REPORT DIGEST

DEPARTMENT OF CENTRAL MANAGEMENT SERVICES – BUREAU OF COMMUNICATIONS AND COMPUTER SERVICES
SERVICE ORGANIZATION CONTROL REPORT

For the Year Ended: June 30, 2015
Release Date: August 4, 2015

State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887. This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

This Service Organization Control Report covers the Department of Central Management Services, Bureau of Communications and Computer Services’ State of Illinois Mainframe Information Technology Environment throughout the period July 1, 2014 to June 30, 2015. We examined the Description of System and the suitability of the design and operating effectiveness of controls to meet the security, availability, and processing integrity principles set forth in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids).

The Department of Central Management Services’ (Department) Bureau of Communications and Computer Services carries out statutory responsibilities relating to data processing and telecommunication services. The Department provides data processing services to approximately 106 agencies. The Department provides state government agencies, boards, and commissions an Information Technology mainframe infrastructure in which to host their applications and data. The system description herein relates only to the mainframe computing environment and excludes the midrange computing environment. The Department and the agencies that use the Department’s computer resources share the responsibility for maintaining the processing integrity, availability, and security of computerized data and functions.
We identified six control deficiencies.

First, the approved process to control Active Directory password resets was not being followed by the Department, resulting in a control deficiency over the process to reset Active Directory user passwords.

Second, the approved process to control mainframe password resets was not being followed by the Department, resulting in a control deficiency over the process to reset mainframe user passwords.

Third, the Department’s Compliance Officer was responsible for monitoring and ensuring compliance with security policies. However, monitoring for compliance had not been conducted, resulting in a control deficiency over procedures to provide that issues of noncompliance with security policies are promptly addressed.

Fourth, risk assessments are to be performed periodically and, as security threats are identified, they are to be assessed. A limited-scope risk assessment related to the availability of specific applications in the event of an unplanned outage had been conducted by a third-party vendor; however, the Department had not completed any other risk assessments. In addition, the Department had not developed a corrective action plan related to the risks identified by the vendor. Thus, the control over risk assessments was not operating effectively, resulting in a control deficiency over the performance of risk assessments and the implementation of mitigation strategies.

Fifth, documentation to support the approved process for staff to notify the Help Desk and supervisors of security, availability, and processing issues was not provided, resulting in a control deficiency over incident response.

Finally, information on the tools used to monitor the network was not provided, resulting in a control deficiency in the monitoring of network resources.

See pages 5 to 11 of the report for additional information.

In our opinion, except for the matters referred to above, the description is fairly stated and the controls were suitably designed.
WILLIAM G. HOLLAND Auditor General