Offered by: Office of the State Auditor

The MRB had Inadequate Logical Access Controls for its Automated License and Registration System

The audit found that MRB lacked proper logical access controls for ALARS and did not regularly review employee access rights.


Overview

The Merit Rating Board (MRB) did not have adequate logical access controls for its Automated License and Registration System (ALARS). Without such controls, there is a risk that data in the system may be corrupted or manipulated by former employees who did not have their access removed upon termination. Furthermore, without proper and regular review of access rights, MRB increases the risk that a terminated employee’s account could be compromised and used to manipulate data in ALARS.

MRB did not have Policies & Procedures to Remove Access Rights to ALARS for Terminated Employees

Six of the nine employees terminated during our audit period did not have their access to ALARS revoked immediately upon termination of employment. One terminated employee retained access for 140 days after leaving, and the other five retained access for more than 3 days after leaving. This increases the risk of terminated employees improperly accessing and/or altering personal information in ALARS such as names, addresses, driver’s license numbers, dates of birth, and driving records.


Authoritative Guidance

The Massachusetts Office of Information Technology (MassIT) requires all executive department agencies and any agency or third party that connects to the Commonwealth’s wide-area network, Massachusetts Access to Government Networks, to comply with its Enterprise Information Security Policy, which states,

Agencies are required to ensure that employees, contractors and third party users understand their security responsibilities and have the requisite skills and knowledge to ensure the effective execution of the roles they are assigned to reduce the risk of unauthorized access, use or modification of IT Resources (theft, fraud or misuse of facilities), including . . .

  • Removal of access rights upon termination of employment. [Emphasis added.]


Reasons for Noncompliance

The Massachusetts Department of Transportation’s (MassDOT’s) information security program (ISP) establishes a timeframe to revoke access for terminated employees who handle electronic payments, but does not define a specific timeframe for the revocation of access for other employees, such as those who work at MRB. In addition, MRB did not have its own logical access security policies and procedures to supplement MassDOT’s ISP.

MRB did not Review Employee Access Rights to ALARS Quarterly

MRB did not establish a process for reviewing employee access rights quarterly, so there was no verification that the user accounts were limited to the fewest privileges necessary for employees’ job duties. This increases the risk of some employees having access to and/or altering personal information in ALARS beyond what their job duties require.


Authoritative Guidance

MassDOT’s ISP states,

A quarterly (every three [3] months) review of all accounts, including remote access accounts, will be conducted to ensure that the accounts are still necessary and access rights are limited to the least privileges to meet business need. [Emphasis added.]


Reasons for Noncompliance

Managers monitored ALARS users monthly but were not given reports at least quarterly that identified access rights granted to each user. Without this information, they could not properly review and approve access rights for all employees.

Recommendations

  1. MRB should define a specific timeframe to revoke terminated employees’ access to ALARS. It should also develop its own logical access security policies and procedures to supplement MassDOT’s ISP.
  2. MRB should develop and implement a process to review the access rights for all ALARS user accounts and work with the MassDOT Information Technology Division (MassDOT IT) to obtain the information necessary to perform this activity. MRB should include each user’s access rights in its monthly ALARS reports to managers, or establish a review process at least quarterly, to ensure that users’ access rights are limited to their individual job requirements.
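As an added illustration, not part of the audit report or of MassDOT’s ISP, the following script expresses the two controls the recommendations call for as checks that can be run against the data MassDOT IT would supply: a termination-lag check (was access removed within a defined number of days, and is any terminated user’s account still enabled?) and a least-privilege review (does any enabled account hold privileges beyond the baseline for its job role?). The user names, dates, role names, privilege names and the one-day revocation threshold are all constructed assumptions; they are not ALARS identifiers or figures from the audit.

```python
# Added example (not from the audit report): termination-lag check and
# least-privilege access review over constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed role baseline: the fewest privileges each job role needs.
# Role and privilege names are hypothetical, not ALARS identifiers.
ROLE_BASELINE: Dict[str, FrozenSet[str]] = {
    "clerk": frozenset({"read_record"}),
    "examiner": frozenset({"read_record", "update_record"}),
    "supervisor": frozenset({"read_record", "update_record", "approve_change"}),
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    privileges: FrozenSet[str]
    enabled: bool


@dataclass(frozen=True)
class Termination:
    user: str
    terminated_on: date
    access_removed_on: Optional[date]  # None means access was never removed


def revocation_lag_days(t: Termination, as_of: date) -> int:
    """Days the account stayed live after termination; measured up to as_of if still open."""
    end = t.access_removed_on if t.access_removed_on is not None else as_of
    return (end - t.terminated_on).days


def late_revocations(terms: List[Termination], as_of: date, max_days: int) -> List[Tuple[str, int, bool]]:
    """(user, lag_in_days, still_open) for every termination revoked later than max_days, worst first."""
    late = []
    for t in terms:
        lag = revocation_lag_days(t, as_of)
        if lag > max_days:
            late.append((t.user, lag, t.access_removed_on is None))
    return sorted(late, key=lambda row: -row[1])


def orphaned_accounts(accounts: List[Account], terms: List[Termination]) -> List[str]:
    """Enabled accounts that belong to terminated users: the exposure the finding describes."""
    gone = {t.user for t in terms}
    return sorted(a.user for a in accounts if a.enabled and a.user in gone)


def excess_privileges(accounts: List[Account]) -> Dict[str, FrozenSet[str]]:
    """Privileges each enabled account holds beyond its role baseline.
    A role with no baseline gets every privilege reported, since none is justified."""
    findings: Dict[str, FrozenSet[str]] = {}
    for a in accounts:
        if not a.enabled:
            continue
        extra = a.privileges - ROLE_BASELINE.get(a.role, frozenset())
        if extra:
            findings[a.user] = extra
    return findings


def quarterly_review(accounts: List[Account], terms: List[Termination], as_of: date, max_days: int = 1) -> dict:
    """The report a manager would sign off on each quarter."""
    return {
        "late_revocations": late_revocations(terms, as_of, max_days),
        "orphaned_accounts": orphaned_accounts(accounts, terms),
        "excess_privileges": excess_privileges(accounts),
    }


# Constructed sample data (hypothetical users and dates, not audit figures).
AS_OF = date(2017, 6, 30)
TERMINATIONS = [
    Termination("u01", date(2017, 1, 10), date(2017, 5, 30)),  # 140 days late
    Termination("u02", date(2017, 2, 1), date(2017, 2, 6)),
    Termination("u03", date(2017, 3, 1), date(2017, 3, 5)),
    Termination("u04", date(2017, 3, 15), date(2017, 3, 22)),
    Termination("u05", date(2017, 4, 3), None),  # never removed
    Termination("u06", date(2017, 4, 10), date(2017, 4, 16)),
    Termination("u07", date(2017, 5, 1), date(2017, 5, 1)),
    Termination("u08", date(2017, 5, 8), date(2017, 5, 8)),
    Termination("u09", date(2017, 5, 15), date(2017, 5, 16)),
]
ACCOUNTS = [
    Account("u01", "clerk", frozenset({"read_record"}), False),
    Account("u05", "examiner", frozenset({"read_record", "update_record"}), True),
    Account("u10", "clerk", frozenset({"read_record", "update_record"}), True),
    Account("u11", "examiner", frozenset({"read_record", "update_record"}), True),
    Account("u12", "supervisor", frozenset({"read_record", "update_record", "approve_change"}), True),
    Account("u13", "contractor", frozenset({"read_record"}), True),
]

if __name__ == "__main__":
    for section, rows in quarterly_review(ACCOUNTS, TERMINATIONS, AS_OF).items():
        print(section, rows)
```

The termination check needs two inputs that the finding says MRB did not line up: the HR termination roster and the account list with removal dates from MassDOT IT. The privilege review needs a written role baseline; without one, "least privileges to meet business need" cannot be tested, which is why an account whose role has no baseline is reported in full rather than silently passed.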

Auditee’s Response

The Merit Rating Board does not have any control over who has access to ALARS. Merit Rating Board only makes requests for access. Merit Rating Board is totally dependent on MASSDOT IT for establishing and maintaining access to ALARS for the Merit Rating Board. . . .

The recommendation that the Merit Rating Board establish better review procedures for checking on ALARS for terminated employees is reasonable.

Auditor’s Reply

As noted above, MRB did not have policies and procedures in place to remove access rights from ALARS when employees were terminated. Although MassDOT IT may be responsible for actually initiating and removing these access rights, MRB is responsible for establishing the access rights for its employees, monitoring its accounts, and asking MassDOT IT to modify or terminate these rights in a timely manner as necessary. Without such controls, there is a risk that data in the system may be corrupted or manipulated by former employees and that a terminated employee’s account could be compromised and used to manipulate data in ALARS.

Date published: February 1, 2018
