HomeMy WebLinkAbout2015-02 Performance Audit Report: County of Hawai'i Information Technology Asset ManagementCounty of Hawaii
Information Technology
Asset Management
Report No. 2015-02
November 12, 2015
Jt1T ••�F; !4
Office of the Legislative Auditor
County of Hawaii
'QrFOF.µASy
Dru Mamo Kanuha
Chair & Presiding Officer
Council District 7
November 12, 2015
V�ti�dnu
sr• r
qrf OF�HP`�
%L'ouUN of 'Pubiat`i
Bonnie S. Nims, CGAP
Legislative Auditor
Business Address
1266 Kamehameha Avenue
Suite A-8
Hilo, Hawai `i 96720
OFFICE OF THE LEGISLATIVE AUDITOR
25 Aupuni Street Hilo, Hawaii 96720 * (808) 961-8386 * Fax (808) 961-8905
website: hup://HawaVicounty.Qov e-mail: publiclao(aco.Hawai'i.hi.us
The Honorable Dru Kanuha, Council Chairperson and
Members of the Hawaii County Council
Hawaii County Council
25 Aupuni Street
Hilo, Hawaii 96720
Dear Chair Kanuha and Council Members,
hi accordance with Hawaii County Charter Section 3-18(d)(2), attached is the Office of the Legislative Auditor's
report of our audit of Information Technology (IT) Asset Management. The purpose of the audit was to evaluate
the County of Hawai'i's management of IT assets including hardware lifecycle management and software licensing
management. Accuity LLP conducted this audit in accordance with Generally Accepted Government Auditing
Standards on our behalf.
The Department of Information Technology (DIT) follows several IT asset management industry best practices.
However, to fully meet industry best practices, the DIT should own all IT assets. hi addition, an IT asset
management role should be established to manage the County's IT assets. These are key elements to successful
management of IT assets and without these two elements, the County is at an increased risk of security concerns,
system instability, helpdesk and County employee inefficiencies, as well as increased hardware and software costs.
If you need any further information, please let me know. We would like to thank the Department of Information
Technology and Finance Department staff for their assistance and cooperation during this audit. We greatly
appreciate all of their valuable time and efforts spent on providing us information.
Respectfully,
Bonnie S. Nims, CGAP
Legislative Auditor
cc: William P. Kenoi, Mayor
Stewart Maeda, County Clerk
Donald Jacobs, Director, Department of Information Technology
Deanna Sako, Finance Director
Walter Lau, Managing Director
Hawai `i County is an Equal Opportunity Provider and Employer
In Brief
Background
Information Technology (IT) asset management is
the management of IT assets, including all elements
of software and hardware, from the identification of
requirements to the disposal of the assets. The IT
asset management process typically involves
gathering a detailed inventory of an organization's
hardware and software and then using that
information to make informed decisions about IT -
related purchases and redistribution. By avoiding
unnecessary asset purchases and making the best
use of current resources, IT asset managers can
eliminate waste and improve efficiency.
The Department of Information Technology (DIT) is
primarily responsible for managing and operating the
County's central computer system and
telecommunications network. DIT also advises
County agencies on computer-related matters,
coordinates the purchase and use of computer
equipment and software, and provides computer
training and support for County employees. DIT is
not responsible for managing or supporting the
Department of Water Supply, Police Department,
Office of Housing and Community Development,
Office of the Prosecuting Attorney and the Office of
Aging since these departments have their own
internal information technology function.
Why we did this audit
This performance audit was undertaken to evaluate
the County of HawaiTs management of IT assets.
Specifically, this audit assessed if hardware lifecycle
management policies and procedures followed
industry best practices. We also evaluated whether
the software licensing management system is
adequate to ensure compliance with current
applicable licensing agreement terms and conditions
and follows industry best practices.
On April 1, 2014, the Council approved Resolution
No. 308-14 to authorize the payment of funds to
replace County owned personal computers and
laptops using an operating system that will no longer
be supported by the manufacturer. We initiated this
audit to determine if DIT is following IT asset
management industry best practices.
The DIT follows several IT asset management
industry best practices as prescribed by the
International Association of Information Technology
Asset Managers. Two of the key elements of IT asset
management are the centralization of the IT function
and the use of an IT asset management role.
However, at the County, the upgrade and
replacement of computers is typically determined at
the department level, not centrally at DIT. In addition,
DIT has not established an IT asset management
role. Without these two elements, the County is at an
increased risk of security concerns, system instability,
helpdesk and County employee inefficiencies, as well
as increased hardware and software costs.
Management complete response to this audit can be
found on page 13: Management's Response.
The recommendations identify improvements for
management to follow industry best practices. Our
audit report offers recommendations designed to
address these issues.
