EOEA’s APS System Controls Need Improvement.

Agency reports it is taking steps to improve the security of its APS system.

Table of Contents

Overview

EOEA has not established adequate access controls and other security controls over APS. These deficiencies place the sensitive data stored in APS at a high risk of unauthorized access and/or improper disclosure.

When assessing the controls that EOEA had established over APS, we found the following issues:

  • EOEA management does not have authorization controls to approve access to APS for new users when new accounts are created. Therefore, there is a high risk that the system can be accessed by people who are not authorized or approved to use the system or are not employed by EOEA.
  • EOEA does not have adequate logical access controls in place over APS that would lock a user out of APS after a number of failed login attempts. Failed login attempts do not lock users out of the system, irrespective of the number of login attempts.
  • EOEA does not have multifactor authentication procedures13 in place for logging into the system. Without access controls over login attempts, a person could conduct brute-force cracking14 to gain unauthorized access to APS. Without multifactor authentication, a user could log into APS without having to answer a set of security questions to validate that they are an authorized user.
  • EOEA does not have an effective system lockout feature that is implemented after a certain number of failed login attempts or periods of user inactivity. After a period of user inactivity in APS, users are locked out and have to log back in; however, the period is approximately five hours. If a user is away from their computer, a person who attempts to gain unauthorized access has enough time to obtain or manipulate data containing sensitive and personal information.
  • EOEA does not properly monitor intake and investigation event logs. EOEA performs as-needed reviews of event logs for intakes and investigations in APS that record user activity at a specific date and time; however, routine reviews would be more likely to uncover some of the deficiencies identified in Finding 2, such as abuse reports that are not linked to investigations.

Authoritative Guidance

The Executive Office of Technology Services and Security’s Enterprise Information Security Policy states,

Agencies are required to implement policies, associated procedures and controls that protect the agency’s information assets, including but not limited to personal information and IT Resources from all threats, whether internal or external, deliberate or accidental.

Section AC-2E of National Institute of Standards and Technology Special Publication 800-5315 states that organizations should “require approvals by [organization-defined personnel or roles] for requests to create system accounts.”

Section AC-7 of that publication states that information systems should “enforce a limit of . . . consecutive invalid logon attempts by a user.”

Section AC-11 states that information systems should “prevent further access to the system by initiating a device lock after [an organization-defined time period] of inactivity or upon receiving a request from a user.” A best practice for this criterion would be to implement a device lock on a user’s computer after 15–30 minutes of user inactivity, as opposed to the five hours currently allowed in APS.

Section AU-6 states that organizations should “review and analyze system audit records [at an organization-defined frequency] for indications of [organization-defined inappropriate or unusual activity].”

Finally, Section IA-1 states that organizations should do the following:

a. Develop, document, and disseminate . . .

  1. An identification and authentication policy that:
    (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and . . .
     
  2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification controls.

Reasons for Inadequate Controls

EOEA officials told us they had contracted with a vendor to develop and maintain APS and had depended on the vendor to establish the security of the system. However, EOEA did not manage the vendor to ensure that the system security expectations were met.

EOEA’s policies and procedures do not adequately address APS system identification and authentication risks and controls.

Recommendations

  1. EOEA should screen and approve new users’ access to APS.
  2. EOEA should establish and implement written system security access policies and procedures, within a control plan, that are specific to employees using APS and include, but are not limited to, the following:
    1. approval of access to APS for new users before new accounts are created and use of APS is granted
    2. access controls that address entry into the system via password login, as well as lockout of APS users after shorter periods of inactivity
    3. monitoring of user activity and oversight of intake and investigation logs

Auditee’s Response

Recommendation 1

Currently, the responsibility of screening and approving APS user access rests with the PSA’s, since they are the employers of the new users and are best positioned to determine the appropriateness of granting APS access. Once a PSA determines that a new user should access APS, a written request (utilizing a standardized form) is submitted to EOEA and the access to APS is established.

EOEA’s Protective Services Program Regional Managers will review APS new user access requests prior to APS access being granted. EOEA expects to implement this new process in the fall of 2018. 

Recommendation 2

On June 25, 2018, EOEA implemented and communicated to the PSA’s that individuals will be locked-out of the APS system after 3 failed log-in attempts (requiring contact with an APS System Administrator in order to have access restored), and that the APS system idle time will be reduced to 1 hour from the present 2 hour period for which re-logging-in will be required. As such, we believe no further corrective action is required.

Auditor’s Reply

Based on its response, EOEA is taking measures to address our concerns in this area.

13.    Under this type of procedure, a person is required to provide two or more pieces of evidence (e.g., password, fingerprint scan) to validate their identity and gain access to the system.

14.    Brute-force cracking is continual trial and error to try to log into a computer system to gain unauthorized access.

15.    This document provides practices and guidance for security and privacy controls to protect information and people from errors, security threats, and other threats.

Date published: October 9, 2018

Help Us Improve Mass.gov  with your feedback

Please do not include personal or contact information.
Feedback