Loading...
HomeMy WebLinkAbout2015-02 Performance Audit Report: County of Hawai'i Information Technology Asset ManagementCounty of Hawaii Information Technology Asset Management Report No. 2015-02 November 12, 2015 Jt1T ••�F; !4 Office of the Legislative Auditor County of Hawaii 'QrFOF.µASy Dru Mamo Kanuha Chair & Presiding Officer Council District 7 November 12, 2015 V�ti�dnu sr• r qrf OF�HP`� %L'ouUN of 'Pubiat`i Bonnie S. Nims, CGAP Legislative Auditor Business Address 1266 Kamehameha Avenue Suite A-8 Hilo, Hawai `i 96720 OFFICE OF THE LEGISLATIVE AUDITOR 25 Aupuni Street Hilo, Hawaii 96720 * (808) 961-8386 * Fax (808) 961-8905 website: hup://HawaVicounty.Qov e-mail: publiclao(aco.Hawai'i.hi.us The Honorable Dru Kanuha, Council Chairperson and Members of the Hawaii County Council Hawaii County Council 25 Aupuni Street Hilo, Hawaii 96720 Dear Chair Kanuha and Council Members, hi accordance with Hawaii County Charter Section 3-18(d)(2), attached is the Office of the Legislative Auditor's report of our audit of Information Technology (IT) Asset Management. The purpose of the audit was to evaluate the County of Hawai'i's management of IT assets including hardware lifecycle management and software licensing management. Accuity LLP conducted this audit in accordance with Generally Accepted Government Auditing Standards on our behalf. The Department of Information Technology (DIT) follows several IT asset management industry best practices. However, to fully meet industry best practices, the DIT should own all IT assets. hi addition, an IT asset management role should be established to manage the County's IT assets. These are key elements to successful management of IT assets and without these two elements, the County is at an increased risk of security concerns, system instability, helpdesk and County employee inefficiencies, as well as increased hardware and software costs. If you need any further information, please let me know. We would like to thank the Department of Information Technology and Finance Department staff for their assistance and cooperation during this audit. We greatly appreciate all of their valuable time and efforts spent on providing us information. Respectfully, Bonnie S. Nims, CGAP Legislative Auditor cc: William P. Kenoi, Mayor Stewart Maeda, County Clerk Donald Jacobs, Director, Department of Information Technology Deanna Sako, Finance Director Walter Lau, Managing Director Hawai `i County is an Equal Opportunity Provider and Employer In Brief Background Information Technology (IT) asset management is the management of IT assets, including all elements of software and hardware, from the identification of requirements to the disposal of the assets. The IT asset management process typically involves gathering a detailed inventory of an organization's hardware and software and then using that information to make informed decisions about IT - related purchases and redistribution. By avoiding unnecessary asset purchases and making the best use of current resources, IT asset managers can eliminate waste and improve efficiency. The Department of Information Technology (DIT) is primarily responsible for managing and operating the County's central computer system and telecommunications network. DIT also advises County agencies on computer-related matters, coordinates the purchase and use of computer equipment and software, and provides computer training and support for County employees. DIT is not responsible for managing or supporting the Department of Water Supply, Police Department, Office of Housing and Community Development, Office of the Prosecuting Attorney and the Office of Aging since these departments have their own internal information technology function. Why we did this audit This performance audit was undertaken to evaluate the County of HawaiTs management of IT assets. Specifically, this audit assessed if hardware lifecycle management policies and procedures followed industry best practices. We also evaluated whether the software licensing management system is adequate to ensure compliance with current applicable licensing agreement terms and conditions and follows industry best practices. On April 1, 2014, the Council approved Resolution No. 308-14 to authorize the payment of funds to replace County owned personal computers and laptops using an operating system that will no longer be supported by the manufacturer. We initiated this audit to determine if DIT is following IT asset management industry best practices. The DIT follows several IT asset management industry best practices as prescribed by the International Association of Information Technology Asset Managers. Two of the key elements of IT asset management are the centralization of the IT function and the use of an IT asset management role. However, at the County, the upgrade and replacement of computers is typically determined at the department level, not centrally at DIT. In addition, DIT has not established an IT asset management role. Without these two elements, the County is at an increased risk of security concerns, system instability, helpdesk and County employee inefficiencies, as well as increased hardware and software costs. Management complete response to this audit can be found on page 13: Management's Response. The recommendations identify improvements for management to follow industry best practices. Our audit report offers recommendations designed to address these issues. 1. The DIT should own all IT assets. Furthermore, an IT asset management role should be established to manage the County's IT assets including: • Developing a financial forecast of hardware and software upgrades and replacements; • Maintaining an approved software list for standardization; • Identifying re -deployable IT assets; • Continuing to evaluate leasing as an option; • Maintaining a listing of IT assets and the assigned users in a centralized database; • Centrally receiving and accepting all IT assets; • Reconciling IT assets in the IT asset management inventory; and • Ensuring the disposal of IT assets occurs in a secured manner. 