Overview
The Plymouth County Sheriff’s Department (PCSD) has not established adequate internal controls over its information technology (IT) systems: the Offender Management System and the Correctional Electronic Medical Records System. Specifically, PCSD has no written policies and procedures for administering critical aspects of these systems, such as the following:
- IT system access
- IT system cybersecurity awareness training
- IT system audit and accountability
- IT system identification and authentication
- IT system user rights
Further, PCSD does not have an IT continuity of operations plan or disaster recovery plan that provides a framework for ensuring the continuity of its IT systems if an emergency affects them. In comparison, standards established by the National Institute of Standards and Technology's Special Publication 800-53r5 include developing IT policies and procedures that contain IT continuity of operations and disaster recovery plans.
In addition to not having the aforementioned policies and procedures, PCSD does not conduct certain critical IT system control activities. Specifically, PCSD does not provide cybersecurity awareness training to any of its employees who have access to its IT systems, and it does not periodically review employees' system user rights. In comparison, standards established by the National Institute of Standards and Technology's Special Publication 800-53r5 include conducting IT system control activities such as regular cybersecurity awareness training for all employees and periodic review of employees' IT system user rights.
In the opinion of the Office of the State Auditor, PCSD should take immediate measures to improve the internal controls over its IT systems. Inadequate or nonexistent controls make the information in PCSD’s IT systems more vulnerable to unauthorized access and use by employees and to cyberattacks that could result in financial and/or reputational losses.
Date published: March 15, 2024