REPORT DIGEST
DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
BUREAU OF COMMUNICATION AND COMPUTER SERVICES
THIRD PARTY REVIEW
For the Year Ended: June 30, 2006
Release Date: July 12, 2006

State of Illinois
Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General
Iles Park Plaza
740 E. Ash Street
Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at http://www.state.il.us/auditor
INTRODUCTION

The Department of Central Management Services' (Department) Bureau of Communication and Computer Services carries out statutory responsibilities relating to data processing and telecommunication services (20 ILCS 405/405-10; 20 ILCS 405/405-20; 20 ILCS 405/405-250; 20 ILCS 405/405-255; 20 ILCS 405/405-260; 20 ILCS 405/405-270 and 20 ILCS 405/405-410). To fulfill its responsibilities, the Department operates the Central Computer Facility (CCF), the Communications Center, and branch facilities. Through its facilities, the Department provides data processing services to approximately 98 user entities.

The Department is mandated to manage or delegate the management of the procurement, retention, installation, maintenance, and operation of all electronic data processing equipment used by State agencies, to achieve maximum economy consistent with development of adequate and timely information in a form suitable for management analysis, in a manner that provides for adequate security protection and back-up facilities for that equipment.

The CCF functions as a service organization providing computing and telecommunication resources for State agencies' use. The Department and the agencies that use the Department's computer resources share the responsibility for maintaining the integrity and security of computerized data and functions.

We reviewed data processing general controls at the Department primarily during the period from January 3, 2006 to May 26, 2006. We performed tests to determine compliance with policies and procedures, conducted interviews, performed observations, and identified specific control objectives and procedures we considered necessary to evaluate the controls.

We also reviewed application controls for systems maintained by the Department for State agencies' use. The systems reviewed were the Accounting Information, Central Payroll, Central Inventory, and Central Time and Attendance Systems.
ILLINOIS DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
BUREAU OF COMMUNICATION AND COMPUTER SERVICES
STATISTICS (2006)

Mainframes
    3 units, configured as 10 production systems and 4 test systems
    1 unit, configured for disaster recovery

Services/Workload
    Impact printing: 3.79 million lines per month
    Laser printing: 16 million pages per month

State Agency Users
    98

Bureau Employees
    2003: 307
    2004: 303
    2005: 775*
    2006: 777
    * Increase due to IT consolidation into the Department per Public Act 93-25

Historical Growth Trend** (MIPS = Million Instructions Per Second)
    2003: 2,700 MIPS
    2004: 3,614 MIPS
    2005: 3,217 MIPS
    2006: 3,217 MIPS
    ** Measured in the month of April for each year listed

Information provided by the Department - Unaudited
DEPARTMENT DIRECTOR AND DEPUTY DIRECTOR/BUREAU MANAGER

During Audit Period:
    Director: Paul Campbell
    Deputy Director/Bureau Manager: Jay Carlson (7/1/2005 to 11/7/2005)

Currently:
    Director: Paul Campbell
    Deputy Director/Bureau Manager: Tony Daniels (11/8/2005 to present)
Risk of unauthorized and not suitably tested changes to systems

Security framework not sufficiently developed or implemented

State lacks disaster preparedness
REPORT SUMMARY

We identified two reportable conditions for which we could not obtain reasonable assurance over the controls.

Change Management Process

The Department did not follow the approved change management process it implemented in 2004, has not updated its change management policies and procedures, and has not developed a mechanism to ensure all changes follow the approved process. In addition, the approved change management process has not been implemented across all platforms. As a result, the current change management process lacks consistency and does not ensure all changes are sufficiently controlled.

The lack of compliance with the approved change management process leaves the Department exposed to the risk of unauthorized and not suitably tested changes to systems. The Department should update policies and procedures to govern the approved change management process and ensure compliance. (page 6)

The Department concurred with our recommendation. Department officials stated the Bureau is in the process of implementing a formal change management framework.

Security Framework

The Department has the primary responsibility for providing IT services to State Government. Thus, it is imperative the Department implement a framework to promote and apply prudent, comprehensive, and effective security practices. The expanding use of information technology, increased sharing of sensitive information, and emerging IT risks make it imperative that security be appropriately addressed.

The security framework has not been sufficiently developed or implemented to ensure security is adequately addressed from a Statewide or Departmental perspective. The Department had not updated the various security-related documents since at least February 2003. As a result, the documents do not reflect the current technological environment and have not been updated to address current security concerns.

The Department should thoroughly review and update security policies to address the current technological environment, consolidation issues, and present-day risks. In addition, the Department should formally approve and implement a comprehensive security administration framework, and ensure sufficient resources are allocated to support the framework. (pages 6-7)

The Department concurred with our recommendation. Department officials stated a Policy Review Board will establish updated enterprise policies and procedures that address the legacy and consolidated environments.

Although not covered under audit standards as a reportable condition, the deficiency outlined below may impact the Department's ability to continue processing in the future.

Disaster Contingency Planning

Although the Department has developed some basic strategies to address the disaster contingency needs of the State's Central Computer Facility, the plans and operational provisions need to be enhanced to provide assurance that all of the State's critical applications and network operations can be recovered within required timeframes. The plans are outdated, do not adequately address regional recovery facilities, and have not been adequately tested to determine if they would effectively guide recovery efforts in the event of a disaster.

The State is placing great reliance on the Department's ability to provide data processing and network services in the event of a disaster. As such, comprehensive and thoroughly tested disaster contingency plans are an essential component of recovery efforts. The Department should ensure the necessary components (plans, equipment, and facilities) are available to provide for continuation of critical computer operations in the event of a disaster. In addition, the Department should obtain a suitable regional alternate location for recovery services, and conduct comprehensive tests of the plans on an annual basis. (pages 7-8)

The Department concurred with our recommendation. Department officials stated a comprehensive exercise of all Category One applications is scheduled for July 2006.

AUDITORS' OPINION

With the exception of the two reportable conditions described above, procedures were generally sufficient to provide reasonable, but not absolute, assurance that relevant general and application control objectives were achieved.

____________________________________
WILLIAM G. HOLLAND, Auditor General
WGH:WJS:ap