Overview
During our review of Attenti Event Monitor (EM) Manager and SCRAMNET information technology general controls, we identified a number of issues that warrant attention from the Office of the Commissioner of Probation (OCP). These issues concern (1) incomplete or missing system approval documentation (e.g., lack of an Access Request Form for SCRAMNET), (2) user access rights that were inconsistent with employees’ job functions, (3) employees not completing cybersecurity awareness training, (4) missing evidence of Criminal Offender Record Information (CORI) checks, and (5) terminated employees not having their system access removed in accordance with state or vendor policies. (See Appendix C for a summary of issues found.)
We selected 50 current active users and 5 new active users out of a population of 1,074 employees who used Attenti EM Manager, SCRAMNET, or both during the audit period. Current users are OCP employees hired before the audit period, and new users are OCP employees hired during the audit period. Because the auditee uses two systems, we chose two unique lists of 25 employees, one list for each system, who were identified in the system as active users throughout the entire audit period. For the new-user test, we chose 5 employees who had access to both systems during the audit period.
1. Evidence of Access Rights Approval
To determine whether employees’ access rights were properly authorized, we requested the Access Request Forms for our sample of 55 employees. This constituted a request for 60 Access Request Forms, because 5 of the employees in our sample received access to both Attenti EM Manager and SCRAMNET. In our review, we found that in 54 of 60 instances, an Access Request Form was missing or did not contain the required OCP and/or vendor signatures authorizing the requested access.
Section 6.1.4.3 of the Executive Office of Technology Services and Security’s (EOTSS’s) “Access Management Standard” states, “User access requests shall be recorded (paper or tool-based) and approved by the requestor’s supervisor.” This standard applies to any Commonwealth entity that voluntarily uses, or participates in services provided by, EOTSS, such as mass.gov.
Section 1.5.7 of OCP’s internal control plan states, “Department heads must limit access to resources and records to authorized individuals.”
OCP management stated that Access Request Forms and signatures were missing for Attenti EM Manager because of a lack of management oversight and that the Attenti EM Manager Access Request Form was outdated and in the process of being replaced. They also stated that the reason there were missing Access Request Forms for SCRAMNET was that OCP had implemented SCRAMNET in November 2015 and no Access Request Form had been created for this system. Finally, OCP management told us they were considering a new combined Access Request Form for Attenti EM Manager and SCRAMNET.
Not having adequate access controls could compromise the security and integrity of sensitive OCP case data. OCP should update its forms and ensure that all necessary signatures and approvals from OCP and its vendor appear on these documents.
2. Evidence of Appropriate User Permission Rights
In 3 of the 60 instances we reviewed where employees were granted access to Attenti EM Manager, SCRAMNET, or both, user permission rights did not correspond with the system access level appropriate to the employees’ positions.
Section 6.1.5.1 of EOTSS’s “Access Management Standard” states,
The Information Owner or Information Custodian shall verify that the type of access requested is required for the user’s role and responsibilities.
This standard applies to any Commonwealth entity that voluntarily uses, or participates in services provided by, EOTSS, such as mass.gov.
The Attenti Group’s “Access Control Policies and Procedures” states,
Customers [in this case, OCP] submit an “Access Request Form.” Account representatives [at the Attenti Group] will approve these forms for the creation, modification, and [termination of customer user accounts]. Those forms are sent to the Monitoring Center, who will create/modify/[terminate] the [customer user accounts]. Only permissions requested are granted, based on the review by the account representative.
Section 3.1 of SCRAM Systems’ “Access Control Policy ([Information Security Management System, or ISMS])” states,
A request for access to the organization’s network and computer systems shall first be submitted to the [SCRAM Systems information technology] Service Desk for approval. All requests will be processed according to a formal procedure that ensures that appropriate security checks are carried out and correct authorisation is obtained prior to user account creation.
OCP management told us that the reason for two of these instances was poor internal communications and that in the third instance, management did not update an employee’s permission rights to reflect that person’s new position at OCP.
Inappropriate permission rights could compromise the security and integrity of OCP data. OCP should ensure that user permission rights correspond to the system access level appropriate to each employee’s position.
3. Evidence of Annual Security Awareness Training
OCP only began conducting cybersecurity awareness training in March 2020, and 7 of 55 users tested had not completed it as of the end of our audit period.
Section 6.2.4 of EOTSS’s “Information Security Risk Management Standard” states, “All personnel will be required to complete Annual Security Awareness Training.” This standard applies to any Commonwealth entity that voluntarily uses, or participates in services provided by, EOTSS, such as mass.gov.
OCP management told us that EOTSS training standards did not apply to OCP. However, OCP management told us that the Trial Court had implemented online security awareness courses that all judges and court staff members must complete. Based on training records provided by OCP, these courses were first provided to OCP employees on March 6, 2020.
Insufficient cybersecurity awareness training may lead to user error and compromise the integrity and security of protected information at OCP. OCP should ensure that all employees who use Attenti EM Manager and SCRAMNET take annual cybersecurity awareness training.
4. Evidence of Background Check
For 20 of 55 users tested, there was no evidence of a completed CORI check. The Trial Court Personnel Policies and Procedures Manual contains the following requirements:
- General Requirements
- The Human Resources Department will conduct a criminal record check on the final candidate(s) for appointment as a new hire to any Trial Court position. . . .
- Record Keeping Requirements . . .
- CORI check results and CORI request forms shall be kept for the duration of employment and no more than seven years from the last date of employment.
OCP told us that it had no control over the CORI check process performed by the Trial Court’s Human Resources (HR) Department. Although the HR Department could not locate the CORI checks, OCP management did state that only employees who pass required CORI checks are hired.
Not completing CORI checks could cause OCP to give individuals with serious convictions access to personally identifiable information as well as probation monitoring information that is crucial to public safety. OCP management should work with the Trial Court to ensure that all completed CORI checks are filed accurately and are easily accessible if needed.
5. Evidence of Promptly Terminated Access Privileges
Nine user accounts, out of a total of 125 accounts belonging to employees who were terminated during the audit period, were still coded as “enabled” in Attenti EM Manager and/or “active” in SCRAMNET. OCP could not explain specifically why the accounts were not deactivated or provide exact dates when they were deactivated. EOTSS’s document “Enterprise Access Control Security Standards” states, “Terminated employment status must be reflected in the users’ access privileges immediately upon termination being carried out.” It also states,
This standard applies to . . . any entity that uses [EOTSS]-controlled resources to access the Commonwealth’s wide area network ([Massachusetts Access to Government Network]). . . . Other Commonwealth entities are encouraged to adopt this or a similar standard.
OCP’s vendors, the Attenti Group and SCRAM Systems, also have standards for termination of user access privileges. According to the Attenti Group’s “Access Control Policies and Procedures,”
Customers [in this case, OCP] are trained to inform Attenti for the removal of terminated users immediately, or within 5 business days for voluntary termination or change of responsibilities. . . .
For departing users [at OCP], HR creates a ticket with the date of the end of employment. This is done within 5 business days for voluntary end of employment, or on the same day for termination.
SCRAM Systems’ “Access Control Policy (ISMS)” states,
When an employee leaves the organization under normal circumstances, their access to computer systems and data shall be suspended at the close of business on the employee’s last working day.
Not deactivating terminated employees’ access rights in a timely manner increases the risk of terminated employees improperly accessing offender and victim information, including personal and location information. This could lead to public safety risk if information is passed to unauthorized parties. OCP should revoke employees’ access to its systems in accordance with the timelines in Attenti Group’s and SCRAM Systems’ access control policies.
Additionally, OCP should update its internal control plan to incorporate an information system control section to reduce the risk of these issues occurring.
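As an added illustration (not part of the audit report or either vendor's tooling), the following reconciliation check implements the timelines quoted above: a SCRAMNET account is due for suspension on the employee's last working day, and an Attenti EM Manager account on the same day for an involuntary termination or within 5 business days for a voluntary one. The HR termination list, account exports, usernames and dates are all constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical users and dates, not audit findings).
TERMINATIONS = [  # weekly HR termination list
    {"user": "jdoe", "last_day": date(2020, 3, 2), "voluntary": True},
    {"user": "asmith", "last_day": date(2020, 3, 5), "voluntary": False},
    {"user": "bking", "last_day": date(2020, 4, 10), "voluntary": True},
]
ACCOUNTS = [  # account status exported from each system
    {"user": "jdoe", "system": "Attenti EM Manager", "status": "enabled", "disabled_on": None},
    {"user": "asmith", "system": "SCRAMNET", "status": "inactive", "disabled_on": date(2020, 3, 5)},
    {"user": "bking", "system": "SCRAMNET", "status": "active", "disabled_on": None},
    {"user": "bking", "system": "Attenti EM Manager", "status": "disabled", "disabled_on": date(2020, 4, 14)},
]
ACTIVE_STATUSES = {"enabled", "active"}  # "enabled" in Attenti EM Manager, "active" in SCRAMNET

def add_business_days(start, n):
    """Advance `start` by n weekdays (weekends skipped; holidays not modelled)."""
    day = start
    while n > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:
            n -= 1
    return day

def deadline(term, system):
    """Latest date the account may still be active under the vendor policy quoted in the report."""
    if system == "SCRAMNET" or not term["voluntary"]:
        return term["last_day"]            # close of business on last working day / same day
    return add_business_days(term["last_day"], 5)  # Attenti: 5 business days for voluntary departures

def find_overdue(terminations, accounts, as_of):
    """Return (user, system, condition, days_late) for every account that missed its deadline."""
    by_user = {t["user"]: t for t in terminations}
    findings = []
    for acct in accounts:
        term = by_user.get(acct["user"])
        if term is None:
            continue  # still employed; not part of this check
        due = deadline(term, acct["system"])
        if acct["status"] in ACTIVE_STATUSES:
            if as_of > due:
                findings.append((acct["user"], acct["system"], "still active", (as_of - due).days))
        elif acct["disabled_on"] is not None and acct["disabled_on"] > due:
            findings.append((acct["user"], acct["system"], "disabled late", (acct["disabled_on"] - due).days))
    return findings

if __name__ == "__main__":
    for row in find_overdue(TERMINATIONS, ACCOUNTS, date(2020, 6, 30)):
        print("%s / %s: %s (%d days past deadline)" % row)
```

Accounts disabled on time (asmith, and bking's Attenti account) produce no finding; the two accounts still active past their deadline are reported with the number of days overdue.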
Auditee’s Response
The following addresses the information technology control issues identified in the “Other Matters” section of the report and provides detail as to how the Office of the Commissioner of Probation / [Electronic Monitoring, or ELMO] has since strengthened its information technology general controls.
To address the issues of (1) incomplete or missing system approval documentation and (2) user access rights that were inconsistent with employees’ job functions, we created and now use the [Global Positioning System, or GPS] and Remote Alcohol Monitoring Software Access Form. This form must accompany the ELMO System Access User Agreement and is an updated form that is used to request electronic access to the Massachusetts Probation Service’s [MPS’s] GPS and Remote Alcohol Monitoring case management platforms or to request a change in one’s current access level. These forms are located within the Courtyard, the Trial Court’s intranet site, which is used to share news, updates, memos, transmittals, resources, and other information. Completed forms are submitted via e-mail attachment. . . . The form is then reviewed by the ELMO Systems Manager and the Attenti Account Representative. This updated form and process helps ensure sensitive case data is secure and user access rights are consistent with employees’ job functions.
To further ensure user access rights are consistent with employees’ job functions, ELMO receives a termination list from the Office of the Commissioner of Probation’s Personnel Department on a weekly basis. This list contains the names and positions of all terminated employees and we cross-reference it and update the ELMO Terminated Account Access Log to ensure employees that are no longer working for the MPS have their ELMO software accounts deactivated, which resolves the issue of (5) terminated employees not having their system access removed in accordance with state or vendor policies. This process is conducted by the Statewide Manager of ELMO, the Attenti Account Representatives, and the ELMO Administrative Coordinator. In addition, the Office of the Commissioner of Probation devised the Massachusetts Probation Service Personnel Security Policy, which consists of steps Department Heads shall take to ensure employees’ access to confidential information, available through a variety of sources, is promptly suspended or terminated when appropriate.
To address the issue of (3) employees not completing cybersecurity awareness training, MPS employees had to complete the mandatory online security awareness courses that were introduced by the Trial Court in March 2020. In June 2021, the Judiciary implemented a policy requiring annual information security training that included suspension of digital access for those that did not comply within the allotted training window.
Last, to address the issue of (4) missing evidence of Criminal Offender Record Information (CORI) checks, the Office of the Commissioner of Probation is now creating and filing its own copies of the CORI completion/compliance forms, which are typically kept at the Office of Court Management. This will help ensure all completed CORI checks are filed accurately and are easily accessible.
In sum, the Office of the Commissioner of Probation / ELMO has since strengthened its information technology general controls.
Auditor’s Reply
Based on its response, OCP is taking measures to address our concerns on this matter. OCP should also update its internal control plan to incorporate an information system control section to reduce the risk of issues associated with access controls and permission rights, ensure that cybersecurity training is conducted, and ensure that CORI checks are completed in accordance with its policies and procedures.
Date published: November 8, 2021