Laserfiche WebLink
CORRECTIVE ACTION PLAN <br />Financial Statement Findings: <br />2014-001 Logical Access & Access Security - Significant Deficiency <br />Recommendation: We recommend that the County: <br />1. Strengthen password controls for the IAS and ReCo systems that include a <br />combination of minimum length, complexity, expiration, history, and lockout <br />policy and duration. As a compensating control to mitigate the lack of <br />functionality in the IAS and ReCo systems, strengthen the domain password <br />parameters and security settings to increase the minimum password age and <br />lockout duration requirements. <br />2. Develop an information security policy, have the policy approved by the <br />appropriate level of management and communicate the policy to employees. <br />County's Comment: <br />1) Inadequate password parameters and security settings for IAS and ReCo, <br />password age and lockout parameters that could be further strengthened. <br />o To our knowledge the complexity restrictions are a limitation of the <br />existing IAS and ReCo software. However, ReCo is scheduled to get a <br />more complex password control in April 2015 and the County will be <br />upgrading to a cloud based system in June 2015 for IAS, which will <br />address this issue. <br />2) The County did not have any formally documented security administration <br />policies and procedures. <br />o The County's Department of Information Technology is sending staff for <br />training in the coming weeks on how to write and implement rules and <br />procedures to address the current limited written policies and procedures. <br />Anticipated Completion Date: Some items will be corrected by June 30, 2015 and <br />others will be an ongoing effort as we strive to improve our internal controls over <br />information technology. <br />Contact People: Don Jacobs, Director of Information Technology <br />Stan Sitko, Real Property Tax Administrator <br />34 <br />