Laserfiche WebLink
COUNTY OF HAWAII <br /> STATE OF HAWAII <br /> Status of Prior Year Findings and Recommendations <br /> Fiscal year ended June 30, 2009 <br /> • Passwords — The following password parameters should be implemented for the IAS application: <br /> _ Minimum password length of at least six characters <br /> Increased complexity of passwords, including the use of alphanumeric and special characters <br /> Mandatory password changes every 60 to 90 days <br /> Auto lock -out after three failed log -in attempts (system administrator intervention should be required <br /> to unlock the account) <br /> • User Access — Segregation of duty controls should be implemented so that functional users also do not <br /> have administrator access. <br /> • Review of User Access — Management should conduct periodic reviews of user profiles and templates, as <br /> well as user access to key IT applications. <br /> • Physical Access — The server room hosting the IAS application should remain locked at all times and only <br /> be unlocked when access to the server room is necessary. Also, management may consider implementing <br /> a physical access mechanism that requires a log -on to enhance monitoring and detective controls. <br /> We did not identify a material impact to the financial reporting process as a result of these issues; however, the <br /> County and the Department of Data Systems can take steps toward enhancing and improving their IT general <br /> controls by incorporating the recommendations listed above. <br /> Status <br /> In response to the issues noted above, the Department of Data Systems has responded as follows: <br /> • Information Security Policy — An Information Security Policy Committee has been created to develop <br /> guidelines that will ultimately be used for preparing an information security policy for the County. <br /> • Passwords — The IAS application does not currently have a feature that would make the recommended <br /> changes to the password requirements. The Department of Data Systems will continue to work with their <br /> vendor to determine if it would be possible to add this functionality to their software. <br /> • User Access — Access is inherently limited due to the small number of personnel. However, access will be <br /> monitored to ensure that proper segregation of duties is maintained. <br /> • Review of User Access — Management is currently conducting periodic reviews of user profiles and <br /> templates on a limited basis. The Department of Data Systems will work on implementing these reviews <br /> on a wider scale. <br /> • Physical Access — The server was moved and is now locked in a server room. <br /> 5 <br />