REPORT
DIGEST

DEPARTMENT OF STATE POLICE

FINANCIAL AND COMPLIANCE AUDIT
(In Accordance with the Federal Single Audit Act and OMB Circular A-133)
For the Two Years Ended:
June 30, 1998

Summary of Findings:

Total this audit: 10
Total last audit: 5
Repeated from last audit: 4

Release Date:
April 15, 1999


State of Illinois
Office of the Auditor General

WILLIAM G. HOLLAND
AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General
Attn: Records Manager
Iles Park Plaza
740 E. Ash Street
Springfield, IL 62703
(217) 782-6046 or TDD (217) 524-4646

This Report Digest is also available on
the worldwide web at
http://www.state.il.us/auditor

SYNOPSIS

  • The Department has not established adequate computer security controls over local area networks (LANs). The Department has approximately 800 LAN users and an investment of about $2 million in LAN computer hardware and software. This condition has existed since 1986.
  • Although inventory levels have been reduced, the Department still maintains certain inventories representing an approximate one and one-half year supply, which is not in compliance with the Illinois Procurement Code.
  • The Department does not have adequate procedures for monitoring and accounting for accounts receivable balances.
  • The Department does not have a disaster recovery plan for LANs at locations throughout the State. In addition, the fire extinguishing system for the Information Services Bureau computer operation facility is not sufficient. This condition has existed since 1986.

(Expenditure and Activity Measures are summarized on the next page.)

 


EXPENDITURE STATISTICS

                                                       FY 1998       FY 1997       FY 1996

  • Total Expenditures (All Appropriated Funds)   $273,331,066  $252,463,399  $233,328,902

OPERATIONS TOTAL                                  $272,331,703  $251,458,804  $223,029,895
  % of Total Expenditures                                99.6%         99.6%         95.6%

Personal Services                                 $152,217,338  $144,247,183  $135,221,377
  % of Operations Expenditures                           55.9%         57.4%         60.6%
  Average No. of Employees                               3,545         3,660         3,353

Other Payroll Costs (FICA, Retirement)             $20,161,024   $18,245,563   $16,845,455
  % of Operations Expenditures                            7.4%          7.2%          7.6%

Contractual Services                               $13,480,505   $12,890,034   $12,874,420
  % of Operations Expenditures                            5.0%          5.1%          5.8%

All Other Operations Items                         $86,472,836   $76,076,024   $58,088,796
  % of Operations Expenditures                           31.7%         30.3%         26.0%

GRANTS, REFUNDS, IMPROVEMENTS, TOTAL                  $999,363    $1,004,595   $10,299,007
  % of Total Expenditures                                  .4%           .4%          4.4%

  • Cost of Property and Equipment                $195,065,370  $185,419,381  $163,597,972

 

SELECTED ACTIVITY MEASURES

                                 FY 1998     FY 1997     FY 1996

Sworn Officers                     1,908       1,980       1,825
IL Vehicle Code Citations        394,827     363,218     324,108
Motorist Assists                 133,611     135,032     137,765
Arrests                           25,582      25,209      24,755
Cases Opened                       7,799       8,733      10,273
Convictions                        7,471       7,325       4,849

 

AGENCY DIRECTOR(S)
During Audit Period: Mr. Terrance Gainer

Currently: Mr. Sam Nolen

The Department has invested about $2 million in computer hardware and software and approximately 800 employees have access to 75 computer networks throughout the State

Inventory levels represent approximately a year and a half supply of uniforms

The Department does not have formal procedures for monitoring account receivable balances

Certain deficiencies continue to exist with disaster recovery plans for LANs and with the fire protection at the Armory building

FINDINGS, CONCLUSIONS, AND
RECOMMENDATIONS

INADEQUATE COMPUTER CONTROLS OVER LOCAL AREA NETWORKS (LANS)

The Department has not established adequate computer security controls over local area networks. The Department has approximately a $2 million investment in LAN hardware and software. LANs are used to process critical applications and provide access to the Department's mainframe computer system. Recently, the Department developed and implemented written policies and procedures for the administration of LANs; however, the Department is not ensuring these policies and procedures are being followed. We also noted two application programmers possessed supervisor access to one of the Department's LANs without the Department establishing compensating controls to compensate for this inappropriate segregation of duties. In addition, the Department does not utilize the various tools available to it for monitoring security. (Finding 98-10, pages 24-25) This finding has been repeated since 1992.

We recommended the Department implement monitoring procedures to ensure LAN software security features are being properly utilized. Further, the Department should not assign application programmers as LAN Administrator backup personnel or should institute appropriate compensating controls.

