REPORT DIGEST
DEPARTMENT OF CENTRAL MANAGEMENT SERVICES – BUREAU OF COMMUNICATIONS AND COMPUTER SERVICES
SERVICE ORGANIZATION CONTROL REPORT
For the Year Ended: June 30, 2014
Release Date: July 2014
State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887. This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

This Service Organization Control Report covers the Department of Central Management Services, Bureau of Communications and Computer Services’ State of Illinois Mainframe Information Technology Environment throughout the period July 1, 2013 to June 30, 2014. We examined the Description of System and the suitability of the design and operating effectiveness of controls to meet the security, availability, and processing integrity principles set forth in the 2014 version of TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids).

The Department of Central Management Services’ (Department) Bureau of Communications and Computer Services carries out statutory responsibilities relating to data processing and telecommunication services. The Department provides data processing services to approximately 107 agencies. The Department provides state government agencies, boards, and commissions an Information Technology mainframe infrastructure in which to host their applications and data. The system description herein relates only to the mainframe computing environment and excludes the midrange computing environment.
The Department and the agencies that use the Department’s computer resources share the responsibility for maintaining the processing integrity, availability, and security of computerized data and functions.

We identified three control deficiencies. First, the approved process to control mainframe password resets was not being followed by the Department, resulting in a control deficiency over the process to reset mainframe user passwords. Second, the Department’s Compliance Officer was responsible for monitoring and ensuring compliance with security policies. However, monitoring for compliance had not been conducted, resulting in a control deficiency over procedures to provide that issues of noncompliance with security policies are promptly addressed. Finally, risk assessments are to be performed periodically and, as security threats are identified, they are to be assessed. However, the Department had not conducted risk assessments to identify threats and vulnerabilities and assess their impact, resulting in a control deficiency over the performance of risk assessments. See pages 5 to 9 of the report for additional information.

In our opinion, except for the matters referred to above, the description is fairly stated and the controls were suitably designed.