1. The DIT should own all IT assets. Furthermore,
an IT asset management role should be
established to manage the County's IT assets
including:
• Developing a financial forecast of hardware
and software upgrades and replacements;
• Maintaining an approved software list for
standardization;
• Identifying re -deployable IT assets;
• Continuing to evaluate leasing as an option;
• Maintaining a listing of IT assets and the
assigned users in a centralized database;
• Centrally receiving and accepting all IT
assets;
• Reconciling IT assets in the IT asset
management inventory; and
• Ensuring the disposal of IT assets occurs in a
secured manner.
2. The County should address gaps in formal
written policies and procedures over IT practices.
This page intentionally left blank.
ACcuityLP
CERTIFIED PUBLIC ACCOUNTANTS
County of Hawaii
Information Technology Asset Management
Performance Audit Report
November 6, 2015
Quality Integrity Insight
ACcuityl_P
CERTIFIED PUBLIC ACCOUNTANTS
Report of Independent Auditors
To the Office of the Legislative Auditor
County of Hawaii
As directed by the County of Hawaii, Office of the Legislative Auditor, contract dated March 12,
2015; we have conducted a performance audit of the County of Hawaii Department of
Information Technology. We conducted this performance audit in accordance with generally
accepted government auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings
and conclusions based on our audit objectives. We believe that the evidence obtained
provides a reasonable basis for our findings and conclusions based on our audit objectives.
The purpose of our audit was to provide an independent assessment of the management of
information technology assets by the County of Hawaii Department of Information Technology.
The sub -objectives were to determine whether hardware lifecycle management policies and
procedures follow industry best practices and whether software licensing management system
is adequate to ensure compliance with current applicable licensing agreement terms and
conditions and follows industry best practices. This report is current as of the date of the report.
We performed no procedures or analysis of the contracts, policies or procedures after the date
of the report. A significant portion of the information we used in our analysis was based on
interviews with the Department of Information Technology personnel.
This report is the result of our evaluation of the information noted above and is intended solely
for the information of the Office of the Legislative Auditor. This restriction is not intended to
limit the distribution of this report, which upon acceptance by the Office of the Legislative Auditor
is a matter of public record.
Actw�C.�f'
0
Honolulu, Hawaii
November 6, 2015
999 BISHOP STREET, SUITE 1900
an independent member of
HONOLULU, HAWAII 96813
BAKER TI LLY TELEPHONE: 808 5313400 FAcSIMILE: 808 5313433
INTERNATIONAL
County of Hawaii
Index
Page(s)
Introduction
Background........................................................................................................................... 1
Objectiveand Scope......................................................................................................... 1-2
Methodology...................................................................................................................... 2-3
Criteria.................................................................................................................................. 4
Commendations and Noteworthy Achievements....................................................................4
Observations and Recommendations
Summary of Audit Results............................................................................................... 5-12
Management's Response
County of Hawaii
Introduction
Background
The County of Hawaii (the "County") Department of Information Technology ("DIT") is
responsible for managing and supporting the County's approximately 1,200 computers
in their central computer system and telecommunications network. DIT is also responsible
for coordinating the purchase and use of computer equipment and software and for providing
technology support and user training to County employees. DIT is not responsible for
managing or supporting the Department of Water Supply, Police Department, Office of Housing
and Community Development, Office of the Prosecuting Attorney and the Office of Aging since
these departments have their own internal information technology ("IT") function. DIT conducts
quarterly meetings with these departments for information sharing and collaboration.
DIT does not have a dedicated IT Asset Management position that manages the IT asset
management budget at the County level; individual departments manage their own IT asset
management budgets. The County's Department of Finance tracks IT assets in its fixed
assets inventory system. IT asset procurement follows the Department of Finance
Purchasing Manual that allows individual departments to process purchases up to $1,000.
The Purchasing Division, under the Department of Finance, processes purchases greater
than $1,000.
DIT consists of twenty employees and includes a user support and systems support function.
A strategic goal for DIT is to standardize and secure the County's computing environment
by restricting County employees from installing software without DIT involvement and by
implementing an automated network and software inventory system and an automated
software deployment tool.
Objective and Scope
The objectives of the audit were to:
1. Determine whether the DIT's hardware lifecycle management policies and procedures
follow industry best practices, including but not limited to:
• Hardware lifecycle management
• Hardware inventory management
• Hardware security management
2. Determine whether DIT's software licensing management system is adequate to ensure
compliance with current applicable licensing agreement terms and conditions. In
addition, to determine if the software licensing management system follows industry
best practices, including, but not limited to:
• Software lifecycle management
• Software inventory management
• Software security management
County of Hawaii
Introduction
The scope of the audit was limited to the departments that DIT supports. The audit excluded
the Department of Water Supply, Police Department, Office of Housing and Community
Development, Office of the Prosecuting Attorney and the Office of Aging. These departments
have their own internal IT support group that only rely on DIT for common services such as
e-mail security and messaging and Microsoft Active Directory Domain Services.
