My WebLink
|
Help
|
About
|
Sign Out
Home
COM 0520.000 2008-2010
ClerkCouncil
>
Council Records
>
Communications
>
2008-2010
>
COM 0520.000 2008-2010
Metadata
Thumbnails
Annotations
Entry Properties
Last modified
10/13/2009 10:37:20 AM
Creation date
9/8/2009 2:27:04 PM
Metadata
Fields
Template:
Communications
Communications - Type
COM
Communications - Council Term
2008-2010
Communication
0520
Point
000
Author
Colleen M. Schrandt
Communications - Referred To
FC
Comments
FC-91: Recommends acceptance of the Financial Audit and Management Letter for FY 08-09 prepared by KPMG, LLP - 09/15/09; Council: Adopts FC-92 - 10/07/09
Document Relationships
AGE COUNCIL 10/07/2009 2008-2010
(Related To)
Path:
\Council Records\Agendas\2008-2010\Council
AGE FC 09/15/2009 2008-2010
(Related)
Path:
\Council Records\Agendas\2008-2010\Finance Committee (FC)
REP FC 092 09/15/2009 2008-2010
(Related)
Path:
\Council Records\Reports\2008-2010\Finance Committee (FC)
There are no annotations on this page.
Document management portal powered by Laserfiche WebLink 9 © 1998-2015
Laserfiche.
All rights reserved.
/
154
PDF
Print
Pages to print
Enter page numbers and/or page ranges separated by commas. For example, 1,3,5-12.
After downloading, print the document using a PDF reader (e.g. Adobe Reader).
View images
View plain text
a <br />COUNTY OF HAWAII <br />STATE OF HAWAII <br />a Current Year Findings and Recommendations <br />Fiscal year ended June 30, 2008 <br />a <br />ACCESS TO PROGRAMS AND DATA <br />a We noted the following issues related to information technology (IT) general controls regarding access to <br />programs and data: <br />• Information Security Policy - A County-wide information security policy has not been documented, <br />approved by management, and communicated throughout the organization. As a result, IT procedures <br />may be performed inconsistently and users will be less likely to adhere to appropriate IT practices. <br />C • Passwords -Network password parameters for the IAS application do not require complexity. Ineffective <br />password settings increase the risk of unauthorized access to the system and could ultimately compromise <br />the integrity of the data, affecting the financial reporting and business decisions based on this data. <br />• User Access -Functional users of key IT applications were noted as also having administrator access. <br />Functional users that have the ability to perform security administration functions, such as provisioning of <br />user access, may be able to override segregation of duty controls within the application. <br />• Review of User Access - A periodic review of active users and user access rights to identify and remove <br />inappropriate system access for key IT applications is not performed. Further, a periodic review of <br />G functional roles within the County to identify process changes and potential segregation of duty conflicts <br />is not performed. User reviews should be performed periodically by the Department of Data Systems to <br />help ensure that all users in the system are appropriate and that job transfers and employee terminations <br />D have been appropriately updated in the system. <br />• Physical Access -Physical access to the server room hosting the IAS application is not restricted at all <br />times. The physical access control mechanisms currently in place do not enable the appropriate County <br />employees to monitor access to the server room. <br />Recommendation <br />We recommend that the Department of Data Systems take the following steps in addressing the issues noted <br />above, as follows: <br />a • Information Security Policy -Management should document, approve, and communicate a formal <br />information security policy. 'The policy should be reviewed by management on an annual basis and <br />evidenced via sign-off of the reviewer(s). <br />a • Passwords -The following password parameters should be implemented for the IAS application: <br />- Minimum password length of at least six chazacters <br />- Increased complexity of passwords, including the use ofalpha-numeric and special characters <br />- Mandatory password changes every 60 to 90 days <br />- Auto lock-out after three failed log-in attempts (system administrator intervention should be required <br />to unlock the account) <br />4 (Continued) <br />
The URL can be used to link to this page
Your browser does not support the video tag.