2. The County should address gaps in formal written policies and procedures over IT practices. This page intentionally left blank. ACcuityLP CERTIFIED PUBLIC ACCOUNTANTS County of Hawaii Information Technology Asset Management Performance Audit Report November 6, 2015 Quality Integrity Insight ACcuityl_P CERTIFIED PUBLIC ACCOUNTANTS Report of Independent Auditors To the Office of the Legislative Auditor County of Hawaii As directed by the County of Hawaii, Office of the Legislative Auditor, contract dated March 12, 2015; we have conducted a performance audit of the County of Hawaii Department of Information Technology. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The purpose of our audit was to provide an independent assessment of the management of information technology assets by the County of Hawaii Department of Information Technology. The sub -objectives were to determine whether hardware lifecycle management policies and procedures follow industry best practices and whether software licensing management system is adequate to ensure compliance with current applicable licensing agreement terms and conditions and follows industry best practices. This report is current as of the date of the report. We performed no procedures or analysis of the contracts, policies or procedures after the date of the report. A significant portion of the information we used in our analysis was based on interviews with the Department of Information Technology personnel. This report is the result of our evaluation of the information noted above and is intended solely for the information of the Office of the Legislative Auditor. This restriction is not intended to limit the distribution of this report, which upon acceptance by the Office of the Legislative Auditor is a matter of public record. Actw�C.�f' 0 Honolulu, Hawaii November 6, 2015 999 BISHOP STREET, SUITE 1900 an independent member of HONOLULU, HAWAII 96813 BAKER TI LLY TELEPHONE: 808 5313400 FAcSIMILE: 808 5313433 INTERNATIONAL County of Hawaii Index Page(s) Introduction Background........................................................................................................................... 1 Objectiveand Scope......................................................................................................... 1-2 Methodology...................................................................................................................... 2-3 Criteria.................................................................................................................................. 4 Commendations and Noteworthy Achievements....................................................................4 Observations and Recommendations Summary of Audit Results............................................................................................... 5-12 Management's Response County of Hawaii Introduction Background The County of Hawaii (the "County") Department of Information Technology ("DIT") is responsible for managing and supporting the County's approximately 1,200 computers in their central computer system and telecommunications network. DIT is also responsible for coordinating the purchase and use of computer equipment and software and for providing technology support and user training to County employees. DIT is not responsible for managing or supporting the Department of Water Supply, Police Department, Office of Housing and Community Development, Office of the Prosecuting Attorney and the Office of Aging since these departments have their own internal information technology ("IT") function. DIT conducts quarterly meetings with these departments for information sharing and collaboration. DIT does not have a dedicated IT Asset Management position that manages the IT asset management budget at the County level; individual departments manage their own IT asset management budgets. The County's Department of Finance tracks IT assets in its fixed assets inventory system. IT asset procurement follows the Department of Finance Purchasing Manual that allows individual departments to process purchases up to $1,000. The Purchasing Division, under the Department of Finance, processes purchases greater than $1,000. DIT consists of twenty employees and includes a user support and systems support function. A strategic goal for DIT is to standardize and secure the County's computing environment by restricting County employees from installing software without DIT involvement and by implementing an automated network and software inventory system and an automated software deployment tool. Objective and Scope The objectives of the audit were to: 1. Determine whether the DIT's hardware lifecycle management policies and procedures follow industry best practices, including but not limited to: • Hardware lifecycle management • Hardware inventory management • Hardware security management 2. Determine whether DIT's software licensing management system is adequate to ensure compliance with current applicable licensing agreement terms and conditions. In addition, to determine if the software licensing management system follows industry best practices, including, but not limited to: • Software lifecycle management • Software inventory management • Software security management County of Hawaii Introduction The scope of the audit was limited to the departments that DIT supports. The audit excluded the Department of Water Supply, Police Department, Office of Housing and Community Development, Office of the Prosecuting Attorney and the Office of Aging. These departments have their own internal IT support group that only rely on DIT for common services such as e-mail security and messaging and Microsoft Active Directory Domain Services. The audit also focused on the County of Hawaii Resolution No. 308-14, which authorized the payment of funds to replace County -owned personal computers and