Laserfiche WebLink
COUNTY OF HAWAII <br /> STATE OF HAWAII <br /> Status of Prior Year Findings and Recommendations <br /> Fiscal year ended June 30, 2009 <br /> ACCESS TO PROGRAMS AND DATA <br /> We noted the following issues related to information technology (IT) general controls regarding access to <br /> programs and data: <br /> • Information Security Policy — A County -wide information security policy has not been documented, <br /> approved by management, and communicated throughout the organization. As a result, IT procedures <br /> may be performed inconsistently and users will be less likely to adhere to appropriate IT practices. <br /> • Passwords — Network password parameters for the IAS application do not require complexity. Ineffective <br /> password settings increase the risk of unauthorized access to the system and could ultimately compromise <br /> the integrity of the data, affecting the financial reporting and business decisions based on this data. <br /> • User Access — Functional users of key IT applications were noted as also having administrator access. <br /> Functional users that have the ability to perform security administration functions, such as provisioning of <br /> user access, may be able to override segregation of duty controls within the application. <br /> • Review of User Access — A periodic review of active users and user access rights to identify and remove <br /> inappropriate system access for key IT applications is not performed. Further, a periodic review of <br /> functional roles within the County to identify process changes and potential segregation of duty conflicts <br /> is not performed. User reviews should be performed periodically by the Department of Data Systems to <br /> help ensure that all users in the system are appropriate and that job transfers and employee terminations <br /> have been appropriately updated in the system. <br /> • Physical Access — Physical access to the server room hosting the IAS application is not restricted at all <br /> times. The physical access control mechanisms currently in place do not enable the appropriate County <br /> employees to monitor access to the server room. <br /> Recommendation <br /> We recommend that the Department of Data Systems take the following steps in addressing the issues noted <br /> above, as follows: <br /> • Information Security Policy — Management should document, approve, and communicate a formal <br /> information security policy. The policy should be reviewed by management on an annual basis and <br /> evidenced via sign -off of the reviewer(s). <br /> 4 (Continued) <br />