Physical Security Vulnerabilities Exist at the Massachusetts Bay Transportation Authority’s Bus and Rail Maintenance Facilities.

During our audit period, the MBTA did not consistently maintain documentation to substantiate that it physically retrieved and destroyed the employee access ID cards of separated employees. Specifically, of the 65 former employees’ files we reviewed, only 19 (29%) contained documentation indicating that the card had been returned to the MBTA. None of the 65 employees’ files contained any documentation indicating that the card had been physically destroyed.

Former MBTA employees or other unauthorized individuals in possession of MBTA employee access ID cards could have access to secured areas of the MBTA. Unauthorized individuals using these cards would significantly increase the MBTA’s vulnerability to unauthorized access and potentially a wide variety of criminal acts. For instance, although a card may be deactivated (not allowing access to doors and gates), it could still be presented at security checkpoints, including at MBTA stations or on vehicles not equipped with automated fare gates, potentially allowing a person to avoid screening and/or be admitted for free. 

Authoritative Guidance

MBTA’s “Employment Separations” policy states,

Whenever practicable, employees who separate from the Authority should complete the Exit Interview Process as established by the Authority. As part of this process or otherwise, employees are required to promptly return any Authority property (e.g., vehicles, tools, electronics, badges, cards, etc.) that may be in their control, possession or custody.

The MBTA Employee Policy Manual requires employees to return all property, including their employee IDs, upon leaving the agency and states that the MBTA reserves the right to withhold any final payment due an employee until the property is returned. Through discussions with MBTA management, we determined that the MBTA had established a practice of retrieving and destroying the employee access ID cards of separating employees. Recognizing the importance of collecting cards upon separation, the MBTA has developed an “Inventory Reclamation Sheet” that is supposed to be used to document whether a separating employee’s card has been collected. Although MBTA policies do not specifically require the MBTA to document the destruction of collected cards, we believe it is important that this part of the separation process be completed in every case.

Reasons for Issue

The MBTA does not have adequate policies, procedures, and monitoring controls to ensure that employee access ID cards are returned and destroyed when employees leave the agency. Although employees are encouraged to participate in an exit interview on or before their last day of employment, MBTA officials told us that this interview is not mandatory and is not consistently conducted.

Based on our discussions with MBTA officials and review of policies, there was inconsistency regarding when exit interviews are conducted. MBTA’s Human Resources Department (HR) told us that exit interviews are not conducted for retirees, discharged employees, or interns. However, the MBTA’s documented “Exit Interview Package Guidelines” state that the interview is “mandatory” and “must be conducted prior to or on the employee’s last day.” These guidelines also state that even if an employee does not show up for an exit interview, a supervisor should still fill out and process the exit interview paperwork for the employee. There is even a page of the exit interview paperwork that asks employees to specify whether their reason for separation is “resignation,” “retirement,” or “other,” indicating that the process is in fact completed for retirees.

In addition, there is no documented guidance available to employees that specifies procedures to be followed when an employee is separated from the MBTA.

The MBTA was significantly delayed in terminating former employees’ security access by deactivating their employee access ID cards. The delays gave individuals continued access to MBTA facilities and properties for months and even years after separation.

Specifically, the MBTA did not disable the security access of 47 employees who left the agency during our audit period. These former employees retained unauthorized general perimeter access⁵ to MBTA facilities for periods ranging from 108 to 717 days after separation.

In cases where the MBTA did disable the security access of terminated employees, we found significant lag time between employees’ termination dates and the dates their security access was disabled. We reviewed security access control system data and found that it took as long as 626 days after separation for these employees’ access to be disabled. On average, it took 136 days.

The table below summarizes the lag times between employees’ termination dates and the dates their security access was disabled.

Security Access Removal Lag Time

Former employees with unauthorized access to secure areas of MBTA facilities could put MBTA facilities and property, and the safety of its workers, at risk. As a result of this issue and the issue discussed in Finding 1a, we found 85 instances (involving 35 individuals) where former MBTA employees physically accessed MBTA facilities after their effective termination dates.