laptops using an unsupported operating system. The resolution provided the opportunity for DIT to initiate and manage the Windows XP upgrade project and to purchase approximately 600 computers. The scope of the audit also included Resolution 256-13, which authorized the payment of funds to upgrade Active Directory Domain Services and the County's Microsoft e-mail messaging system. Methodology The audit team requested and reviewed the policies and procedures of the Department of Information Technology and Department of Finance, including: • Internet and E-mail Policy, dated July 1, 2003 • County -Issued Technology Device Policy • Computer Inventory Procedure • PC/Laptop Quote Spec Sheet • Electronic Records Destruction Policy for Computer and Electronic Media Since the Department of Finance manages procurement and fixed asset inventory, the following policies and procedures were requested and reviewed: • Inventory Additions Worksheet Procedures • Procedures Manual for Inventory, dated January 1, 1983 • Purchasing Manual, v09.02.14 To understand the roles and functions DIT provides to the County, the following DIT internal documents were requested and reviewed: • DIT Three -Year Plan • County Resolutions • DIT Organization Chart • The Cost of Government Commission report • Documents related to the physical audit of DIT equipment conducted by the Department of Finance • Various inventory schedules 2 County of Hawaii Introduction To better understand the standards and procedures in place related to the management of IT assets, questionnaires were requested and completed by key DIT personnel. The questionnaires covered the following topics: • Hardware Lifecycle • Hardware Inventory • Hardware Security • Software Lifecycle • Software Inventory • Software Security We reviewed and discussed the responses from the questionnaires through interviews with the Director of Information Technology, Information Systems Program Managers, Information Systems Analysts with the Help Desk and Network Divisions, and the Director of Finance. On-site inspections of DIT facilities were performed to observe the physical security controls in place to safeguard IT assets. We performed walkthroughs of the automated network and software inventory system and the automated software deployment tool used by DIT and reviewed output reports. A review of the County's Microsoft Volume Licensing portals was also performed to validate software entitlements. To review DIT's management of the Windows XP upgrade project, we interviewed the Director of IT to understand the project scope, project governance, and the extent of DIT's involvement. We also interviewed the designated project manager to understand how DIT communicated the project to the departments and other stakeholders. The designated project manager also described the physical inventory process and results, details on price negotiation, the method to determine purchase counts, and any issues that were raised throughout the upgrade project. An interview with the helpdesk personnel was conducted to understand the process of how computers are physically received, tracked, configured, deployed, and added to the fixed assets inventory. We obtained the agendas for the meetings DIT conducted with the department liaisons, related e-mail correspondences, inventory schedules that were distributed and collected from the department liaisons, physical inventory results, official Request for Quotes and Response Details Report Bids from vendors, and the signed Notices to Proceed. To gain an understanding of industry best practices related to the management of IT assets, we reviewed the Best Practices Library published by the International Association of Information Technology Asset Managers ("IAITAM"). The volumes we reviewed included Acquisition Management, Asset Identification, Disposal Management, Documentation Management, Financial Management, and Policy Management. 3 County of Hawaii Introduction Criteria We compared the Department of Information Technology's management of hardware and software lifecycle, inventory, financial and security procedures with the Best Practices Library published by the International Association of Information Technology Asset Managers. In addition, the audit team conducted a risk assessment during the planning phase of the audit to identify potential areas of risk. The risk assessment was reported to the Office of the Legislative Auditor. Commendations and Noteworthy Achievements The Department of Information Technology followed several industry best practices related to the management of IT assets. DIT uses an automated network and software inventory system allowing the County to track and manage devices connected to the County network and installed software. Near the start of the audit, we identified security concerns related to the management of software and security updates, and DIT responded by implementing an automated software deployment system before the audit's completion. DIT complied with the County's "Electronic Records Destruction Policy for Computer and Electronic Media" by implementing a method to appropriately demagnetize and physically destroy hard drives during the Windows XP upgrade project. During the replacement of computers, DIT proactively removed administrative permissions from users. This helped prevent the installation of unapproved software. DIT also took advantage of Price Term Agreements to purchase approximately 600 computers and laptops. Unlike a quote that may expire or be changed at any time, a Price Term Agreement provides fixed pricing for a specified period of time. This also helped to standardize computer models and improve support. During the Exchange and Active Directory upgrade project, DIT leveraged volume license agreements, a more cost-effective model than the previous Original Equipment Manufacturer ("OEM") licenses, which are not upgradable or easily redeployed. Il County of Hawaii Observations and Recommendations Summary of Audit Results