MeVa has still not established an account management policy, nor has it implemented adequate access controls over the use of its information systems, as we recommended in our prior audit (Audit No. 2022-0496-3A). Specifically, we noted the following:
- MeVa does not maintain records to support user account creation, modification, review, or removal.
- MeVa does not perform periodic reviews of user access privileges.
Without a documented account management policy and adequate access controls, MeVa faces an increased risk that employees or contractors could have access to systems and information that they do not need. Accounts may remain active after an employee leaves or changes roles, and access levels may not reflect current job responsibilities. Additionally, the lack of periodic access reviews increases the likelihood that excessive or outdated privileges may go undetected. These weaknesses heighten the risk of data breaches, system misuse, accidental data alteration or deletion, or disruption of critical operations.
The Commonwealth’s Executive Office of Technology Services and Security’s Enterprise Access Management Policy IS.003 establishes the minimum requirements that should be in place to grant, manage, and revoke access to system user accounts. As a best practice, MeVa should follow the Executive Office of Technology Services and Security’s Enterprise Access Management Policy IS.003, which the Massachusetts Department of Transportation is required to follow. This policy states,
6.1.3. Access to information assets must be controlled through a defined process, which includes a periodic review of information system privileges. . . .
6.1.10. Annual review: Managers will review the user access of their direct reports to applications and/or technology infrastructure, on an annual basis, to ensure each user’s access is appropriate to perform the user’s job responsibilities. . . .
6.2.1. Commonwealth Agencies and Offices must establish a documented procedure to grant access to the Commonwealth’s information assets for new hires.
6.2.2. Commonwealth Agencies and Offices must establish a documented procedure to grant and/or revoke access in the event of a role change.
6.2.3. All access requests for both new hires and role changes must be recorded (paper or tool-based) and include both a business justification and management approval.
We strongly recommend that MeVa develop and implement a documented account management policy that defines procedures for creating, modifying, reviewing, and removing user accounts. MeVa should maintain documentation of all account activities and perform periodic reviews, at least annually, of user access privileges to ensure that employees and contractors only have the proper permissions necessary for their current roles.
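As an added illustration, not part of the audit report, the following Python script shows the kind of periodic access review the recommendation describes: it reconciles an account inventory against the HR roster and flags accounts whose owner has left or was never onboarded, whose privileges no longer match the owner's role, whose creation lacks a recorded approval, or whose last review is older than a year. All account data, roster entries and ticket ids are constructed.

```python
from datetime import date

# Constructed sample data (not from the audit). ACCOUNTS is what an IT
# department might export from a directory; ROSTER is HR's authoritative
# list of who currently works where and in what role.
ACCOUNTS = [
    {"user": "asmith", "role": "dispatcher", "approval": "REQ-101", "last_review": date(2025, 3, 1)},
    {"user": "bjones", "role": "admin",      "approval": None,      "last_review": date(2025, 6, 15)},
    {"user": "clee",   "role": "finance",    "approval": "REQ-142", "last_review": None},
    {"user": "dkhan",  "role": "finance",    "approval": "REQ-150", "last_review": date(2024, 1, 10)},
]
ROSTER = {
    "asmith": {"status": "active", "role": "dispatcher"},
    "bjones": {"status": "active", "role": "helpdesk"},   # role changed, account never updated
    "clee":   {"status": "terminated", "role": "finance"},
    # dkhan is absent from HR entirely (e.g. a contractor who was never onboarded)
}
REVIEW_PERIOD_DAYS = 365          # annual review, per IS.003 6.1.10
AS_OF = date(2025, 12, 1)         # date the review is run (constructed)


def review_accounts(accounts, roster, as_of):
    """Reconcile accounts with HR; return {user: [issue, ...]} for accounts needing action."""
    findings = {}
    for acct in accounts:
        issues = []
        person = roster.get(acct["user"])
        if person is None or person["status"] != "active":
            issues.append("orphaned")        # owner left or never onboarded (6.2.2)
        elif person["role"] != acct["role"]:
            issues.append("role-mismatch")   # privileges no longer fit the job (6.1.10)
        if not acct["approval"]:
            issues.append("no-approval")     # no recorded justification/approval (6.2.3)
        last = acct["last_review"]
        if last is None or (as_of - last).days > REVIEW_PERIOD_DAYS:
            issues.append("review-overdue")  # periodic review not evidenced (6.1.3)
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in sorted(review_accounts(ACCOUNTS, ROSTER, AS_OF).items()):
        print(f"{user}: {', '.join(issues)}")
```

The returned dictionary is the evidence an auditor would ask for: each flagged account, the reason, and the date the review was performed.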
Auditee’s Response
MVATC, during the review period, had only a one-person [Information Technology] Department. The matter was a recommendation in the last audit, as it is a recommendation now. However, MeVa Compliance agrees with the need to implement these practices, as well as other best practices not mentioned, now that we have two people with access to user management privileges. A number of policies are already being created and implemented now.
Auditor’s Reply
Based on its response, MeVa is taking measures to address our concerns regarding this matter. As part of our post-audit review process, we will follow up on this matter in approximately six months.
Date published: May 5, 2026