Offered by: Office of the State Auditor

The Massachusetts Rehabilitation Commission Is Not Properly Administering Its Contract Management Database.

Audit encourages MRC to take steps to strengthen its processes related to information security.


Overview

We found problems with the manner in which the Massachusetts Rehabilitation Commission (MRC) administered the use of its contract management database (CMDB). The CMDB is maintained by MRC’s Contracts Unit Team and contains copies of all contracts and contract-related information, such as Requests for Responses. The agency uses it to manage the contracting process. As a result of the administrative problems, there is a higher-than-acceptable risk of unauthorized access and/or improper disclosure of information stored in the MRC network and the CMDB.

We found the following specific problems:

  • Three of the 14 employees we tested from the list of terminated employees retained access rights to the MRC network after their dates of termination, for periods ranging from three months to two years.
  • Two out of 13 staff members we tested from the list of active employees should have had their access to the MRC network discontinued because they had been terminated.
  • Screen locks, which should sign users out after a certain amount of inactive time, did not work.
  • Users were allowed seven unsuccessful login attempts before being locked out.
  • Nineteen out of 25 employees we reviewed had not received their annual security awareness training.
  • MRC did not maintain audit logs to support after-the-fact investigations of security incidents.

In addition, MRC did not properly monitor Eastern Resource Group, the third-party administrator of the CMDB, to ensure compliance with the relevant information system policies and procedures.
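The first two findings above are the kind of condition a periodic reconciliation of the HR termination list against the network directory would surface, and the screen-lock and login-attempt findings are a comparison of observed settings against the EOHHS values quoted below. The following Python is an added illustration of both checks, not code from the audit or from MRC's systems; the user IDs, dates and observed settings are constructed sample data.

```python
from datetime import date

# Constructed sample data, not records from the audit: an HR list of
# terminated users with termination dates, and the set of user IDs that
# the network directory still reports as enabled.
TERMINATED = {
    "jdoe": date(2016, 3, 1),
    "asmith": date(2017, 11, 15),
    "bwong": date(2018, 1, 5),
    "clee": date(2017, 6, 30),
}
ACTIVE_ACCOUNTS = {"jdoe", "bwong", "clee", "mrivera", "tnguyen"}
AS_OF = date(2018, 7, 3)  # review date used for the age calculation

# Observed workstation/domain settings (constructed) versus the EOHHS values
# quoted in the finding: 15-minute session lock (6.1.9) and three invalid
# logins per 60 minutes (6.1.7). None means the control is not configured.
OBSERVED = {"session_lock_minutes": None, "lockout_threshold": 7, "lockout_window_minutes": 60}
REQUIRED = {"session_lock_minutes": 15, "lockout_threshold": 3, "lockout_window_minutes": 60}


def retained_access(terminated, active, as_of):
    """Map each terminated user still enabled in the directory to the number
    of days the account outlived the termination date."""
    return {
        user: (as_of - term_date).days
        for user, term_date in terminated.items()
        if user in active and as_of > term_date
    }


def policy_gaps(observed, required=REQUIRED):
    """List settings weaker than the standard. The session-lock timeout and
    lockout threshold must not exceed the standard; the lockout window must
    be at least as long as the standard's 60 minutes."""
    gaps = []
    for key, limit in required.items():
        value = observed.get(key)
        too_weak = value is None or (
            value < limit if key == "lockout_window_minutes" else value > limit
        )
        if too_weak:
            gaps.append(f"{key}: observed {value}, standard {limit}")
    return gaps


if __name__ == "__main__":
    for user, days in sorted(retained_access(TERMINATED, ACTIVE_ACCOUNTS, AS_OF).items()):
        print(f"{user}: still enabled {days} days after termination")
    for gap in policy_gaps(OBSERVED):
        print("policy gap:", gap)
```

Running the reconciliation quarterly, as MRC commits to in its response, turns the one-time audit sample into a standing monitoring control.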

Authoritative Guidance

The Executive Office of Health and Human Services (EOHHS) information technology (IT) Information Security Management Program Standards, dated November 2015, apply to all agencies within EOHHS, including MRC. Regarding access controls for terminated users, Section 6.1.2 of the standards states,

EOHHS manages information system accounts as follows . . .

(g)  User managers will notify the Help Desk and/or the system account manager when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;

(h)  The Help Desk will deactivate accounts of terminated or transferred users when a documented and approved request is completed.

Section 6.1.9 requires the following for screen locks:

EOHHS systems will:

  • Prevent further access to the system by initiating a session lock after 15 minutes of inactivity or upon receiving a request from a user.

Regarding unsuccessful login attempts, Section 6.1.7 states,

EOHHS requires that each system or application:

  • Enforces a limit of three (3) consecutive invalid login attempts by a user during a 60 minute period.

Section 6.2.2 discusses security awareness training:

EOHHS and its agencies will provide basic security awareness training to all users of EOHHS resources as a part of initial training for new users, as system changes occur and annually thereafter.

On audit logs, the standards state,

6.1.2.4 AC-2(4) Automated Audit Action

EOHHS requires the auditing/logging of user account activity to include: account creation, modification and disabling of accounts with proper notice sent to managers and other appropriate staff. . . .

6.3.10 AU-11 Audit Record Retention

EOHHS and its agencies will retain audit records for seven years to provide support for after-the-fact investigations of security incidents and to meet regulatory and agency information retention requirements.

Finally, regarding third-party compliance, Section 3.1 states,

EOHHS Department Agencies are required to ensure compliance by third parties in any aspect of the process of providing goods and services to their agency. These include, but are not limited to, electronic data collection, storage, processing, disposal, dissemination and maintenance. Third parties that interact in any way with EOHHS IT Resources are required to comply with this policy.

Additionally, the Executive Office of Technology Services and Security (EOTSS) Enterprise Information Security Policy dated March 2014, with which all executive department agencies must comply, confirms these policies:

It is the responsibility of Agency Heads to have controls in place and in effect that provide reasonable assurance that security objectives are addressed. The Agency Head has the responsibility to exercise due diligence in the adoption of this framework. Agencies must achieve compliance with the overall information security goals of the Commonwealth including compliance with laws, regulations, policies and standards to which their technology resources and data, including but not limited to personal information, are subject.

Reasons for Noncompliance

MRC has not established monitoring controls to ensure that its staff members comply with EOHHS’s IT Information Security Management Program Standards.

Recommendations

  1. MRC should immediately address the issues of noncompliance we identified during our audit and take the measures necessary to ensure that its staff members comply with all of EOHHS’s Information Security Management Program Standards, including establishing monitoring controls to monitor adherence to these standards.
  2. MRC should implement a monitoring process for third-party vendors to ensure compliance with the Commonwealth’s information security control requirements as established by both EOHHS and EOTSS IT policies.

Auditee’s Response

In response to this audit finding, MRC provided the comments below as well as timelines by which the indicated corrective measures would be completed.

MRC is creating policies and an implementation plan to be in compliance with Section 3.1 of the Executive Office of Health and Human Services (EOHHS) information technology (IT) Information Security Management Program Standards.

Program managers responsible for the contracts will be trained by the end of the second quarter of fiscal year 2019 on the policy and vendor reviews.

MRC will review the policies with all third-party IT vendors and develop a monitoring process to ensure compliance with information security control requirements of EOHHS and EOTSS.

MRC, in collaboration with the EOHHS Information Technology Division, is strengthening its offboarding process to ensure that upon termination an employee’s access to systems and networks will be terminated. MRC will create and implement a policy that validates and communicates to responsible parties when an employee is terminated and the system and network access that must be discontinued.

MRC is reviewing all profiles to ensure only active employees remain, and that active employees only have access to those systems they need to perform their function. This will be completed no later than July 27, 2018.

Training on these policies and forms will be completed by the end of the first quarter of fiscal year 2019 for all employees responsible in the off/on-boarding process.

MRC will review all network users quarterly to ensure compliance. . . .

MRC has reviewed findings with EOHHS Information Technology Division [and] submitted a request for the configurations of all computers to be updated. The configuration build is in process. . . .

The Executive Office of Technology Services and Security recently released a mandatory Security Training for all Commonwealth Employees. MRC required the training to be done no later than June 15. MRC will review records to ensure that all users have completed their annual training.

Date published: July 3, 2018