Based on the audit performed, the following are the key observations and recommendations related to the County's information technology asset management: 1. The DIT should own all IT assets. Furthermore, an IT asset management role should be established to manage the County's IT assets. Some of the duties of the IT asset manager role should include: • Develop a one through five-year financial forecast of hardware and software upgrades and replacements for each of the departments; • Maintain an approved software list for standardization; • Identify redeployable IT assets; • Continue to evaluate leasing as an option; • Maintain a listing of IT assets and the assigned users in a centralized database; • Centrally receive and accept all IT assets; and • Reconcile IT assets in the IT asset management inventory to the Department of Finance fixed assets inventory. • Ensure that the disposal of IT assets occurs in a secured manner to protect against the unauthorized access of data during or subsequent to the disposal process. 2. The County lacks formal written procedures over the IT practices. Therefore, DIT was often restricted from consistently participating in IT asset management activities to ensure the procurement of IT assets follow best practices. Hardware and Software Lifecycle Management 1. Upgrades and Replacements There is no County -wide centralized formal written process in place for the upgrade or replacement of computers and software. DIT is not responsible on a daily basis for the upgrade or replacement of computers since this is determined at the department level. Departments can purchase assets valued up to $1,000 but may not understand the potential risks associated with end -of -life hardware and software that is no longer supported by the vendor or manufacturer. Not effectively planning for the upgrade of end -of -life hardware and software could lead to security concerns. Resolution No. 308-14 was a reaction to known security vulnerabilities and was driven by the necessity to upgrade end -of -life hardware and software. Not maintaining effective computing processing levels can cause performance concerns and inefficiencies for County employees. Planning for upgrades promotes bulk purchases and leverages vendor negotiations, which typically leads to cost savings. 5 County of Hawaii Observations and Recommendations The formal Request for Bids process was performed by DIT to purchase Microsoft Office and Exchange and Windows Server Client Access Licenses ("CAL"). Prior to this upgrade project, most Microsoft products were purchased as OEM (Original Equipment Manufacturer) or off-the-shelf software and tied to the original hardware. This OEM software is not upgradable and needs to be replaced with the hardware. As part of the Resolution, DIT leveraged volume licensing which is upgradable and redeployable. Volume licensing also improves software compliance by providing an online portal that shows the number of licenses purchased by the County. Only authorized DIT employees can use the portal to protect software licenses and installation codes from unauthorized or personal use. With the completion of the Windows XP upgrade project, the purchasing and receiving of software up to $1,000 will revert back to the department level. Therefore, there are no assurances that departments will not purchase OEM software. In accordance with the IAITAM Best Practice Library, Volume 10, Acquisition, when assets are purchased and brought into the organization without the knowledge of the IT asset manager, it is difficult to support those assets and to preserve software compliance. Per Volume 7, Financial Management, the IT asset manager should own all IT assets. This is a cornerstone for IT asset management best practices. Recommendation We recommend that DIT establish an IT asset manager position to manage the County's IT assets and implement a plan to develop a one through five-year financial forecast of hardware and software upgrades and replacements for each of the departments by analyzing the historical information on the County's IT environment, current trends and future needs. While the County has implemented several procedures to better manage IT assets, to fully meet industry best practices, and improve the process of upgrading and replacing computers and laptops, the IT asset manager should implement a plan to take ownership of all IT assets. 2. Purchase Request and Approval Based on the PC/Laptop Quote Spec Sheet Instructions, DIT electronically receives and approves standard and exception requests for new computer or laptop purchases. Based on the Department of Finance Purchasing Manual, purchases up to $1,000 can be purchased at the department level while small purchases greater than $1,000 are processed by the Department of Finance, Purchasing Division. The Purchasing Division requires DIT to approve the PC /Laptop Quote Spec Sheet. There is no requirement for the PC/Laptop Quote Spec Sheet to be completed and approved for computer and laptop purchases up to $1,000. Software up to $1,000 can be purchased at the department level with little or no involvement from DIT. After the purchasing department receives the software purchases, DIT is often requested to install and support third party software. This can lead to system instability, helpdesk inefficiencies, and security concerns. County of Hawaii Observations and Recommendations DIT stated that they are planning to issue a memo to Department heads and managers that explain the Price Term Agreement and provides guidance on working with DIT for purchasing hardware and software. Unlike a quote that may expire or be changed at any time, a Price Term Agreement is a fixed price for a specified period of time. The Windows XP upgrade project provided an opportunity for DIT to start restricting County employees from installing software without DIT involvement. To reduce the likelihood of accidental installations of malware or other concealed harmful programs, DIT was