The audit also focused on the County of Hawaii Resolution No. 308-14, which authorized
the payment of funds to replace County -owned personal computers and laptops using an
unsupported operating system. The resolution provided the opportunity for DIT to initiate and
manage the Windows XP upgrade project and to purchase approximately 600 computers.
The scope of the audit also included Resolution 256-13, which authorized the payment of
funds to upgrade Active Directory Domain Services and the County's Microsoft e-mail
messaging system.
Methodology
The audit team requested and reviewed the policies and procedures of the Department of
Information Technology and Department of Finance, including:
• Internet and E-mail Policy, dated July 1, 2003
• County -Issued Technology Device Policy
• Computer Inventory Procedure
• PC/Laptop Quote Spec Sheet
• Electronic Records Destruction Policy for Computer and Electronic Media
Since the Department of Finance manages procurement and fixed asset inventory, the following
policies and procedures were requested and reviewed:
• Inventory Additions Worksheet Procedures
• Procedures Manual for Inventory, dated January 1, 1983
• Purchasing Manual, v09.02.14
To understand the roles and functions DIT provides to the County, the following DIT internal
documents were requested and reviewed:
• DIT Three -Year Plan
• County Resolutions
• DIT Organization Chart
• The Cost of Government Commission report
• Documents related to the physical audit of DIT equipment conducted by the Department of
Finance
• Various inventory schedules
2
County of Hawaii
Introduction
To better understand the standards and procedures in place related to the management
of IT assets, questionnaires were requested and completed by key DIT personnel. The
questionnaires covered the following topics:
• Hardware Lifecycle
• Hardware Inventory
• Hardware Security
• Software Lifecycle
• Software Inventory
• Software Security
We reviewed and discussed the responses from the questionnaires through interviews with
the Director of Information Technology, Information Systems Program Managers, Information
Systems Analysts with the Help Desk and Network Divisions, and the Director of Finance.
On-site inspections of DIT facilities were performed to observe the physical security controls
in place to safeguard IT assets.
We performed walkthroughs of the automated network and software inventory system and the
automated software deployment tool used by DIT and reviewed output reports. A review of the
County's Microsoft Volume Licensing portals was also performed to validate software
entitlements.
To review DIT's management of the Windows XP upgrade project, we interviewed the Director
of IT to understand the project scope, project governance, and the extent of DIT's involvement.
We also interviewed the designated project manager to understand how DIT communicated
the project to the departments and other stakeholders. The designated project manager also
described the physical inventory process and results, details on price negotiation, the method
to determine purchase counts, and any issues that were raised throughout the upgrade project.
An interview with the helpdesk personnel was conducted to understand the process of how
computers are physically received, tracked, configured, deployed, and added to the fixed assets
inventory. We obtained the agendas for the meetings DIT conducted with the department
liaisons, related e-mail correspondences, inventory schedules that were distributed and
collected from the department liaisons, physical inventory results, official Request for Quotes
and Response Details Report Bids from vendors, and the signed Notices to Proceed.
To gain an understanding of industry best practices related to the management of IT assets,
we reviewed the Best Practices Library published by the International Association of Information
Technology Asset Managers ("IAITAM"). The volumes we reviewed included Acquisition
Management, Asset Identification, Disposal Management, Documentation Management,
Financial Management, and Policy Management.
3
County of Hawaii
Introduction
Criteria
We compared the Department of Information Technology's management of hardware and
software lifecycle, inventory, financial and security procedures with the Best Practices Library
published by the International Association of Information Technology Asset Managers. In
addition, the audit team conducted a risk assessment during the planning phase of the audit to
identify potential areas of risk. The risk assessment was reported to the Office of the Legislative
Auditor.
Commendations and Noteworthy Achievements
The Department of Information Technology followed several industry best practices related to
the management of IT assets. DIT uses an automated network and software inventory system
allowing the County to track and manage devices connected to the County network and
installed software. Near the start of the audit, we identified security concerns related to the
management of software and security updates, and DIT responded by implementing an
automated software deployment system before the audit's completion.
DIT complied with the County's "Electronic Records Destruction Policy for Computer and
Electronic Media" by implementing a method to appropriately demagnetize and physically
destroy hard drives during the Windows XP upgrade project. During the replacement of
computers, DIT proactively removed administrative permissions from users. This helped
prevent the installation of unapproved software. DIT also took advantage of Price Term
Agreements to purchase approximately 600 computers and laptops. Unlike a quote that may
expire or be changed at any time, a Price Term Agreement provides fixed pricing for a specified
period of time. This also helped to standardize computer models and improve support.
