Offered by the Office of the State Auditor

DYS Did Not Always Revoke Terminated Employees’ User Access to Its Case Management System in a Timely Manner.

As a result, information could have been vulnerable to unauthorized access.

Overview

During the audit period, DYS did not ensure that user access to its case management system, the Juvenile Justice Enterprise Management System (JJEMS), was revoked immediately, or within 24 business hours, when DYS’s or its vendors’ employees were terminated. Specifically, 311 terminated JJEMS users did not have their user access revoked in a timely manner. The time it took to revoke terminated users’ access to JJEMS ranged from 3 to 2,341 business days after their termination dates. As a result, JJEMS information could have been vulnerable to unauthorized access, including youths’ personal health information and personally identifiable information.
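The audit test described above is a reconciliation: match each terminated user's termination date from HR against the date the account was actually deactivated, count the business days in between, and flag every user whose access outlived the 24-business-hour (one business day) window. The following is an added example of that reconciliation; it is not code from the report or from DYS or EOHHS. The user IDs and dates are constructed sample data, the names `reconcile` and `business_days_between` are hypothetical, and business days are assumed to be Monday through Friday with holidays ignored.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample data (not from the report): HR termination dates and the
# dates the corresponding case-management accounts were deactivated.
TERMINATIONS: Dict[str, date] = {
    "u1001": date(2021, 3, 1),   # Monday
    "u1002": date(2021, 3, 5),   # Friday
    "u1003": date(2021, 3, 10),  # Wednesday
    "u1004": date(2021, 3, 12),  # Friday; no deactivation record at all
}
DEACTIVATIONS: Dict[str, date] = {
    "u1001": date(2021, 3, 2),   # next business day: within the window
    "u1002": date(2021, 3, 8),   # Monday after a Friday: still one business day
    "u1003": date(2021, 3, 17),  # five business days late
}


def business_days_between(start: date, end: date) -> int:
    """Count weekdays after `start` up to and including `end`.

    Assumption: business days are Monday-Friday; public holidays are ignored.
    """
    if end < start:
        raise ValueError("end precedes start")
    days = 0
    current = start
    while current < end:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 are Monday..Friday
            days += 1
    return days


@dataclass
class Finding:
    user_id: str
    terminated: date
    deactivated: Optional[date]   # None means access was never revoked
    lag_business_days: int


def reconcile(terminations: Dict[str, date],
              deactivations: Dict[str, date],
              as_of: date,
              max_lag: int = 1) -> List[Finding]:
    """Return terminated users whose access was not revoked within `max_lag`
    business days. A user with no deactivation record is measured against
    `as_of` (the audit cut-off) and is always reported."""
    late: List[Finding] = []
    for uid, terminated in sorted(terminations.items()):
        deactivated = deactivations.get(uid)
        measured_to = deactivated if deactivated is not None else as_of
        lag = business_days_between(terminated, measured_to)
        if deactivated is None or lag > max_lag:
            late.append(Finding(uid, terminated, deactivated, lag))
    return late


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Headline figures of the kind an audit finding reports: how many users
    were late, and the shortest and longest lag in business days."""
    if not findings:
        return {"count": 0}
    lags = [f.lag_business_days for f in findings]
    return {"count": len(findings), "min": min(lags), "max": max(lags)}


if __name__ == "__main__":
    findings = reconcile(TERMINATIONS, DEACTIVATIONS, as_of=date(2021, 3, 31))
    for f in findings:
        status = f.deactivated.isoformat() if f.deactivated else "NEVER"
        print(f"{f.user_id}: terminated {f.terminated}, deactivated {status}, "
              f"lag {f.lag_business_days} business days")
    print(summarize(findings))
```

Measuring the lag in business days rather than calendar days matters because a Friday termination revoked on Monday is compliant under a one-business-day standard; counting calendar days would produce false findings at every weekend. Accounts with no deactivation record are the most important output, since those are the ones still open at the audit cut-off.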

Authoritative Guidance

Sections 6.1.6 through 6.1.6.2.1 of the Executive Office of Technology Services and Security’s Enterprise Security Office Access Management Standard IS.003 state that all Commonwealth executive offices and agencies must ensure that security administration personnel (in this case, the Information Technology [IT] Department of the Executive Office of Health and Human Services [EOHHS]) are informed when an employee is terminated so they can revoke user access within 24 business hours.

Reasons for Issue

To terminate a system user’s access to JJEMS, DYS’s Human Resources (HR) Department must notify EOHHS’s IT Department when the user’s employment has been terminated so that EOHHS, which supports JJEMS for DYS, can update its system information to reflect this change. However, DYS’s policies and procedures do not establish a timeframe by which its HR Department must notify EOHHS of any changes in an employee’s status that would warrant the revocation of the employee’s JJEMS access.

Recommendation

DYS should amend its policies and procedures to require that its HR Department notify EOHHS’s IT Department immediately when an employee has been terminated.

Auditee’s Response

In 2016, the Department of Youth Services (DYS), together with the Executive Office of Health and Human Services (EOHHS), undertook to deactivate the Juvenile Justice Enterprise Management System (JJEMS) [DYS’s electronic case management system of youth in its care and custody] accounts of all users who no longer worked for DYS or a DYS contracted provider agency. This effort required assistance from EOHHS because it manages the Virtual Gateway (VG) and access to JJEMS is only available to individuals who have access to the VG. The completion of this effort, which occurred during the audit period, culminated in the deactivation of dormant accounts but as noted by the state audit team, not within the 24 business hours contemplated by Sections 6.1.6–6.1.6.21 of the Executive Office of Technology Services and Security’s “Enterprise Security Office Access Management Standard.” [DYS notes that the Executive Office of Technology Services and Security was established on August 7, 2017 and published its handbook of Enterprise Information Security Policies Standards on October 5, 2018, during the audit period.] The comprehensive process DYS undertook with EOHHS, however, allowed it [to] close all user accounts for individuals whose employment had ceased as well as identify isolated cases where significantly more time had elapsed and remove those former employees.

At the same time, the Department also recognized the need for stronger internal controls to better manage the timely deactivation of former employee JJEMS accounts particularly when more than 50% of the JJEMS users are contracted provider employees. This was accomplished by the Department implementing the following ongoing processes for tracking and modifying access to JJEMS accounts:

  1. In 2016, DYS added a review component to the URF (User Request Form) process used to create and disable JJEMS accounts. For state employees, the Department’s human resources staff and JJEMS staff (JJEMS Regional Administrators or JRAs) are working with state managers, at the time of hire or separation of employment, to ensure that URFs are timely and accurately completed before sending them to the VG team at the EOHHS to process. For contracted provider employees, the provider’s employee designated VG Access Administrator is responsible for ensuring the URF is timely and accurately completed before forwarding it to a shared mailbox for a second review by a JRA who then sends it to the VG team to process.
  2. In 2020, DYS added to its contracts with providers a requirement that the contracted provider notify DYS and the EOHHS VG team within one business day of any change in the employment status of its employees.
  3. Since 2017, the JRAs have been sending a monthly list of JJEMS users to state and provider program managers to review and report back any changes to the list due to new hires or terminations.
  4. DYS is implementing a formal quarterly quality assurance process established in 2021 that includes the review of personnel and staffing changes.

All four of these measures are improving the Department’s ability to get the JJEMS accounts of terminated state and provider employees deactivated in a timely manner.

Auditor’s Reply

Based on its response, DYS is taking measures to address our concerns on this matter.

Date published: March 14, 2022