made aware of new installations and had the ability to prohibit software that posed a software compliance or security concern for the County. However, this process will not prevent the departments from continuing to purchase software without DIT's knowledge and may lead to unused software if DIT prohibits the installation. DIT is using an automated network and software inventory system to maintain a listing of software installations and is internally managing an "approved" and "unauthorized" software listing. No formal written, County -wide policy is in place to maintain an approved software listing. The County -Issued Technology Device (IT acceptable use) policy does not prohibit the installation of unsupported software on the County's computing property and connection of unauthorized devices on the County network. In accordance with the IAITAM Best Practice Library, Volume 10, Acquisition, an effective request and approval process is an important step in reaching asset management goals and should be the only method to purchase IT assets. In accordance with the IAITAM Best Practices Library, Volume 1, Program Management Process, "the IT asset manager must ensure that standards for software are defined and maintained in a way that standards are reviewed frequently, published and explained, and meets the needs of end users." Recommendation DIT stated that they are planning to issue a memo to Department heads with guidance on working with DIT for purchasing hardware and software. Once the IT asset manager position is established, DIT should implement a plan to take ownership of all IT assets to ensure DIT is aware of all computer and software purchases and the standard request and approval process is followed. Installation of unapproved software is a potential security concern if the software is at the end -of -life or a method for installing security or software updates is not implemented. Unapproved software can cause conflicts with other supported software and could lead to system instability. We recommend DIT implement a policy to maintain an approved software listing and communicate the risks to the departments. The policy should include an annual review of the listing to ensure that software listed is still relevant and does not pose a security concern to the County. A review process should be implemented to respond to requests for software titles that are not currently in the supported software listing. We also recommend DIT update the County -Issued Technology Device policy to include prohibiting users from installing non -supported software and adding unapproved devices to the County network. 7 County of Hawaii Observations and Recommendations 3. Redeployment of Assets The County has formal written procedures to transfer computers between agencies. However, there is currently no process in place to identify IT assets that are no longer in use but may be re -used prior to purchasing new computers or software licenses. In accordance with the IAITAM Best Practice Library, Volume 10, Acquisition, the advantages of redeployment are cost savings and return on investment by using already owned or leased assets and reducing unnecessary purchases. Recommendation We recommend that once the IT asset manager position has been established, DIT should implement a process to identify redeployable assets and to establish County -wide formal written redeployment procedures to retrieve computers and software licenses that were installed on computers that were replaced or idle for an extended period of time. The redeployment of computers and software licenses is often cost-effective, minimizes unnecessary purchases, reduces over purchasing of assets, and reduces data security risks. 4. Leasing Leasing assets is typically not considered by the County when purchasing new computers or Microsoft Office software. Resolution No. 308-14 authorized the payment of funds for personal computers and Microsoft Office licenses for DIT to replace computers using an unsupported or end -of -life operating system. Lease -to -own IT assets were leveraged by DIT to procure these computers and licenses. In accordance with the IAITAM Best Practice Library, Volume 10, Acquisition, leasing is a strategic decision that can enable the organization to gain additional flexibility to handle unpredictable growth, allow for rapid technical refresh, reduce capital expense, and avoid disposal and recycling issues. Recommendation DIT should continue to evaluate leasing as an option to procure computers and software licenses for the County. Hardware and Software Inventory Management 1. Centralized Management System Based on the Department of Finance Procedures Manual for Inventory, equipment costing $1,000 or more shall be added to the fixed assets inventory using the Inventory Additions Worksheet with the exception of controlled assets. The Procedures Manual states, "Controlled assets are items costing more than $250 but less than $1,000 and are controlled as if they were capital assets because of their sensitive, portable and theft -prone nature. Departments shall tag controlled assets in chronological order with inventory tags provided by the Department of Finance." As noted on the Inventory Additions Worksheet, the department and division or location are required information and tracked in the fixed assets inventory. :3 County of Hawaii Observations and Recommendations IT assets are currently assigned to departments in the fixed assets inventory system rather than individuals. DIT does not have access to query the fixed assets inventory system. Therefore, DIT implemented an automated network and software inventory system that discovers and tracks computers connected to the County network or added to the County directory services. DIT investigates any new, unknown computers or software installations and performs remediation procedures if necessary. The system tracks specific details on the computers including the last user who logged in. Based on a report from