During the Exchange and Active Directory upgrade project, DIT leveraged volume license
agreements, a more cost-effective model than the previous Original Equipment Manufacturer
("OEM") licenses, which are not upgradable or easily redeployed.
Il
County of Hawaii
Observations and Recommendations
Summary of Audit Results
Based on the audit performed, the following are the key observations and recommendations
related to the County's information technology asset management:
1. The DIT should own all IT assets. Furthermore, an IT asset management role should be
established to manage the County's IT assets. Some of the duties of the IT asset manager
role should include:
• Develop a one through five-year financial forecast of hardware and software upgrades
and replacements for each of the departments;
• Maintain an approved software list for standardization;
• Identify redeployable IT assets;
• Continue to evaluate leasing as an option;
• Maintain a listing of IT assets and the assigned users in a centralized database;
• Centrally receive and accept all IT assets; and
• Reconcile IT assets in the IT asset management inventory to the Department of Finance
fixed assets inventory.
• Ensure that the disposal of IT assets occurs in a secured manner to protect against
the unauthorized access of data during or subsequent to the disposal process.
2. The County lacks formal written procedures over the IT practices. Therefore, DIT was often
restricted from consistently participating in IT asset management activities to ensure the
procurement of IT assets follow best practices.
Hardware and Software Lifecycle Management
1. Upgrades and Replacements
There is no County -wide centralized formal written process in place for the upgrade
or replacement of computers and software. DIT is not responsible on a daily basis for
the upgrade or replacement of computers since this is determined at the department level.
Departments can purchase assets valued up to $1,000 but may not understand the potential
risks associated with end -of -life hardware and software that is no longer supported by the
vendor or manufacturer.
Not effectively planning for the upgrade of end -of -life hardware and software could lead to
security concerns. Resolution No. 308-14 was a reaction to known security vulnerabilities
and was driven by the necessity to upgrade end -of -life hardware and software. Not
maintaining effective computing processing levels can cause performance concerns and
inefficiencies for County employees. Planning for upgrades promotes bulk purchases
and leverages vendor negotiations, which typically leads to cost savings.
5
County of Hawaii
Observations and Recommendations
The formal Request for Bids process was performed by DIT to purchase Microsoft Office
and Exchange and Windows Server Client Access Licenses ("CAL"). Prior to this upgrade
project, most Microsoft products were purchased as OEM (Original Equipment
Manufacturer) or off-the-shelf software and tied to the original hardware. This OEM software
is not upgradable and needs to be replaced with the hardware. As part of the Resolution,
DIT leveraged volume licensing which is upgradable and redeployable. Volume licensing
also improves software compliance by providing an online portal that shows the number of
licenses purchased by the County. Only authorized DIT employees can use the portal to
protect software licenses and installation codes from unauthorized or personal use.
With the completion of the Windows XP upgrade project, the purchasing and receiving
of software up to $1,000 will revert back to the department level. Therefore, there are
no assurances that departments will not purchase OEM software.
In accordance with the IAITAM Best Practice Library, Volume 10, Acquisition, when assets
are purchased and brought into the organization without the knowledge of the IT asset
manager, it is difficult to support those assets and to preserve software compliance.
Per Volume 7, Financial Management, the IT asset manager should own all IT assets.
This is a cornerstone for IT asset management best practices.
Recommendation
We recommend that DIT establish an IT asset manager position to manage the County's
IT assets and implement a plan to develop a one through five-year financial forecast
of hardware and software upgrades and replacements for each of the departments
by analyzing the historical information on the County's IT environment, current trends
and future needs.
While the County has implemented several procedures to better manage IT assets, to
fully meet industry best practices, and improve the process of upgrading and replacing
computers and laptops, the IT asset manager should implement a plan to take ownership
of all IT assets.
2. Purchase Request and Approval
Based on the PC/Laptop Quote Spec Sheet Instructions, DIT electronically receives
and approves standard and exception requests for new computer or laptop purchases.
Based on the Department of Finance Purchasing Manual, purchases up to $1,000 can be
purchased at the department level while small purchases greater than $1,000 are processed
by the Department of Finance, Purchasing Division. The Purchasing Division requires DIT
to approve the PC /Laptop Quote Spec Sheet. There is no requirement for the PC/Laptop
Quote Spec Sheet to be completed and approved for computer and laptop purchases up to
$1,000.
Software up to $1,000 can be purchased at the department level with little or no involvement
from DIT. After the purchasing department receives the software purchases, DIT is often
requested to install and support third party software. This can lead to system instability,
helpdesk inefficiencies, and security concerns.
