This page is offered by the Office of the State Auditor.

The Massachusetts Water Resources Authority Did Not Revoke Employees’ and Contractors’ Access to Its Administrative Computer Network After Their Employment or Contracted Work Ended.


Overview

During the audit period, MWRA did not revoke access to its administrative computer network within 24 business hours for 11 out of 35 employees upon the end of their employment. Additionally, the SPOC did not inform the MIS Department about eight out of eight contractors whose contracts had ended (and that, therefore, their access should be revoked).

As a result, MWRA’s administrative computer network is exposed to unauthorized use or misuse by former employees and contractors whose accounts remained active after their employment or contracts ended.

Authoritative Guidance

According to MWRA’s Policy ADM.31,

MWRA shall ensure that all of its employees, contractors, and third party users understand their security responsibilities and have the requisite skills and knowledge to perform effectively in the roles they are assigned, and to reduce the risk of unauthorized access, use, or modification of [information technology] resources (theft, fraud or misuse of facilities).

According to Executive Office of Technology Services and Security’s Access Management Standard IS.003,

6.1.8.3 If the termination date of personnel is known in advance, the respective access privileges — specifically those with access to confidential information — shall be configured to terminate automatically.

6.1.8.3.1 If not, access must be manually removed within 24 business hours.

Although MWRA is not required to follow this standard, we consider it a best practice.

MWRA officials told us in an email, dated September 19, 2022, that a SPOC requests the type of user access needed and updates the MIS Department on contractors’ user access statuses.

Reasons for Issue

MWRA did not have a written policy that includes monitoring controls and a specific timeframe to ensure that the SPOC informed the MIS Department about MWRA employees whose employment had ended and contractors whose contracts had ended.

Recommendation

MWRA should develop a written policy that includes monitoring controls and a 24–business hour timeframe to ensure that the SPOC informs the MIS Department about MWRA employees whose employment has ended and contractors whose contracts have ended. MWRA should also train its employees on how to implement and follow this policy.
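The monitoring control recommended above, and the 24-business-hour window from IS.003 6.1.8.3.1, can be checked mechanically by reconciling the HR or SPOC separation list against directory account state. The script below is an added illustration, not code from the audit report or from MWRA. It assumes a business day of Monday to Friday, 09:00 to 17:00 with no holidays (so 24 business hours is three full business days; the report does not define the term), and uses constructed sample records: two separated employees and one contractor whose contract has ended.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional

# Assumption (not defined in the audit report): a business day is Monday to
# Friday, 09:00-17:00, with no holidays unless listed here; 24 business hours
# therefore spans three full business days.
BUSINESS_OPEN = time(9, 0)
BUSINESS_CLOSE = time(17, 0)
HOLIDAYS = set()            # add date(...) entries for observed holidays
REVOCATION_WINDOW_HOURS = 24


def is_business_day(d: date) -> bool:
    return d.weekday() < 5 and d not in HOLIDAYS


def business_deadline(start: datetime, hours: float = REVOCATION_WINDOW_HOURS) -> datetime:
    """Return the instant that lies `hours` business hours after `start`.

    Time outside business hours (evenings, weekends, holidays) does not count,
    so a Friday 16:00 separation gets a Wednesday 16:00 deadline.
    """
    remaining = timedelta(hours=hours)
    cur = start
    while True:
        day_open = datetime.combine(cur.date(), BUSINESS_OPEN)
        day_close = datetime.combine(cur.date(), BUSINESS_CLOSE)
        if is_business_day(cur.date()) and cur < day_close:
            cur = max(cur, day_open)          # before opening: clock starts at 09:00
            available = day_close - cur
            if remaining <= available:
                return cur + remaining
            remaining -= available
        # roll over to the next calendar day's opening time
        cur = datetime.combine(cur.date() + timedelta(days=1), BUSINESS_OPEN)


def auto_expiry(last_day: date) -> datetime:
    """Expiry to set on an account when the end date is known in advance
    (IS.003 6.1.8.3): access ends at close of business on the last day."""
    return datetime.combine(last_day, BUSINESS_CLOSE)


@dataclass
class Separation:
    user: str
    kind: str                          # "employee" or "contractor"
    ended: datetime                    # employment or contract end
    disabled_at: Optional[datetime]    # when the account was disabled; None = still enabled


@dataclass
class Finding:
    user: str
    kind: str
    deadline: datetime
    status: str                        # "late" or "still_enabled"
    overdue: timedelta


def review_revocations(records, as_of: datetime):
    """Reconcile separations against account state; return one Finding per breach."""
    findings = []
    for r in records:
        deadline = business_deadline(r.ended)
        if r.disabled_at is None:
            if as_of > deadline:
                findings.append(Finding(r.user, r.kind, deadline, "still_enabled", as_of - deadline))
        elif r.disabled_at > deadline:
            findings.append(Finding(r.user, r.kind, deadline, "late", r.disabled_at - deadline))
    return findings


# Constructed sample data (not from the audit): two employees and one contractor.
SAMPLE = [
    Separation("a.smith", "employee",   datetime(2022, 9, 16, 16, 0), datetime(2022, 9, 19, 10, 30)),
    Separation("b.jones", "employee",   datetime(2022, 9, 16, 16, 0), datetime(2022, 9, 23, 9, 0)),
    Separation("c.lee",   "contractor", datetime(2022, 9, 9, 17, 0),  None),
]
AS_OF = datetime(2022, 9, 30, 12, 0)

if __name__ == "__main__":
    for f in review_revocations(SAMPLE, AS_OF):
        print(f"{f.user:8} {f.kind:10} deadline {f.deadline:%Y-%m-%d %H:%M} {f.status} by {f.overdue}")
```

Run as a scheduled job against exported separation and account-status data, the check flags a.smith as compliant, b.jones as disabled 41 hours past the deadline, and c.lee as still enabled more than two weeks later, which is the contractor gap the finding describes. The `auto_expiry` helper covers the other branch of the standard: when the end date is known in advance, set the account expiry up front instead of relying on a manual notification.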

Auditee’s Response

MWRA formalized the MWRA Information Security Policy for Access Control – Administrator, ADM.35, on August 25, 2022, which addresses this finding. An additional Contractor Policy is also in draft that will specifically provide additional detail to address contractor physical access to MWRA facilities and access to the MWRA network as necessary. Appropriate staff will be trained on both policies to ensure that access is revoked in a timely manner for both employees and contractors.

Auditor’s Reply

Based on its response, MWRA is taking measures to address our concerns on this matter.

Date published: August 25, 2023