the automated network and software inventory system received on April 24, 2015, nearly one quarter of computers (356 out of 1,116 or 23 percent) had duplicate logged -in last users. Since users are allowed to login to multiple computers, the last user who logged in may not always be the user. For example, if a user logged into their primary computer in the morning to check e-mail then logged into a shared kiosk to enter transactions, both computers will show the user as the last user who logged into both computers. As such, DIT may find it difficult to determine if the user is responsible for both computers. There are no County -wide formal written procedures in place to assign a user to IT assets in a centralized database. A user is an individual who mutually agrees to be held accountable for the safeguarding of the assigned IT asset. Currently, the departments maintain their own IT asset inventory listing. Therefore, users assigned to specific IT assets are managed at the department level and are not tracked in the centralized fixed assets inventory system. In accordance with the IAITAM Best Practice Library, Volume 6, Documentation Management, IT assets should be maintained in a centralized database and linked to contracts, locations, users and licenses. The IAITAM Best Practice Library, Volume 11, Asset Identification, states that the IT asset manager should be responsible for tracking the location and status of IT assets from the moment they enter the organization until the time that they are disposed of. Additionally, the IT asset manager should be responsible for automating the asset tracking system to facilitate speed, reduce physical labor costs, and provide a real-time view of assets. Recommendation We recommend DIT track users in a centralized database. Not tracking users in a centralized database may increase the County's security exposure since DIT may not be able to determine if computers are in use or locate assets. In addition, DIT may have difficulty holding employees accountable for the protection of assets and inappropriate activities. Unused computers are candidates for redeployment and may unnecessarily consume software licenses. From a software compliance perspective, software end-user licensing agreements can be tied to users instead of computers, and DIT may not be able to determine the appropriate license counts without knowing the assigned users. County of Hawaii Observations and Recommendations The fixed assets inventory system is not accessible to DIT and the automated network and software inventory system is not used to track the user. Therefore, we recommend that once the IT asset manager position is established, DIT should implement a plan to identify a centralized database that has the ability to track users whether it is the fixed assets inventory system, the automated network and software inventory system, or another IT asset management inventory system. After a product has been identified, the IT asset manager should implement County -wide written procedures to centrally track users for all IT assets. 2. Receiving and Accepting The Director of IT and Information Systems Program Manager stated that computers and software are typically not received and accepted centrally by DIT; instead, they are shipped to the department requesting the purchase. Therefore, the automated network and software inventory system was implemented to discover and track computers connected to the County network or added to the County directory services. In accordance with the IAITAM Best Practice Library, Volume 11, Asset Identification, the IT asset manager should be aware of any new IT asset before it is implemented into the environment and the asset should be easily tracked by a discovery tool. The IAITAM Best Practice Library, Volume 10, Acquisition, states that when assets are purchased and brought into the organization without the knowledge of the IT asset manager, it is difficult to support those assets and to preserve software compliance. Recommendation We recommend DIT implement a plan to centrally receive and accept all IT assets to ensure DIT is aware of new computers or software before they are introduced into the County environment. 3. Annual Physical Inventory The Department of Finance Procedures Manual for Inventory requires each department and agency to conduct an annual inventory. This inventory consists of making physical checks of items on hand and comparing these items with the proper records to verify the accuracy. At year-end, the Department of Finance, Property Management Division, sends the "Fixed Asset Detail Report — By Fund" to the various departments. The department heads then certify that the reports are accurate on the "Certificate of Custodian" form. DIT does not reconcile the inventory of computers and software maintained in the automated network and software inventory system with the IT assets listed on the Fixed Asset Detail Report to ensure both listings are accurate and complete. In accordance with the IAITAM Best Practice Library, Volume 11, Asset Identification, organizations should commit to a physical audit strategy that is appropriate for the size of the company, the geographical issues and the critical nature of the asset type. 10 County of Hawaii Observations and Recommendations Recommendation We recommend DIT periodically reconcile IT assets listed on the Fixed Asset Detail Report with the automated network and software inventory system to ensure all IT assets are properly recorded and included in the annual physical inventory. Any discrepancies should be investigated and resolved immediately. Hardware and Software Security 1. Secured Disposal Effective January 1, 2007, Chapter 487R, Hawaii Revised Statues required "government units in the State of Hawaii to take reasonable measures to protect against unauthorized access to personal information after the government unit has disposed of it." To comply with HRS Chapter 487R, the County's Committee on the Destruction