My WebLink
|
Help
|
About
|
Sign Out
Home
COM 0939.000 2008-2010
ClerkCouncil
>
Council Records
>
Communications
>
2008-2010
>
COM 0939.000 2008-2010
Metadata
Thumbnails
Annotations
Entry Properties
Last modified
9/23/2010 9:43:22 AM
Creation date
9/10/2010 11:40:31 AM
Metadata
Fields
Template:
Communications
Communications - Type
COM
Communications - Council Term
2008-2010
Communication
0939
Point
000
Author
Colleen Schrandt, Legislative Auditor
Communications - Referred To
FC
Comments
FC: Close file - 9/20/10
Document Relationships
AGE FC 09/20/2010 2008-2010
(Related)
Path:
\Council Records\Agendas\2008-2010\Finance Committee (FC)
There are no annotations on this page.
Document management portal powered by Laserfiche WebLink 9 © 1998-2015
Laserfiche.
All rights reserved.
/
151
PDF
Print
Pages to print
Enter page numbers and/or page ranges separated by commas. For example, 1,3,5-12.
After downloading, print the document using a PDF reader (e.g. Adobe Reader).
View images
View plain text
COUNTY OF HAWAII <br /> STATE OF HAWAII <br /> Status of Prior Year Findings and Recommendations <br /> Fiscal year ended June 30, 2009 <br /> ACCESS TO PROGRAMS AND DATA <br /> We noted the following issues related to information technology (IT) general controls regarding access to <br /> programs and data: <br /> • Information Security Policy — A County -wide information security policy has not been documented, <br /> approved by management, and communicated throughout the organization. As a result, IT procedures <br /> may be performed inconsistently and users will be less likely to adhere to appropriate IT practices. <br /> • Passwords — Network password parameters for the IAS application do not require complexity. Ineffective <br /> password settings increase the risk of unauthorized access to the system and could ultimately compromise <br /> the integrity of the data, affecting the financial reporting and business decisions based on this data. <br /> • User Access — Functional users of key IT applications were noted as also having administrator access. <br /> Functional users that have the ability to perform security administration functions, such as provisioning of <br /> user access, may be able to override segregation of duty controls within the application. <br /> • Review of User Access — A periodic review of active users and user access rights to identify and remove <br /> inappropriate system access for key IT applications is not performed. Further, a periodic review of <br /> functional roles within the County to identify process changes and potential segregation of duty conflicts <br /> is not performed. User reviews should be performed periodically by the Department of Data Systems to <br /> help ensure that all users in the system are appropriate and that job transfers and employee terminations <br /> have been appropriately updated in the system. <br /> • Physical Access — Physical access to the server room hosting the IAS application is not restricted at all <br /> times. The physical access control mechanisms currently in place do not enable the appropriate County <br /> employees to monitor access to the server room. <br /> Recommendation <br /> We recommend that the Department of Data Systems take the following steps in addressing the issues noted <br /> above, as follows: <br /> • Information Security Policy — Management should document, approve, and communicate a formal <br /> information security policy. The policy should be reviewed by management on an annual basis and <br /> evidenced via sign -off of the reviewer(s). <br /> 4 (Continued) <br />
The URL can be used to link to this page
Your browser does not support the video tag.