County of Hawaii
Observations and Recommendations
DIT stated that they are planning to issue a memo to Department heads and managers
that explain the Price Term Agreement and provides guidance on working with DIT for
purchasing hardware and software. Unlike a quote that may expire or be changed at
any time, a Price Term Agreement is a fixed price for a specified period of time.
The Windows XP upgrade project provided an opportunity for DIT to start restricting County
employees from installing software without DIT involvement. To reduce the likelihood of
accidental installations of malware or other concealed harmful programs, DIT was made
aware of new installations and had the ability to prohibit software that posed a software
compliance or security concern for the County. However, this process will not prevent the
departments from continuing to purchase software without DIT's knowledge and may lead
to unused software if DIT prohibits the installation.
DIT is using an automated network and software inventory system to maintain a listing of
software installations and is internally managing an "approved" and "unauthorized" software
listing. No formal written, County -wide policy is in place to maintain an approved software
listing. The County -Issued Technology Device (IT acceptable use) policy does not prohibit
the installation of unsupported software on the County's computing property and connection
of unauthorized devices on the County network.
In accordance with the IAITAM Best Practice Library, Volume 10, Acquisition, an effective
request and approval process is an important step in reaching asset management goals
and should be the only method to purchase IT assets.
In accordance with the IAITAM Best Practices Library, Volume 1, Program Management
Process, "the IT asset manager must ensure that standards for software are defined and
maintained in a way that standards are reviewed frequently, published and explained, and
meets the needs of end users."
Recommendation
DIT stated that they are planning to issue a memo to Department heads with guidance
on working with DIT for purchasing hardware and software. Once the IT asset manager
position is established, DIT should implement a plan to take ownership of all IT assets to
ensure DIT is aware of all computer and software purchases and the standard request
and approval process is followed.
Installation of unapproved software is a potential security concern if the software is at
the end -of -life or a method for installing security or software updates is not implemented.
Unapproved software can cause conflicts with other supported software and could lead to
system instability.
We recommend DIT implement a policy to maintain an approved software listing and
communicate the risks to the departments. The policy should include an annual review of
the listing to ensure that software listed is still relevant and does not pose a security concern
to the County. A review process should be implemented to respond to requests for software
titles that are not currently in the supported software listing.
We also recommend DIT update the County -Issued Technology Device policy to include
prohibiting users from installing non -supported software and adding unapproved devices
to the County network.
7
County of Hawaii
Observations and Recommendations
3. Redeployment of Assets
The County has formal written procedures to transfer computers between agencies.
However, there is currently no process in place to identify IT assets that are no longer
in use but may be re -used prior to purchasing new computers or software licenses.
In accordance with the IAITAM Best Practice Library, Volume 10, Acquisition, the
advantages of redeployment are cost savings and return on investment by using
already owned or leased assets and reducing unnecessary purchases.
Recommendation
We recommend that once the IT asset manager position has been established, DIT should
implement a process to identify redeployable assets and to establish County -wide formal
written redeployment procedures to retrieve computers and software licenses that were
installed on computers that were replaced or idle for an extended period of time. The
redeployment of computers and software licenses is often cost-effective, minimizes
unnecessary purchases, reduces over purchasing of assets, and reduces data security
risks.
4. Leasing
Leasing assets is typically not considered by the County when purchasing new computers
or Microsoft Office software. Resolution No. 308-14 authorized the payment of funds for
personal computers and Microsoft Office licenses for DIT to replace computers using an
unsupported or end -of -life operating system. Lease -to -own IT assets were leveraged by
DIT to procure these computers and licenses.
In accordance with the IAITAM Best Practice Library, Volume 10, Acquisition, leasing is
a strategic decision that can enable the organization to gain additional flexibility to handle
unpredictable growth, allow for rapid technical refresh, reduce capital expense, and avoid
disposal and recycling issues.
Recommendation
DIT should continue to evaluate leasing as an option to procure computers and software
licenses for the County.
Hardware and Software Inventory Management
1. Centralized Management System
Based on the Department of Finance Procedures Manual for Inventory, equipment costing
$1,000 or more shall be added to the fixed assets inventory using the Inventory Additions
Worksheet with the exception of controlled assets. The Procedures Manual states,
"Controlled assets are items costing more than $250 but less than $1,000 and are controlled
as if they were capital assets because of their sensitive, portable and theft -prone nature.
Departments shall tag controlled assets in chronological order with inventory tags provided
by the Department of Finance." As noted on the Inventory Additions Worksheet, the
department and division or location are required information and tracked in the fixed assets
inventory.
:3
County of Hawaii
Observations and Recommendations
IT assets are currently assigned to departments in the fixed assets inventory system rather
than individuals. DIT does not have access to query the fixed assets inventory system.
