Offered by the Office of the State Auditor

The Department of Transitional Assistance (DTA) Did Not Revoke Terminated Employees’ Access to One of Its Systems in a Timely Manner.

Some employees continued to have access to the system for more than three weeks after they were terminated.


Overview

Four out of 25 employees in our nonstatistical sample of employees who were terminated by the Department of Transitional Assistance (DTA) between July 1, 2018 and June 30, 2019 did not have their access to DTA’s Benefit Eligibility and Control Online Network (BEACON) system revoked within 24 business hours (three business days) after their termination date. These employees had active accounts in BEACON for 6 to 23 days after their termination dates. This increases the risk that terminated employees could extract personally identifiable information (PII) from the system.

Authoritative Guidance

The American Institute of Certified Public Accountants’ document Trust Services Criteria establishes the following best practice: “User system credentials are removed when user access is no longer authorized.”

Section 6.1.6.2.1 of Executive Office of Technology Services and Security (EOTSS) information security standard IS.003, “Access Management,” effective October 15, 2018, states that upon termination, users’ access to information systems must be “removed within 24 business hours.” Therefore, we used an allowable error of 24 business hours (three business days) in our test.

Reasons for Noncompliance

DTA relies on managers to manually notify DTA’s information technology (IT) security team of employee terminations, and this was not always done in a timely manner. DTA uses the Commonwealth’s Human Resource Compensation Management System, which does not have automated controls to notify BEACON or the security team when an employee is terminated.

Recommendations

  1. DTA should implement additional controls to ensure that access is terminated in a timely manner after an employee is terminated.
  2. DTA should consider controls to automatically notify the security team when employees are terminated.

Auditee’s Response

The Executive Office of Health and Human Services (EOHHS) provided the following response on DTA’s behalf.

To meet the needs of the FY2018 Single State Audit remediation plan, the following additional measures were undertaken:

  • DTA’s Human Resource Department notifies the DTA Security Team of terminations, or the lack thereof, on a weekly basis.
  • A quarterly review of terminations is conducted by DTA Application Security Management.
  • A further review on any user terminations that were not completed within the agreed upon time frame is conducted to ensure that the user did not access the system after their termination date.
  • DTA’s Security Officer and Internal Controls Officer meet to review the results of the quarterly termination review and any terminations that were not completed within the agreed upon time frame are reported to DTA’s Commissioner, Chief Operating Officer, Assistant Chief Information Officer and the EOHHS Chief Security Officer.

Because of these additional controls, in the most recent Quarterly Termination Review, DTA was in full compliance with Section 6.1.6.2.1 of the EOTSS information security standard IS.003 “Access Management.” DTA had no users who were not inactivated within 3 business days (24 working hours).

DTA and EOHHS IT agree with your recommendation that automatic notification to the security team should occur when employees are terminated and believe that DTA would benefit greatly if the State’s Human Resource Division updated the HRCMS System to provide this additional functionality.
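The audit test described in the Overview and the quarterly termination review described in the response above amount to the same reconciliation: match each HR termination to the application account, count the business days until deactivation, flag anything over the three-business-day (24 business hour) limit, and check whether a late-deactivated account was used after the termination date. The following is an added example of that reconciliation; it is not code from DTA, EOHHS or OSA. The record layout, the field names, the treatment of Monday to Friday as business days (holidays are not modelled) and all sample records are assumptions constructed for the example.

```python
# Added example: reconciling HR terminations against application account status,
# in the spirit of the audit test and the quarterly termination review described
# on this page. Not code from DTA, EOHHS or OSA. Field names and all records are
# constructed assumptions.
from datetime import date, timedelta

# EOTSS IS.003 6.1.6.2.1, as quoted on the page: access removed within
# 24 business hours, i.e. three business days.
ALLOWED_BUSINESS_DAYS = 3


def business_days_between(start: date, end: date) -> int:
    """Count Monday-Friday days after `start` up to and including `end`.

    Holidays are not modelled (assumption). Returns 0 when end <= start.
    """
    days = 0
    d = start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:  # 0..4 = Mon..Fri
            days += 1
    return days


def reconcile(terminations, accounts, logins, review_date):
    """Return one finding per terminated employee.

    terminations: [{"user", "terminated_on"}] from HR (constructed layout).
    accounts:     [{"user", "deactivated_on" or None}] from the application.
    logins:       [{"user", "on"}] authentication events for the application.
    An account with no deactivation date is measured up to `review_date`
    and reported as still active.
    """
    account_by_user = {a["user"]: a for a in accounts}
    findings = []
    for t in terminations:
        acct = account_by_user.get(t["user"], {})
        deactivated_on = acct.get("deactivated_on")
        measured_to = deactivated_on or review_date
        lag = business_days_between(t["terminated_on"], measured_to)
        post_termination_logins = sorted(
            l["on"] for l in logins
            if l["user"] == t["user"] and l["on"] > t["terminated_on"]
        )
        findings.append({
            "user": t["user"],
            "terminated_on": t["terminated_on"],
            "deactivated_on": deactivated_on,
            "still_active": deactivated_on is None,
            "business_days_to_deactivate": lag,
            "late": lag > ALLOWED_BUSINESS_DAYS,
            "post_termination_logins": post_termination_logins,
        })
    return findings


def exceptions(findings):
    """Findings that need follow-up: late deactivation or post-termination use."""
    return [f for f in findings if f["late"] or f["post_termination_logins"]]


# Constructed sample data (not from the report).
REVIEW_DATE = date(2019, 4, 1)  # Monday
TERMINATIONS = [
    {"user": "alice", "terminated_on": date(2019, 3, 4)},   # Mon
    {"user": "bob",   "terminated_on": date(2019, 3, 8)},   # Fri
    {"user": "carol", "terminated_on": date(2019, 3, 11)},  # Mon
    {"user": "dave",  "terminated_on": date(2019, 3, 20)},  # Wed
]
ACCOUNTS = [
    {"user": "alice", "deactivated_on": date(2019, 3, 5)},   # next day: 1 business day
    {"user": "bob",   "deactivated_on": date(2019, 3, 13)},  # Mon-Wed after a Friday: exactly 3
    {"user": "carol", "deactivated_on": date(2019, 3, 28)},  # 13 business days: late
    {"user": "dave",  "deactivated_on": None},               # never deactivated: still active
]
LOGINS = [
    {"user": "alice", "on": date(2019, 3, 1)},   # before termination: ignored
    {"user": "carol", "on": date(2019, 3, 15)},  # after termination: must be investigated
]

if __name__ == "__main__":
    for f in exceptions(reconcile(TERMINATIONS, ACCOUNTS, LOGINS, REVIEW_DATE)):
        status = "STILL ACTIVE" if f["still_active"] else f"deactivated {f['deactivated_on']}"
        print(f"{f['user']}: terminated {f['terminated_on']}, {status}, "
              f"{f['business_days_to_deactivate']} business days, "
              f"post-termination logins: {f['post_termination_logins']}")
```

On the sample data the exceptions list contains carol (deactivated after 13 business days, with one login after the termination date) and dave (never deactivated, 8 business days and counting at the review date); bob, whose Friday termination was processed by the following Wednesday, sits exactly at the three-business-day limit and is compliant. The post-termination login check is what turns a late-deactivation finding into a question of whether data was actually accessed, which is the follow-up the response describes.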

Auditor’s Reply

Based on its response, DTA has taken measures to address our concerns in this area. The Office of the State Auditor (OSA) has not examined the results of the most recent quarterly review and therefore cannot conclude on the sufficiency of controls implemented after our audit.

Date published: January 6, 2020
