REPORT DIGEST

DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
FINANCIAL AUDIT
For the Year Ended June 30, 2014

Release Date: February 19, 2015

FINDINGS THIS AUDIT: 1

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 0 -- 0 -- 0
Category 2: 0 -- 1 -- 1
Category 3: 0 -- 0 -- 0
TOTAL: 0 -- 1 -- 1

FINDINGS LAST AUDIT: 2

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This report covers our financial audit of the Department of Central Management Services for the year ended June 30, 2014. A State compliance examination covering the two years ended June 30, 2015 will be performed next year.

SYNOPSIS

• (14-01) The Department had not implemented effective security controls over all servers in the midrange environment.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE SECURITY AND CONTROL OVER THE MIDRANGE ENVIRONMENT

The Department had not implemented adequate security and controls over the midrange environment.

Although the Department had implemented standards to secure and control the midrange environment, the standards did not require widespread deployment to legacy systems. As such, the Department still had not implemented effective security controls over all servers in the midrange environment.

Upon review, auditors noted standards had not been consistently applied on all servers. Specifically, we noted servers:

• Running unsupported operating systems or service pack versions,
• Without anti-virus software,
• Not properly backed up,
• With deficient password length and content requirements, and
• With administrative and user accounts which did not require passwords.

(Finding 1, pages 60-62) This finding was first reported in 2007.

We recommended the Department should ensure the standards to secure and control the environment are implemented across the midrange environment. The auditors specifically recommended the Department:

(1) ensure all administrative accounts meet password and security standards;
(2) standardize password length and content requirements and ensure all accounts require a password;
(3) update servers to current vendor recommended patch or service pack levels;
(4) ensure all servers are running antivirus software; and
(5) ensure all servers are routinely backed up.

Department officials concurred with our recommendation and stated that they continue to work with other agencies toward standardization and maturity in the midrange environment. (For the previous Department response, see Digest Footnote #1)

AUDITOR’S OPINION

Our auditors stated the Department’s financial statements as of and for the year ended June 30, 2014 are fairly presented in all material respects.

WILLIAM G. HOLLAND
Auditor General

WGH:skm

SPECIAL ASSISTANT AUDITORS

Our Special Assistant Auditors for this audit were Sikich LLP.

DIGEST FOOTNOTES

#1 – Inadequate Security and Control over the Midrange Environment

2013 - The Department concurs with the recommendation. The Department has implemented numerous policies, standards, tools, and procedures to help address these issues, including an ongoing review to ensure all servers are backed up and that there is sufficient documentation of the backups.
We are working with agencies to update their older applications so that we can improve these environments.