Therefore, DIT implemented an automated network and software inventory system that
discovers and tracks computers connected to the County network or added to the County
directory services. DIT investigates any new, unknown computers or software installations
and performs remediation procedures if necessary.
The system tracks specific details on the computers including the last user who logged in.
Based on a report from the automated network and software inventory system received
on April 24, 2015, nearly one quarter of computers (356 out of 1,116 or 23 percent) had
duplicate logged -in last users. Since users are allowed to login to multiple computers, the
last user who logged in may not always be the user. For example, if a user logged into their
primary computer in the morning to check e-mail then logged into a shared kiosk to enter
transactions, both computers will show the user as the last user who logged into both
computers. As such, DIT may find it difficult to determine if the user is responsible for
both computers.
There are no County -wide formal written procedures in place to assign a user to IT assets in
a centralized database. A user is an individual who mutually agrees to be held accountable
for the safeguarding of the assigned IT asset. Currently, the departments maintain their own
IT asset inventory listing. Therefore, users assigned to specific IT assets are managed at
the department level and are not tracked in the centralized fixed assets inventory system.
In accordance with the IAITAM Best Practice Library, Volume 6, Documentation
Management, IT assets should be maintained in a centralized database and linked
to contracts, locations, users and licenses.
The IAITAM Best Practice Library, Volume 11, Asset Identification, states that the IT asset
manager should be responsible for tracking the location and status of IT assets from the
moment they enter the organization until the time that they are disposed of. Additionally,
the IT asset manager should be responsible for automating the asset tracking system to
facilitate speed, reduce physical labor costs, and provide a real-time view of assets.
Recommendation
We recommend DIT track users in a centralized database. Not tracking users in a
centralized database may increase the County's security exposure since DIT may not
be able to determine if computers are in use or locate assets. In addition, DIT may have
difficulty holding employees accountable for the protection of assets and inappropriate
activities. Unused computers are candidates for redeployment and may unnecessarily
consume software licenses. From a software compliance perspective, software end-user
licensing agreements can be tied to users instead of computers, and DIT may not be able
to determine the appropriate license counts without knowing the assigned users.
County of Hawaii
Observations and Recommendations
The fixed assets inventory system is not accessible to DIT and the automated network and
software inventory system is not used to track the user. Therefore, we recommend that
once the IT asset manager position is established, DIT should implement a plan to identify
a centralized database that has the ability to track users whether it is the fixed assets
inventory system, the automated network and software inventory system, or another IT
asset management inventory system. After a product has been identified, the IT asset
manager should implement County -wide written procedures to centrally track users for
all IT assets.
2. Receiving and Accepting
The Director of IT and Information Systems Program Manager stated that computers and
software are typically not received and accepted centrally by DIT; instead, they are shipped
to the department requesting the purchase. Therefore, the automated network and software
inventory system was implemented to discover and track computers connected to the
County network or added to the County directory services.
In accordance with the IAITAM Best Practice Library, Volume 11, Asset Identification, the
IT asset manager should be aware of any new IT asset before it is implemented into the
environment and the asset should be easily tracked by a discovery tool.
The IAITAM Best Practice Library, Volume 10, Acquisition, states that when assets are
purchased and brought into the organization without the knowledge of the IT asset manager,
it is difficult to support those assets and to preserve software compliance.
Recommendation
We recommend DIT implement a plan to centrally receive and accept all IT assets to
ensure DIT is aware of new computers or software before they are introduced into the
County environment.
3. Annual Physical Inventory
The Department of Finance Procedures Manual for Inventory requires each department
and agency to conduct an annual inventory. This inventory consists of making physical
checks of items on hand and comparing these items with the proper records to verify the
accuracy.
At year-end, the Department of Finance, Property Management Division, sends the "Fixed
Asset Detail Report — By Fund" to the various departments. The department heads then
certify that the reports are accurate on the "Certificate of Custodian" form.
DIT does not reconcile the inventory of computers and software maintained in the
automated network and software inventory system with the IT assets listed on the
Fixed Asset Detail Report to ensure both listings are accurate and complete.
In accordance with the IAITAM Best Practice Library, Volume 11, Asset Identification,
organizations should commit to a physical audit strategy that is appropriate for the size
of the company, the geographical issues and the critical nature of the asset type.
10
County of Hawaii
Observations and Recommendations
Recommendation
We recommend DIT periodically reconcile IT assets listed on the Fixed Asset Detail Report
with the automated network and software inventory system to ensure all IT assets are
properly recorded and included in the annual physical inventory. Any discrepancies should
be investigated and resolved immediately.