of Records issued the "Electronic Records Destruction Policy for Computer and Electronic Media" on October 1, 2007 that requires all electronic records including hard drives containing personal information to be transferred to DIT for proper destruction. The Director of IT was not aware of the policy since it was implemented prior to his appointed position in 2013. Furthermore, the policy was not stored centrally with other IT policies on the County's internal website. The policy has since been added to the County's internal website. The "Electronic Records Destruction Policy for Computer and Electronic Media" states that DIT is responsible for maintaining a record of destruction of electronic records and to ensure compliance with the policy when any computer hard drives or electronic media are transferred or disposed of. In July 2015, DIT implemented a procedure to maintain a "Master Hard Drive Destruction Log" to record the destruction date, method of destruction, computer and hard drive serial number, department, last user, and date the hard drive was retrieved by DIT. The Director of IT affirmed the standard operating procedure for computer replacements during the Windows XP upgrade project was to remove hard drives from obsolete computers or retrieve computers that could be upgraded and redeployed. Hard drives would be stored with DIT, and later demagnetized and physically destroyed using a MediaVise Compact. These procedures comply with the "Electronic Records Destruction Policy for Computer and Electronic Media" requirements. Since approximately 600 computers were purchased for the Windows XP upgrade project, DIT was provided a temporary computer deployment location for the storage of IT assets. The facility is a shared location with other departments and is used to store certain records and files. Therefore, the area provided to DIT is not a dedicated space and is accessible by five other departments. Although we observed that the entrance and exit doors are locked, the facility is not protected by an alarm system or electronic locks, and there are no closed circuit television or video recording devices. Hard drives identified for disposal are not separately secured in a locked area and are only tracked and logged after destruction. Hence, IT equipment and media with possible confidential or sensitive data is not appropriately safeguarded from loss or theft. 11 County of Hawaii Observations and Recommendations In accordance with the IAITAM Best Practice Library, Volume 12, Disposal Management, the organization should dispose of assets securely and disposal requirements are identified and understood. Data should be extracted and wiped or destroyed from hardware prior to disposal. Disposed assets should be accurately tracked at the serial number or asset tag level and certificates of disposition and data destruction should be maintained. In addition, the IAITAM Best Practice Library, Volume 11, Asset Identification, states that the IT asset manager should be responsible for tracking IT assets from the moment they enter the organization until the time that they are disposed of. Recommendation We understand that the Director of IT plans to issue a memo with the "Electronic Records Destruction Policy for Computer and Electronic Media" to the Department heads and managers requiring the transfer of all obsolete hard drives to DIT for destruction. We recommend the County review this policy at least annually and update accordingly. We also understand that the current computer deployment location is temporary. However, if DIT continues to use the facility, we recommend that additional physical security controls be implemented to safeguard IT assets and media from loss or theft. 12 Management's Response William P. Kenoi Mayor Walter K. M. Lau Managing Director October 30, 2015 County of Hawaii DEPARTMENT OF INFORMATION TECHNOLOGY 25 Aupuni Street + Hilo, Hawaii 96720-4252 (808) 932-2960 • Fax (808) 981-2037 Donald F. Jacobs, Jr. Director TO: Bonnie Nims, Legislative Auditor FROM: Don Jacobs, Director of Information Technology RE: Response to County of Hawaii's Information Technology Asset Management Performance Audit Report Thank you for the opportunity to provide our response to the audit recommendations. Hardware and Software Lifecycle Management 1. L bQ ades and Replacements Recommendation: We recommend that DIT establish an IT asset manager position to manage the County's IT assets and implement a plan to develop a one through five-year financial forecast of hardware and software upgrades and replacements for each of the departments by analyzing the historical information on the County's IT environment, current trends and future needs. While the County has implemented several procedures to better manage IT assets, to fully meet industry best practices and improve the process of upgrading and replacing computers and laptops, the IT asset manager should implement a plan to take ownership of all IT assets. Response: The department of Information Technology (Department of IT) will consider establishing an IT asset manager position as it works on preparing the fiscal year 2017 budget. We will continue to evaluate the County's needs based on the age of PCs and continue to work on solutions to plan our software needs. In general the County of Hawaii owns all assets, but departments are responsible for assets. There are several factors that will need to be evaluated before this can fully be implemented, for example who will be responsible for missing assets. 