REPORT DIGEST

DEPARTMENT OF CENTRAL MANAGEMENT SERVICES -- BUREAU OF COMMUNICATIONS AND COMPUTER SERVICES

SERVICE ORGANIZATION CONTROL REPORT FOR THE YEAR ENDED: JUNE 30, 2016

Release Date: August 18, 2016

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887. This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

This Service Organization Control Report covers the Department of Central Management Services, Bureau of Communications and Computer Services’ State of Illinois Mainframe Information Technology Environment throughout the period July 1, 2015 to June 30, 2016. We examined the Description of System and the suitability of the design and operating effectiveness of controls to meet the security, availability, and processing integrity principles set forth in the TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, or Privacy (AICPA, Trust Services Principles and Criteria).

The Department of Central Management Services’ (Department) Bureau of Communications and Computer Services carries out statutory responsibilities relating to data processing and telecommunication services. The Department provides data processing services to approximately 103 agencies. The Department provides state government agencies, boards, and commissions an Information Technology mainframe infrastructure in which to host their applications and data. The system description herein relates only to the mainframe computing environment and excludes the midrange computing environment.

The Department and the agencies that use the Department’s computer resources share the responsibility for maintaining the processing integrity, availability, and security of computerized data and functions.

During the examination the Service Auditor noted:

• The Department had not conducted periodic risk assessments in order to identify threats and vulnerabilities and assess their impact.
• The approved process to control Active Directory password resets was not being followed.
• The Department was unable to provide the auditors a universe of Active Directory ID modifications.
• The approved process to control mainframe password resets was not being followed by the Department.
• The Department was unable to provide the auditors a universe of mainframe security software ID modifications.
• The Department’s Compliance Officer was responsible for monitoring and ensuring compliance with security policies. However, monitoring for compliance had not been conducted.

See pages 5 to 11 of the report for additional information.

In our opinion, in all material respects, because of the matters referred to in the preceding paragraphs, based on the criteria identified in the Department of Central Management Services, Bureau of Communications and Computer Services’ assertion:

a. the description does not fairly present the system that was designed and implemented throughout the period July 1, 2015 to June 30, 2016.

b. the controls stated in the description were not suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls operated effectively throughout the period July 1, 2015 to June 30, 2016, user entities applied the complementary user entity control contemplated in the design of the Department’s controls throughout the period July 1, 2015 to June 30, 2016, and the subservice organization applied the types of controls expected to be implemented at the subservice organization throughout the period July 1, 2015 to June 30, 2016.

c. the controls tested, which were those necessary to provide reasonable assurance that the applicable trust services criteria were met, did not operate effectively throughout the period July 1, 2015 to June 30, 2016, if the user entities applied the complementary user entity control contemplated in the design of the Department’s controls throughout the period July 1, 2015 to June 30, 2016, and if the controls expected to be implemented at the subservice organization were also operating effectively throughout the period July 1, 2015 to June 30, 2016.

FRANK J. MAUTINO
Auditor General