and/or altering personal information in the CMS beyond what their job duties require.

Authoritative Guidance

Section 2.1 of EOTSS’s “Enterprise Access Control Security Standards,” which were in effect from May 14, 2012 through October 15, 2018, state,

Access control procedures for user registration and de-registration must include . . .

• Validation of user’s authorization for the use of the information system or service from the system or service owner.

Section 6.1.4.3 of EOTSS’s “Access Management Standard,” effective October 15, 2018, states, “User access requests shall be recorded (paper or tool-based) and approved by the requestor’s supervisor.”

Reasons for Noncompliance

DIA did not have a formal process for recording and maintaining approvals of CMS user access requests.

Auditee’s Response

The historical practice of the Department of Industrial Accidents (DIA) has been to assign CMS access at the written request of a supervisor or manager. The request is submitted the Sr. Software Developer with the specific role(s) and security level(s) identified for the employee. The Sr. Software Developer is then responsible for creating CMS accounts with unique login credentials and the appropriate security level(s).

The supervisor or manager’s written request to the Sr. Software Developer serves as documented approval for access. An employee’s access will only change in cases of separation, promotion, or change of job function. Access changes are also made at the written request of a supervisor or manager.

The DIA will not change this practice, as it has been effective in ensuring that employees have only the necessary access required to perform their job functions. However, the DIA will create a policy document that details the described process and update the DIA’s Internal Control Plan document. The process document is expected to be completed by April 30, 2021 and the Internal Control Plan will be completed by the end of the current fiscal year as required by the Office of the Comptroller.

Of the 23 employees terminated during our audit period, 2 did not have their access to the CMS revoked immediately upon termination. This increases the risk of terminated employees improperly accessing CMS information, including claimants’ personal health information and personally identifiable information.

Authoritative Guidance

EOTSS’s “Enterprise Access Control Security Standards,” effective May 14, 2012, state, “A terminated employment status must be reflected in the users’ access privileges immediately upon termination being carried out.”

Reasons for Noncompliance

DIA management stated that it was an oversight that the two terminated employees still had access to its CMS. Management immediately revoked access when we notified them.

Auditee’s Response

The Department of Industrial Accidents’ (DIA) current practice is for a supervisor or manager to submit a written request to the Sr. Software Developer to revoke access immediately upon an employee’s separation. During the audit period this practice was 92% effective and a change in process to revoke access is not warranted.

For an additional check on this process, the DIA is implementing monitoring procedures that include partnering with the EOLWD Office of Internal Control and Security to implement a quarterly review of access and appropriate access levels. This review process will be implemented [by] April 30, 2021.

Although DIA had a draft BCP, it had not been formally developed. A BCP, in conjunction with EOTSS policies, provides for the timely restoration of mission-critical and essential business functions. It is important that DIA have a BCP in place, because a BCP ensures that staff members are sufficiently trained in recovery efforts for mission-critical applications such as DIA’s CMS.

Authoritative Guidance

Section 14 of EOTSS’s “Enterprise Information Security Policy,” effective March 7, 2014, states,

Agencies are required to document, implement and annually test plans including the testing of all appropriate security provisions to minimize impact to systems or processes from the effects of major failures of IT Resources or disasters.

EOTSS’s “Business Continuity and Disaster Recovery Standard,” effective October 15, 2018, states, “[Commonwealth executive offices and agencies] shall develop BCPs for critical business processes.”

Reason for Noncompliance

DIA stated that it would not formally develop a BCP until it finished moving its main office to another location.

Auditee’s Response

The Department of Industrial Accidents (DIA) has recently implemented a complete Business Continuity Plan (BCP). During the audit period, the DIA had a fully developed draft BCP that was formulated in accordance with the EOTSS Business Continuity and Disaster Recovery Standard, and the relevant state and federal guidelines. However, the document required updates to include the DIA’s migration of operations to the cloud. The DIA will review the BCP annually to ensure it remains current and accurately reflects risks and planned responses.

1. DIA should keep security awareness training certificates in employee personnel files.
2. DIA should develop a formal process to ensure that security awareness training certificates are collected and retained in each employee’s personnel file.
3. DIA should develop a formal process for recording and maintaining approvals of CMS user access requests.
4. DIA should revoke employees’ access to its CMS immediately upon termination.
5. DIA should formally develop a BCP.