EXPECTATIONS FROM THE OFFICE OF STATE AUDITOR IN RELATION TO COUNTY (COMPUTER) AUDITS EXCERPTS FROM STATE AUDITOR’S UPDATE 17 JUNE 2014


LANCE BISHOP, ADAMS COUNTY IT DIRECTOR

[email protected] (601) 304-7853

WWW.MSCOUNTYTECH.COM

Due to the increased dependence of financial reporting, as well as daily operations, on information technology, auditing standards increasingly require the testing of controls related to computerized systems and applications.

Well-known examples of government entities experiencing data breaches of information about individual citizens that might lead to identity theft include the state of South Carolina, NASA, and the Clarksville-Montgomery County school system in Tennessee. The largest cyber attack against a state government agency occurred in 2012 in South Carolina and put three quarters of the state's population at risk for identity fraud. A hacker stole a database from the South Carolina Department of Revenue that exposed 3.6 million Social Security numbers and 387,000 payment card records. Confidential information for more than 657,000 businesses was also compromised.

Single fines for state and local agencies from regulatory agencies such as the Department of Health and Human Services and the Office for Civil Rights have reached into the millions of dollars. In addition, credit monitoring and notification of parties affected by breaches have cost states tens of millions of dollars, as well as the possibility of legal action for years to come. In some instances individual personnel have been charged with crimes, including felonies.

The Mississippi Office of the State Auditor has therefore increased the testing of controls around information technology in its audit of counties. The following information technology areas will be some of the areas in which the OSA will be testing to assure that counties are meeting standards associated with financial reporting.

1. Governance

2. Physical Protection of Computer Assets

3. Logical Access to Computer Assets (i.e. User accounts, etc.)

4. Protection of Data

5. Computer Operations

6. Backups

7. Disaster Recovery

8. Change Management

9. Compliance with Applicable Regulations such as HIPAA, state data breach laws, FERPA, etc.

GOVERNANCE

The County should have policies and procedures that pertain to information technology. These policies and procedures should cover such areas as: IT governance, physical security, environmental controls, access controls, network perimeter security, backups, disaster recovery, and change management.

Policies and procedures should be approved by the Board of Supervisors, and employees should acknowledge that they have read and agree to follow these policies and procedures.

WHAT ADAMS COUNTY IS DOING…GOVERNANCE

We have created a computer usage policy and included it in our employee handbook, which all employees must adhere to.

PHYSICAL PROTECTION OF COMPUTER ASSETS

Servers and network infrastructure should be located in a secure, locked room that has limited access and backup power (generator and UPS), backup air-conditioning, and fire suppression that is approved for electronic equipment.

WHAT ADAMS COUNTY IS DOING…PHYSICAL PROTECTION

We have moved our servers to a locked rack down at our EOC building. This provides a secure, limited-access location.

Generator backup power

Small portable A/C unit for cooling

A couple of CO2 fire extinguishers for fire suppression

APC Netbotz 300 (near future) for environmental monitoring

LOGICAL ACCESS TO COMPUTER ASSETS (I.E. USER ACCOUNTS, ETC.)

Counties should retain documentation of requests for access to data assets.

All users are expected to have a unique user-id. In other words, user accounts should not be shared.

Passwords should be changed at least every 90 days.

Passwords should be at least 8 characters long and should contain a number or special character.

Users should not be able to repeatedly use the same password.

Users should not share passwords with other users.

Counties should delete or inactivate user accounts of terminated employees in an expeditious manner.

Access reviews of financial applications and supporting infrastructure should be performed at least once per year and documentation of such review should be retained for audit purposes.

WHAT ADAMS COUNTY IS DOING…LOGICAL ACCESS

We have implemented Microsoft Active Directory (AD). Password policies can be set to meet the requirements.

Setting up Single Sign-On (SSO). This allows the Delta software (AS/400) to authenticate against AD.
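The logical-access expectations above map directly to settings that can be read from Active Directory. The following PowerShell check is an added example, not part of the presentation or Adams County's own configuration; it assumes the RSAT ActiveDirectory module, rights to read the domain, a 90-day inactivity window for the terminated-account review, and a C:\Audit folder for the evidence file.

```powershell
# Added example, not from the presentation: compare the AD domain against the
# OSA logical-access expectations and save the evidence for the audit file.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$MaxAgeDays   = 90   # passwords changed at least every 90 days
$MinLength    = 8    # at least 8 characters
$InactiveDays = 90   # assumed window for "terminated but still enabled" review
$Evidence     = "C:\Audit\AccessReview-$(Get-Date -Format yyyyMMdd).csv"  # assumed path

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @()

# A MaxPasswordAge of 0 means passwords never expire.
if ($policy.MaxPasswordAge.TotalDays -eq 0 -or $policy.MaxPasswordAge.TotalDays -gt $MaxAgeDays) {
    $findings += "MaxPasswordAge is $($policy.MaxPasswordAge.TotalDays) days; expected 1-$MaxAgeDays"
}
if ($policy.MinPasswordLength -lt $MinLength) {
    $findings += "MinPasswordLength is $($policy.MinPasswordLength); expected at least $MinLength"
}
if (-not $policy.ComplexityEnabled) {
    $findings += "Complexity is off; a number or special character is not required"
}
if ($policy.PasswordHistoryCount -lt 1) {
    $findings += "PasswordHistoryCount is 0; users can reuse the same password"
}

# Enabled accounts that bypass the 90-day rule regardless of the domain policy.
$neverExpire = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' |
    Select-Object SamAccountName, @{n='Issue'; e={'PasswordNeverExpires'}}

# Enabled accounts with no logon in the review window (possible terminated employees).
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object Enabled |
    Select-Object SamAccountName, @{n='Issue'; e={"No logon in $InactiveDays days"}}

# Fine-grained password policies (PSOs) override the default for their members; list any that exist.
$psos = Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, MaxPasswordAge, MinPasswordLength, PasswordHistoryCount

$findings | ForEach-Object { Write-Warning $_ }
$psos | Format-Table -AutoSize
@($neverExpire) + @($stale) | Export-Csv -Path $Evidence -NoTypeInformation
"Access review evidence written to $Evidence"
```

The dated CSV and the warnings serve as the retained documentation of the annual access review; a PSO listed at the end must be checked against the same thresholds separately.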

PROTECTION OF DATA

The county should use virus protection that is accepted as best business practice and should update the software on at least a daily basis. The county should use a firewall (a device or software that protects the perimeter of a network or individual computers by watching traffic that enters and leaves the network) that is professionally managed and monitored. Logs of such activity should be kept and reviewed, with documentation of such review retained for audit purposes.

The county should use encryption software to protect information that is on portable devices such as laptops and USB (thumb) drives.

Counties should have a penetration test/vulnerability scan at least every three years or whenever business processes change significantly. These tests are usually conducted by third party vendors that specialize in doing this.

The network of the County should be actively monitored for activity which might indicate unauthorized access to county information assets.

WHAT ADAMS COUNTY IS DOING…PROTECTION OF DATA

Virus Protection - Kaspersky Endpoint Security 10

USB Drives – we do not allow sensitive data to be removed from the county.

Firewall – Dell SonicWALL NSA 2600

Penetration Test – Scheduled

Actively monitored – Our SonicWALL has Intrusion Detection enabled.

COMPUTER OPERATIONS

Financial applications or applications that a should not be operated on hardware or with software that is obsolete (not supported by vendors). For example, support for Windows XP and Office 2003 ended on April 8, 2014.

Operating systems should be updated frequently with vendor-supplied patches in order to avoid hackers taking advantage of vulnerabilities in operating systems.

WHAT ADAMS COUNTY IS DOING…COMPUTER OPERATIONS

We have updated all of our computers to Windows 7 professional.

Updated MS Office to Office 2013.

With the release of MS Windows 10 next month the county will receive the free upgrade to Windows 10.

Our IBM iSeries (AS/400) is running OS Version 7.1 which is current and supported by IBM.

BACKUPS

Backups should be made of the financial applications and the associated operating systems on appropriate cycles.

Backups should be carried offsite and left there for a period that is deemed appropriate so as to allow recovery in case of a disaster.

WHAT ADAMS COUNTY IS DOING…BACKUPS

We have enough tapes to keep a month's worth of daily backups. Recycled monthly – kept in a fire safe in another building

We have enough tapes to keep monthly Full System Saves for a year. Recycled yearly – kept at bank

Every Year at fiscal roll over, we perform another Full System Save. Never reused – kept at bank

DISASTER RECOVERY

The county should have a formal written disaster recovery plan that includes information necessary for recovery of access to computer assets as well as information that will allow business processes of the county to continue during the time that computer assets are not accessible.

WHAT ADAMS COUNTY IS DOING…DISASTER RECOVERY

Our primary focus for Disaster Recovery is Bookkeeping. We utilize Nightshift to provide this solution.

We can roll over to our DR bookkeeping and perform all bookkeeping functions.

CHANGE MANAGEMENT

Documentation for the implementation of new systems or significant upgrades to existing systems should be retained for audit purposes. This would include documentation such as the following:

Data conversion balancing such as record counts and dollar amounts.

Testing.

User approval.

Management approval for go live.

WHAT ADAMS COUNTY IS DOING…CHANGE MANAGEMENT

I generally write a project outline plan to include scheduling, resources and test procedures.

Keeping all documentation for the project in a single folder.

COMPLIANCE WITH APPLICABLE REGULATIONS SUCH AS HIPAA, STATE DATA BREACH LAWS, FERPA, ETC.

Compliance with state and federal regulations related to electronic data will be reviewed in the testing of controls.

LANCE BISHOP, ADAMS COUNTY IT DIRECTOR

[email protected] (601) 304-7853

WWW.MSCOUNTYTECH.COM

QUESTIONS?