Laserfiche WebLink
a <br />COUNTY OF HAWAII <br />STATE OF HAWAII <br />a Current Year Findings and Recommendations <br />Fiscal year ended June 30, 2008 <br />a <br />ACCESS TO PROGRAMS AND DATA <br />a We noted the following issues related to information technology (IT) general controls regarding access to <br />programs and data: <br />• Information Security Policy - A County-wide information security policy has not been documented, <br />approved by management, and communicated throughout the organization. As a result, IT procedures <br />may be performed inconsistently and users will be less likely to adhere to appropriate IT practices. <br />C • Passwords -Network password parameters for the IAS application do not require complexity. Ineffective <br />password settings increase the risk of unauthorized access to the system and could ultimately compromise <br />the integrity of the data, affecting the financial reporting and business decisions based on this data. <br />• User Access -Functional users of key IT applications were noted as also having administrator access. <br />Functional users that have the ability to perform security administration functions, such as provisioning of <br />user access, may be able to override segregation of duty controls within the application. <br />• Review of User Access - A periodic review of active users and user access rights to identify and remove <br />inappropriate system access for key IT applications is not performed. Further, a periodic review of <br />G functional roles within the County to identify process changes and potential segregation of duty conflicts <br />is not performed. User reviews should be performed periodically by the Department of Data Systems to <br />help ensure that all users in the system are appropriate and that job transfers and employee terminations <br />D have been appropriately updated in the system. <br />• Physical Access -Physical access to the server room hosting the IAS application is not restricted at all <br />times. The physical access control mechanisms currently in place do not enable the appropriate County <br />employees to monitor access to the server room. <br />Recommendation <br />We recommend that the Department of Data Systems take the following steps in addressing the issues noted <br />above, as follows: <br />a • Information Security Policy -Management should document, approve, and communicate a formal <br />information security policy. 'The policy should be reviewed by management on an annual basis and <br />evidenced via sign-off of the reviewer(s). <br />a • Passwords -The following password parameters should be implemented for the IAS application: <br />- Minimum password length of at least six chazacters <br />- Increased complexity of passwords, including the use ofalpha-numeric and special characters <br />- Mandatory password changes every 60 to 90 days <br />- Auto lock-out after three failed log-in attempts (system administrator intervention should be required <br />to unlock the account) <br />4 (Continued) <br />