REPORT DIGEST

DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
BUREAU OF COMMUNICATIONS AND COMPUTER SERVICES
SERVICE ORGANIZATION CONTROL REPORT

For the Year Ended: June 30, 2012
Release Date: July 2012

State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887. This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

This Service Organization Control Report covers the Department of Central Management Services, Bureau of Communications and Computer Services' State of Illinois Information Technology Environment throughout the period July 1, 2011 to June 30, 2012. We examined the Description of System and the suitability of the design and operating effectiveness of controls to meet the security, availability, and processing integrity principles set forth in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, and Processing Integrity (AICPA, Technical Practice Aids).

The Department of Central Management Services' (Department) Bureau of Communications and Computer Services carries out statutory responsibilities relating to data processing and telecommunication services. The Department provides data processing services to approximately 103 user agencies. The Department provides state government agencies, boards, and commissions an Information Technology infrastructure in which to host their applications. The system description herein relates only to the mainframe computing environment and excludes the midrange computing environment. The Department and the agencies that use the Department's computer resources share the responsibility for maintaining the processing integrity, availability, and security of computerized data and functions.
We identified one instance where the Department's control was not sufficient. The change management process for the Accounting Information System, Central Inventory System, Central Payroll System and the Central Time and Attendance System did not provide reasonable assurance that only authorized, tested, and documented changes were made to the systems.

In addition, we identified two control deficiencies. The approved process to control mainframe password resets was not being followed by the Department's Coordinator, resulting in a control deficiency over the process to make changes and updates to user profiles. Also, according to the security policies, the Department and security personnel were responsible for the monitoring, auditing, tracking, and validation of compliance with the policies and procedures. However, the security policies did not define who the security personnel were, and we were unable to determine who within the Department was responsible, resulting in a control deficiency over procedures to provide that issues of noncompliance with security policies were promptly addressed and that corrective measures were taken on a timely basis. See pages 6 to 8 of the report for additional information.

In our opinion, except for the matters referred to above, the description is fairly stated and the controls were suitably designed.

WILLIAM G. HOLLAND
Auditor General