2. Purchase Request and Approval Recommendation: DIT stated that they are planning to issue a memo to Department heads with guidance on working with DIT for purchasing hardware and software. Once the IT asset manager position is established, DIT should implement a plan to take ownership of all IT assets to ensure DIT is aware of all computer and software purchases and the standard request and approval process is followed. Hawaii County is an Equal Opportunity Provider and Employer Installation of unapproved software is a potential security concern if the software is at the end -of - life or a method for installing security or software updates is not implemented. Unapproved software can cause conflicts with other supported software and could lead to system instability. We recommend DIT implement a policy to maintain an approved software listing and communicate the risks to the departments. The policy should include an annual review of the listing to ensure that software listed is still relevant and does not pose a security concern to the County. A review process should be implemented to respond to requests for software titles that are not currently in the supported software listing. We also recommend DIT update the County -Issued Technology Device policy to include prohibiting users from installing non -supported software and adding un -approved devices to the County network. Response: We have issued the memo with guidance on the purchase of hardware and software. We do not believe that we have a high risk of the installation of unapproved software since our users do not have administrative rights to do this. Our department does maintain a list of approved software. This list will be posted on our Intranet for users to review. We will review and update our County -Issued Technology Device policy as needed. 3. Redeployment of Assets Recommendation: We recommend that once the IT asset manager position has been established, DIT should implement a process to identify re -deployable assets and to establish County -wide formal written redeployment procedures to retrieve computers and software licenses that were installed on computers that were replaced or idle for an extended period of time. The redeployment of computers and software licenses is often cost-effective, minimizes unnecessary purchases, reduces over purchasing of assets and reduces data security risks. Response: The Department of IT has identified re -deployable assets during our recent mass upgrade. We also have tools in place to identify these assets that are connected to the network. We will work on formalizing our processes and procedures. We have already modified our software licensing terms so that the licenses for standard software packages no longer reside on PCs. 4. Leasing Recommendation: DIT should continue to evaluate leasing as an option to procure computers and software licenses for the County. Response: The County currently does financing leases for many of its assets including our PCs and large applications. Hardware and Software Inventory Management Centralized Management System+ Recommendation: We recommend DIT track users in a centralized database. Not tracking users in a centralized database may increase the County's security exposure since DIT may not be able to determine if computers are in use or locate assets. In addition, DIT may have difficulty holding employees accountable for the protection of assets and inappropriate activities. Unused computers are candidates for redeployment and may unnecessarily consume software licenses. From a software compliance perspective, software end-user licensing agreements can be tied to users instead of computers, and DIT may not be able to determine the appropriate license counts without knowing the assigned users. The fixed assets inventory system is not accessible to DIT and the automated network and software inventory system is not used to track the user. Therefore, we recommend that once the IT asset manager position is established, DIT should implement a plan to identify a centralized database that has the ability to track users whether it is the fixed assets inventory system, the automated network and software inventory system, or another IT asset management inventory system. After a product has been identified, the IT asset manager should implement County -wide written procedures to centrally track users for all IT assets. Response: Each department maintains listings of users and associated PCs and other assets. Currently the departments are tasked with the responsibility of ensuring asset security. We will work towards integrating the primary user name into our network inventory system to assist both IT and the departments. 1. Receiving and Accepting Recommendation: We recommend DIT implement a plan to centrally receive and accept all IT assets to ensure DIT is aware of new computers or software before they are introduced into the County environment. Response: No IT assets can be introduced into the County IT environment without coordinating this with IT because of established network security procedures. 2. Annual Physical Inventory Recommendation: We recommend DIT periodically reconcile IT assets listed on the Fixed Asset Detail Report with the automated network and software inventory system to ensure all IT assets are property recorded and included in the annual physical inventory. Any discrepancies should be investigated and resolved immediately. Response: We will work on implementing this recommendation as staffing and time permits. Hardware and Software Security 1. Secured Dis osal Recommendation: We understand that the Director of IT plans to issue a memo with the "Electronic Records Destruction Policy for Computer and Electronic Media" to the Department heads and managers requiring the transfer of all obsolete hard drives to DIT for destruction. We recommend the County review this policy at least annually and updated accordingly. We also understand that the current computer deployment location is temporary. However, if DIT continues to use the facility, we recommend that additional physical security controls be implemented to safeguard IT assets and media from loss or theft. Response: We are currently in the process of issuing the memo as recommended. We will be acquiring media secured locked cabinets to ensure protection from loss or theft. you have any questions, please feel free to contact me at 932-2975. — rl-�' - Donald F. Jacobs, Jr. Director