Hardware and Software Security
1. Secured Disposal
Effective January 1, 2007, Chapter 487R, Hawaii Revised Statues required "government
units in the State of Hawaii to take reasonable measures to protect against unauthorized
access to personal information after the government unit has disposed of it." To comply
with HRS Chapter 487R, the County's Committee on the Destruction of Records issued the
"Electronic Records Destruction Policy for Computer and Electronic Media" on October 1,
2007 that requires all electronic records including hard drives containing personal
information to be transferred to DIT for proper destruction.
The Director of IT was not aware of the policy since it was implemented prior to his
appointed position in 2013. Furthermore, the policy was not stored centrally with other
IT policies on the County's internal website. The policy has since been added to the
County's internal website.
The "Electronic Records Destruction Policy for Computer and Electronic Media" states
that DIT is responsible for maintaining a record of destruction of electronic records and
to ensure compliance with the policy when any computer hard drives or electronic media
are transferred or disposed of. In July 2015, DIT implemented a procedure to maintain a
"Master Hard Drive Destruction Log" to record the destruction date, method of destruction,
computer and hard drive serial number, department, last user, and date the hard drive was
retrieved by DIT. The Director of IT affirmed the standard operating procedure for computer
replacements during the Windows XP upgrade project was to remove hard drives from
obsolete computers or retrieve computers that could be upgraded and redeployed. Hard
drives would be stored with DIT, and later demagnetized and physically destroyed using a
MediaVise Compact. These procedures comply with the "Electronic Records Destruction
Policy for Computer and Electronic Media" requirements.
Since approximately 600 computers were purchased for the Windows XP upgrade project,
DIT was provided a temporary computer deployment location for the storage of IT assets.
The facility is a shared location with other departments and is used to store certain records
and files. Therefore, the area provided to DIT is not a dedicated space and is accessible by
five other departments. Although we observed that the entrance and exit doors are locked,
the facility is not protected by an alarm system or electronic locks, and there are no closed
circuit television or video recording devices. Hard drives identified for disposal are not
separately secured in a locked area and are only tracked and logged after destruction.
Hence, IT equipment and media with possible confidential or sensitive data is not
appropriately safeguarded from loss or theft.
11
County of Hawaii
Observations and Recommendations
In accordance with the IAITAM Best Practice Library, Volume 12, Disposal Management,
the organization should dispose of assets securely and disposal requirements are identified
and understood. Data should be extracted and wiped or destroyed from hardware prior to
disposal. Disposed assets should be accurately tracked at the serial number or asset tag
level and certificates of disposition and data destruction should be maintained.
In addition, the IAITAM Best Practice Library, Volume 11, Asset Identification, states that
the IT asset manager should be responsible for tracking IT assets from the moment they
enter the organization until the time that they are disposed of.
Recommendation
We understand that the Director of IT plans to issue a memo with the "Electronic Records
Destruction Policy for Computer and Electronic Media" to the Department heads and
managers requiring the transfer of all obsolete hard drives to DIT for destruction. We
recommend the County review this policy at least annually and update accordingly.
We also understand that the current computer deployment location is temporary. However,
if DIT continues to use the facility, we recommend that additional physical security controls
be implemented to safeguard IT assets and media from loss or theft.
12
Management's Response
William P. Kenoi
Mayor
Walter K. M. Lau
Managing Director
October 30, 2015
County of Hawaii
DEPARTMENT OF INFORMATION TECHNOLOGY
25 Aupuni Street + Hilo, Hawaii 96720-4252
(808) 932-2960 • Fax (808) 981-2037
Donald F. Jacobs, Jr.
Director
TO: Bonnie Nims, Legislative Auditor
FROM: Don Jacobs, Director of Information Technology
RE: Response to County of Hawaii's Information Technology Asset Management Performance
Audit Report
Thank you for the opportunity to provide our response to the audit recommendations.
Hardware and Software Lifecycle Management
1. L bQ ades and Replacements
Recommendation: We recommend that DIT establish an IT asset manager position to manage the
County's IT assets and implement a plan to develop a one through five-year financial forecast of
hardware and software upgrades and replacements for each of the departments by analyzing the
historical information on the County's IT environment, current trends and future needs.
While the County has implemented several procedures to better manage IT assets, to fully meet
industry best practices and improve the process of upgrading and replacing computers and
laptops, the IT asset manager should implement a plan to take ownership of all IT assets.
Response: The department of Information Technology (Department of IT) will consider
establishing an IT asset manager position as it works on preparing the fiscal year 2017 budget.
We will continue to evaluate the County's needs based on the age of PCs and continue to work on
solutions to plan our software needs. In general the County of Hawaii owns all assets, but
departments are responsible for assets. There are several factors that will need to be evaluated
before this can fully be implemented, for example who will be responsible for missing assets.
