Institutional Federal Compliance Report 2021
2019-004
Finding: Untimely removal of logical access and deficiencies in user access reviews
Severity of Control Deficiency: Significant Deficiency (Unremediated as of March 31, 2019)
Background
The State of New York comprises multiple State Agencies (SFS, ERS, LATS, eMedNY, and Café) and Entities (DTF, DOL, HESC, OTDA) that share responsibility for logical access to systems with the centralized Office of Information Technology Services (ITS). When an employee or contractor no longer requires access to a specific system or application, the State Agency/Entity is generally responsible for notifying its IT department or ITS so that the user's access is removed on a timely basis. The State Agency/Entity is also responsible for performing a periodic user access review as an additional check that the users of certain systems and applications remain appropriate.
Observations
During our audit of general information technology controls, we noted several instances of untimely de-provisioning, where user access was terminated more than 5 days after the user ended employment with the State or otherwise ceased to need access to the specified system. This finding was noted in twelve IT environments across the State of New York (eMedNY, Café, SFS, UI, ACS, ERS, ITS, DMCS, GSL, eMPIRE, CARTs and LATs). In general, the exception occurred because management at the State Agency/Entity did not notify its IT department or ITS in a timely manner; the notification was sometimes only a few days late, but for some samples tested it was several months late. Accordingly, the audit team examined system evidence and determined that none of the user accounts identified as exceptions were accessed after the individual's termination date.
We also noted several instances where user access reviews were not performed in a timely manner, access changes identified by a review were not made in a timely manner, or no review was performed at all during the period. This finding was noted in seven IT environments across the State of New York (PayServ, ERS, DTF, eMedNY, LATs, DMCS, and UI).
Risk
When accounts are not disabled and/or removed in a timely manner, there is an increased risk that former employees or contractors retain inappropriate access to applications and related infrastructure, increasing the risk of error or fraud. When periodic reviews of user access rights are not performed, or access rights that a review determines to be inappropriate are not modified or removed in a timely manner, there is likewise an increased risk that users hold inappropriate access to applications and related infrastructure, increasing the risk of error or fraud.
Recommendations
The State should strengthen controls or add monitoring controls to ensure management personnel at the State Agencies/Entities are notifying their respective IT departments or ITS, as applicable, on a timely basis when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State.
State Agencies/Entities should ensure that user access reviews are completed on a timely basis and that all access changes resulting from a review are made on a timely basis.
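The monitoring control the recommendation calls for can be implemented as a recurring reconciliation of the HR separation feed against the identity system's disable events and the authentication log, which is also the test the audit team performed to confirm that no excepted account was used after termination. The script below is an added example, not part of the report or of any State system; the user names, dates, log format and the field names `user=` and `result=` are all constructed for illustration. It applies the report's own threshold (removal more than 5 days after the separation date is an exception) and additionally flags accounts that were never disabled and any successful login after the separation date.

```python
"""Reconcile HR separations against account-disable events and an auth log.

Added example with constructed data; not taken from the audit report.
Flags three conditions per separated user:
  - not_disabled:            no disable event exists for the account
  - untimely_removal:        disabled more than max_lag after separation
  - post_separation_access:  successful login after the separation date
"""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta, timezone

MAX_REMOVAL_LAG = timedelta(days=5)  # threshold used in the finding

# Constructed HR feed: account name -> last day the person needed access.
SEPARATIONS = {
    "alice": date(2019, 2, 1),
    "bob":   date(2019, 1, 10),
    "carol": date(2019, 2, 15),
    "dave":  date(2019, 3, 1),
}

# Constructed IAM audit trail: (account, time the account was disabled).
# carol has no entry at all, which is the worst case the report describes.
DISABLE_EVENTS = [
    ("alice", datetime(2019, 2, 3, 9, 0, tzinfo=timezone.utc)),
    ("bob",   datetime(2019, 3, 20, 14, 30, tzinfo=timezone.utc)),
    ("dave",  datetime(2019, 3, 6, 17, 45, tzinfo=timezone.utc)),
]

# Constructed authentication log in a hypothetical syslog-like format.
AUTH_LOG = """\
2019-01-09T08:12:03Z user=bob result=SUCCESS src=10.1.2.3
2019-01-14T07:55:41Z user=bob result=SUCCESS src=10.1.2.9
2019-02-01T16:02:10Z user=alice result=SUCCESS src=10.1.3.4
2019-02-14T11:20:00Z user=carol result=SUCCESS src=10.1.4.1
2019-02-20T10:05:17Z user=carol result=FAILURE src=10.1.4.1
2019-02-28T09:30:00Z user=dave result=SUCCESS src=10.1.5.7
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse_auth_log(text):
    """Return (timestamp, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["result"]))
    return events


def reconcile(separations, disable_events, auth_text, max_lag=MAX_REMOVAL_LAG):
    """Return a list of finding dicts, one per condition per user, sorted by user."""
    disabled_on = {}
    for user, ts in disable_events:
        # The earliest disable event is the one that matters for the lag.
        if user not in disabled_on or ts < disabled_on[user]:
            disabled_on[user] = ts

    successes = defaultdict(list)
    for ts, user, result in parse_auth_log(auth_text):
        if result == "SUCCESS":          # failed attempts prove nothing about access
            successes[user].append(ts)

    findings = []
    for user, last_day in sorted(separations.items()):
        ts = disabled_on.get(user)
        if ts is None:
            findings.append({"user": user, "issue": "not_disabled"})
        else:
            lag = ts.date() - last_day
            if lag > max_lag:            # "more than 5 days", so exactly 5 is not an exception
                findings.append({"user": user, "issue": "untimely_removal",
                                 "lag_days": lag.days})
        after = [t for t in successes[user] if t.date() > last_day]
        if after:
            findings.append({"user": user, "issue": "post_separation_access",
                             "logins": [t.isoformat() for t in after]})
    return findings


if __name__ == "__main__":
    for f in reconcile(SEPARATIONS, DISABLE_EVENTS, AUTH_LOG):
        print(f)
```

With the constructed data, alice (disabled 2 days after separation) and dave (disabled exactly 5 days after) produce no findings, bob is flagged twice (removed 69 days late and a successful login four days after separation), and carol is flagged as never disabled. In production the same three checks run against the real HR feed and IAM exports, and any post_separation_access hit is the one that warrants an incident ticket rather than just a control exception.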