Institutional Federal Compliance Report 2021

Division of the Budget

NEW YORK STATE OF OPPORTUNITY

ANDREW M. CUOMO Governor

ROBERT F. MUJICA JR. Director of the Budget

SANDRA L BEATTIE Deputy Director


Observation 1: For seven new users who gained access to the SFS application, formal request and approval documentation was not provided.

Recommendation: SFS management should take the necessary steps (including re-education of system administrators on user provisioning procedures) to ensure that for any instance of new or modified access, a formalized access security request form is approved, documented, and retained. This process should be followed for all agencies and accounts, including internal and external employees, vendors/contractors, and system/generic IDs.

Action Taken: Recommendation Implemented. SFS management continues to re-educate SFS system administrators on SFS user provisioning protocols to ensure that for any instance of new or modified access, a formalized access security request form is approved, documented, and retained. This process is followed for all agencies and accounts, including internal and external employees, vendors/contractors, and system/generic IDs. To help agencies maintain a consistent security process, SFS provided a sample provisioning process to agencies in August 2017. Agency responsibilities for SFS security were discussed with agency staff in August and October 2017, and remain a regular topic of communication with the agencies.

Observation 2: For 8 of 25 terminated employees sampled, access to the SFS application was not removed timely (generally, greater than one week after termination).

Recommendation: SFS management should re-educate and emphasize to the respective agency security administrators (ASAs) the procedures to be followed upon termination of employment. Additionally, SFS management should implement a control to periodically review a list of employees with a termination status out of PayServ to determine whether access to SFS has been revoked. For any terminated employee noted with active access, SFS management should follow up with the respective agency for resolution.

Action Taken: Recommendation Implemented. SFS continues to communicate to agency SFS administrators that accounts should be locked on the day of termination or retirement, and no later than one week after. In addition, SFS is working with the Office of the State Comptroller (OSC) to receive more timely and complete PayServ data, which will allow SFS to take action itself when agencies have not locked the accounts of terminated or retired users. Since April 2017, based upon the PayServ data, SFS has been locking the accounts of terminated or retired users, notifying the agencies concerned, and reminding them of their responsibilities in this area.
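The periodic review control described under Observation 2 (compare the HR termination feed against application accounts, flag any account still active more than one week after the owner's termination, and route the exceptions to the responsible agency) can be expressed as a small reconciliation script. The following is an added illustration written for this page; it is not SFS or Division of the Budget code, and the record layouts, field names, agency names and sample rows are constructed for the example rather than taken from PayServ or SFS. It also covers the cases a reviewer would want handled: an account locked before the termination date, one locked but with no recorded lock date, a termination still inside the one-week window, and a generic/system ID with no HR record.

```python
"""Reconcile an HR termination feed against application accounts.

Added example for the terminated-user review control. All types, field
names and sample records below are constructed for illustration and do
not reflect the real PayServ or SFS data formats.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

GRACE_DAYS = 7  # lock on the day of termination, but no later than one week after


@dataclass(frozen=True)
class Termination:          # one row of the (constructed) HR termination feed
    employee_id: str
    agency: str
    term_date: date


@dataclass(frozen=True)
class Account:              # one row of the (constructed) application account export
    user_id: str
    employee_id: Optional[str]   # None for system/generic IDs with no HR record
    agency: str
    locked: bool
    locked_on: Optional[date]    # None when the lock date was not recorded


@dataclass(frozen=True)
class Finding:
    user_id: str
    employee_id: str
    agency: str
    term_date: date
    days_open: int
    status: str   # "still_active", "locked_late" or "locked_date_unknown"


def reconcile(terminations: List[Termination], accounts: List[Account],
              as_of: date) -> List[Finding]:
    """Return one finding per account that outlived its owner's termination
    by more than GRACE_DAYS, or whose lock date cannot be verified."""
    by_emp: Dict[str, List[Account]] = {}
    for acct in accounts:
        if acct.employee_id is not None:      # generic IDs are reviewed separately
            by_emp.setdefault(acct.employee_id, []).append(acct)

    findings: List[Finding] = []
    for term in terminations:
        for acct in by_emp.get(term.employee_id, []):
            if acct.locked and acct.locked_on is None:
                # Locked, but no date on record: the agency must confirm timeliness.
                days_open = (as_of - term.term_date).days
                status = "locked_date_unknown"
            elif acct.locked:
                days_open = (acct.locked_on - term.term_date).days
                if days_open <= GRACE_DAYS:
                    continue                  # locked on time (or before termination)
                status = "locked_late"
            else:
                days_open = (as_of - term.term_date).days
                if days_open <= GRACE_DAYS:
                    continue                  # still inside the one-week window
                status = "still_active"
            findings.append(Finding(acct.user_id, term.employee_id, acct.agency,
                                    term.term_date, days_open, status))
    # Worst exceptions first within each agency, the order follow-up is sent.
    return sorted(findings, key=lambda f: (f.agency, -f.days_open))


def group_by_agency(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Bucket findings by agency so each ASA receives only its own exceptions."""
    out: Dict[str, List[Finding]] = {}
    for f in findings:
        out.setdefault(f.agency, []).append(f)
    return out


# Constructed sample input (not real data).
AS_OF = date(2021, 3, 31)
TERMINATIONS = [
    Termination("E100", "AgencyA", date(2021, 3, 1)),
    Termination("E101", "AgencyA", date(2021, 3, 1)),
    Termination("E102", "AgencyB", date(2021, 3, 10)),
    Termination("E103", "AgencyB", date(2021, 3, 28)),
    Termination("E104", "AgencyC", date(2021, 3, 2)),
    Termination("E105", "AgencyC", date(2021, 3, 5)),
]
ACCOUNTS = [
    Account("alice", "E100", "AgencyA", True, date(2021, 3, 1)),   # locked same day
    Account("bob", "E101", "AgencyA", True, date(2021, 3, 12)),    # locked 11 days later
    Account("carol", "E102", "AgencyB", False, None),               # still active, 21 days
    Account("dave", "E103", "AgencyB", False, None),                # 3 days, inside window
    Account("erin", "E104", "AgencyC", True, date(2021, 2, 26)),   # locked before termination
    Account("frank", "E105", "AgencyC", True, None),                # locked, date not recorded
    Account("batch_svc", None, "AgencyA", False, None),             # generic ID, no HR record
]


def run_sample() -> List[Finding]:
    return reconcile(TERMINATIONS, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for agency, items in group_by_agency(run_sample()).items():
        for f in items:
            print(f"{agency:8} {f.user_id:10} {f.status:20} {f.days_open:3} days "
                  f"(terminated {f.term_date})")
```

On the sample above the script reports three exceptions: `bob` (locked late), `carol` (still active) and `frank` (locked, date unverified); `alice`, `erin` and `dave` are compliant or still inside the window, and `batch_svc` is skipped because it has no HR record and belongs in the separate generic-ID review. A real run would replace the constructed lists with the HR feed and account export, and the `as_of` date with the run date.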

State Capitol | Albany, NY 12224 | www.budget.ny.gov