2. Purchase Request and Approval
Recommendation: DIT stated that they are planning to issue a memo to Department heads with
guidance on working with DIT for purchasing hardware and software. Once the IT asset manager
position is established, DIT should implement a plan to take ownership of all IT assets to ensure
DIT is aware of all computer and software purchases and the standard request and approval
process is followed.
Hawaii County is an Equal Opportunity Provider and Employer
Installation of unapproved software is a potential security concern if the software is at the end -of -
life or a method for installing security or software updates is not implemented. Unapproved
software can cause conflicts with other supported software and could lead to system instability.
We recommend DIT implement a policy to maintain an approved software listing and
communicate the risks to the departments. The policy should include an annual review of the
listing to ensure that software listed is still relevant and does not pose a security concern to the
County. A review process should be implemented to respond to requests for software titles that
are not currently in the supported software listing.
We also recommend DIT update the County -Issued Technology Device policy to include
prohibiting users from installing non -supported software and adding un -approved devices to the
County network.
Response: We have issued the memo with guidance on the purchase of hardware and software.
We do not believe that we have a high risk of the installation of unapproved software since our
users do not have administrative rights to do this. Our department does maintain a list of
approved software. This list will be posted on our Intranet for users to review. We will review
and update our County -Issued Technology Device policy as needed.
3. Redeployment of Assets
Recommendation: We recommend that once the IT asset manager position has been established,
DIT should implement a process to identify re -deployable assets and to establish County -wide
formal written redeployment procedures to retrieve computers and software licenses that were
installed on computers that were replaced or idle for an extended period of time. The
redeployment of computers and software licenses is often cost-effective, minimizes unnecessary
purchases, reduces over purchasing of assets and reduces data security risks.
Response: The Department of IT has identified re -deployable assets during our recent mass
upgrade. We also have tools in place to identify these assets that are connected to the network.
We will work on formalizing our processes and procedures. We have already modified our
software licensing terms so that the licenses for standard software packages no longer reside on
PCs.
4. Leasing
Recommendation: DIT should continue to evaluate leasing as an option to procure computers and
software licenses for the County.
Response: The County currently does financing leases for many of its assets including our PCs
and large applications.
Hardware and Software Inventory Management
Centralized Management System+
Recommendation: We recommend DIT track users in a centralized database. Not tracking users
in a centralized database may increase the County's security exposure since DIT may not be able
to determine if computers are in use or locate assets. In addition, DIT may have difficulty holding
employees accountable for the protection of assets and inappropriate activities. Unused computers
are candidates for redeployment and may unnecessarily consume software licenses. From a
software compliance perspective, software end-user licensing agreements can be tied to users
instead of computers, and DIT may not be able to determine the appropriate license counts
without knowing the assigned users.
The fixed assets inventory system is not accessible to DIT and the automated network and
software inventory system is not used to track the user. Therefore, we recommend that once the
IT asset manager position is established, DIT should implement a plan to identify a centralized
database that has the ability to track users whether it is the fixed assets inventory system, the
automated network and software inventory system, or another IT asset management inventory
system. After a product has been identified, the IT asset manager should implement County -wide
written procedures to centrally track users for all IT assets.
Response: Each department maintains listings of users and associated PCs and other assets.
Currently the departments are tasked with the responsibility of ensuring asset security. We will
work towards integrating the primary user name into our network inventory system to assist both
IT and the departments.
1. Receiving and Accepting
Recommendation: We recommend DIT implement a plan to centrally receive and accept all IT
assets to ensure DIT is aware of new computers or software before they are introduced into the
County environment.
Response: No IT assets can be introduced into the County IT environment without coordinating
this with IT because of established network security procedures.
2. Annual Physical Inventory
Recommendation: We recommend DIT periodically reconcile IT assets listed on the Fixed Asset
Detail Report with the automated network and software inventory system to ensure all IT assets
are property recorded and included in the annual physical inventory. Any discrepancies should
be investigated and resolved immediately.
Response: We will work on implementing this recommendation as staffing and time permits.
Hardware and Software Security
1. Secured Dis osal
Recommendation: We understand that the Director of IT plans to issue a memo with the
"Electronic Records Destruction Policy for Computer and Electronic Media" to the Department
heads and managers requiring the transfer of all obsolete hard drives to DIT for destruction. We
recommend the County review this policy at least annually and updated accordingly.
We also understand that the current computer deployment location is temporary. However, if DIT
continues to use the facility, we recommend that additional physical security controls be
implemented to safeguard IT assets and media from loss or theft.
Response: We are currently in the process of issuing the memo as recommended. We will be
acquiring media secured locked cabinets to ensure protection from loss or theft.
you have any questions, please feel free to contact me at 932-2975.
— rl-�' -
Donald F. Jacobs, Jr.
Director