Authoritative Guidance

As a best practice to prevent unauthorized access, it is critical that security access be promptly disabled upon an employee’s termination. Many organizations endorse such a practice; for instance, the National Institute of Standards and Technology’s Special Publication 800-53r4 states that upon termination of a person’s employment, organizations should “[terminate/revoke] any authenticators/credentials associated with the individual.”

Reasons for Issues

The MBTA has not established authority-wide policies and procedures for the processing of terminated employees.

The MBTA also has not established adequate monitoring controls to ensure that security access for separated employees is promptly disabled. Further, the MBTA has not established a specific timeframe for the revocation of security access for separating employees.

MBTA officials told us that there was a breakdown in communication between HR and the Security and Emergency Management Department. Before October 2018, notifications of employee terminations from HR to the Security and Emergency Management Department were sporadic and inconsistent. Starting in October 2018, HR began communicating employee terminations to the Security and Emergency Management Department daily.

Upon receiving separation information from department heads, HR enters it in the Human Resource / Compensation Management System, processing the employee termination. At this point, the employee’s name will appear on a termination report that is distributed to the Security and Emergency Management Department, which is responsible for disabling terminated employees’ physical access. However, MBTA officials also told us that separation documentation that is necessary to finalize an employee separation is not always submitted to HR promptly and that this delays the process.

1. The MBTA should perform an immediate review of the status of all employees and deactivate security access for those who no longer require access and/or are not authorized to have it.
   
   This has already been done via an internal audit: in addition, the in-progress . . . identity management initiative will ensure consistency going forward for employees.
    
2. The MBTA should develop and implement an authority-wide policy and detailed procedure for the processing of terminated employees. At a minimum, it should address the frequency of exit interviews; individual department roles; the processing of required separation documentation; and the retrieval, disabling, and destruction of employee access ID cards within a defined timeframe. Supporting documentation should be kept on file for returned and destroyed cards.
   
   The MBTA agrees with the recommendation and will assess the best means to expediently implement a solution.
    
3. The MBTA should develop and implement monitoring controls to ensure that security access for separated employees is promptly disabled.
   
   [The identity management solution] integration with [the electronic access control system] will fully address this concern and is expected to be operational in February of 2020.

In addition to the comments above, the MBTA provided specific comments about some of the issues identified.

Finding 1b

During the audited period, a separate internal audit was conducted which resulted in a large number of cardholder deactivations; this severely skews the data on average time to disable a card. The internal review period was from October 2017 to October 2018. Since that review, the MBTA has changed the request and tracking processes to an online ticketing system. . . . The audit results do not account for these changes, which occurred after October 2018.

Cardholder deactivations depend on timely flow of information between departments, which can vary due to a variety of factors.

Some of the 47 employees referenced as having not been disabled despite leaving the Authority may have transitioned from employee to contractor, or to MassDOT / Shared Service roles, which would leave their original employee ID in the system, even if their card type changed (which it typically would).

Since the MBTA’s use of [an online ticketing system] for security related requests began, the turnaround time is an average of 1–2 days for access-related requests, with termination reports being a priority ticket. . . .

[The identity management solution] will automate and create a 24-hour process. High risk terminations are, and will continue to be, processed immediately by manual request.

Finding 1b

The results of our audit testing in this area are based on information that we obtained from the MBTA and the systems that were used to administer the employee termination process during our audit period. Whether or not the average time to deactivate a card was somehow skewed, a problem exists in this area that needs to be addressed by the MBTA.

As noted in our report, the MBTA did not disable the security access of 47 employees who left the agency during our audit period. In their response, MBTA officials indicated that some of these 47 employees may have transitioned from employee to contractor or to MassDOT / Shared Service roles. However, upon identifying this issue, we provided a list of the 47 employees to HR, which confirmed that each person had been terminated and was no longer working in any capacity at the MBTA. Thus there was no indication that these individuals should have had access to MBTA facilities at the time of our audit work.

Based on its response, the MBTA is taking appropriate measures to address our concerns.