The Department concurred and stated that it has corrected the specific items found not to comply with current security procedures and will implement safeguards to ensure these items do not occur in the future. In addition, the Department will budget for and purchase security audit software to assist LAN administrators in identifying instances of noncompliance. Lastly, written policies and procedures will be implemented to provide accountability in regard to network administration access since segregating the duties of the two backup network support individuals is not possible. (For previous agency responses, see Digest Footnote 1.)

EXCESSIVE INVENTORY LEVELS

The Department of State Police maintains inventories at several locations which consist of uniforms and various operating supplies. At June 30, 1998, the inventory value was about $3 million. Although the Department decreased its inventories by approximately 13% from the prior audit period, these inventory levels represent an approximate one and one-half year supply, which is not in compliance with the Illinois Procurement Code.

According to the Department, uniforms, which comprise a large portion of the inventory, must be ordered in large quantities and carried in a variety of sizes. However, we noted that the Department is susceptible to a higher level of risk of loss due to theft, obsolescence or damage as inventory levels increase. Additionally, the existing inventory system is not capable of establishing automated restocking points, thus the supply section is required to assess inventory needs using a manual system. (Finding 98-3, page 16)

We recommended the Department continue to reduce existing inventory and establish minimum restocking levels. Also, the Department should consider developing a more cost-effective approach for the inventory system.

The Department concurred in part and stated that the Central Supply Section is legislatively charged with maintaining an inventory of uniforms, equipment, and hardware for all Illinois State Police officers. An assortment of uniforms is required to be on hand to properly fit officers.

INADEQUATE MONITORING AND ACCOUNTING FOR ACCOUNTS RECEIVABLE BALANCES

The Department has inadequate procedures for monitoring and accounting for accounts receivable balances. We noted several deficiencies. For example, the Department's accounts receivable subsidiary records for the State Police Services Fund totaled $48,500 greater than the amount reported on the Department's financial statements. The Road Fund receivables are maintained on two different systems, and not all supporting documentation was maintained for both systems. The Department does not maintain formal documentation of follow-up attempts in regard to overweight fines, citations, and dispositions. The subsidiary detail for overweight fines included a receivable from one individual for approximately $97,000, which is not possible according to the fines schedule. This balance was the result of a data-entry error. Lastly, the Road Fund receivables totaled approximately $987,000 and $933,000 at June 30, 1998 and 1997. Of these balances, receivables in excess of one year old totaled approximately $670,000 and $640,000 at June 30, 1998 and 1997. (Finding 98-7, page 20)

We recommend the Department develop and follow formal written procedures for the monitoring, maintenance and accounting for accounts receivable balances.

The Department concurred and stated it will develop and follow written procedures for monitoring accounts receivable balances and will maintain improved documentation for each receivable.

LACK OF A DISASTER RECOVERY PLAN FOR LOCAL AREA NETWORKS (LANs) AND INSUFFICIENT FIRE PROTECTION SYSTEM

The Department does not have a disaster recovery plan for LANs at locations throughout the State. In addition, the fire extinguishing system for the Information Services Bureau's (ISB) computer operations facility is insufficient. The fire extinguishing system for the entire building is the same and is, likewise, insufficient.

The Department has LAN locations throughout the State. All of the LANs have the capability to access the Department's mainframe computer at the Armory, and it is critical that the integrity and security of information maintained on the Department's LANs be protected and that the LANs can be restored in the event of a disaster.

The Department has approximately $10 million of computer equipment at a single centralized site utilized for the processing of certain accounting applications as well as the Law Enforcement Agencies Data System (LEADS). However, the Department relies on hand-held Halon fire extinguishers as the means of fire suppression in ISB's computer facility, and the Armory building's fire detection system is comprised mainly of stand-alone smoke detectors.

Proper physical controls are necessary to ensure that sensitive programs, operating procedures, and valuable computer hardware are safeguarded from hazards. Improper disclosure or destruction of data, or destruction of hardware, would have a devastating effect on the operations of the Department as well as other local and national law enforcement agencies. (Finding 98-9, pages 22-23) This finding has been repeated since 1986.

We recommended the Department upgrade the fire protection system for the computer facility and the entire Armory building to provide adequate security against potential loss due to fire damage and develop a written LANs disaster recovery plan.

The Department concurred and plans to make necessary changes and additions to the disaster recovery plan. The Department also stated funding and other extenuating circumstances have prohibited the realization of upgrading the fire protection system at the Armory building. (For previous agency responses, see Digest Footnote 2.)

OTHER FINDINGS

The remaining findings were less significant and are being given appropriate attention by the Department. We will review its progress toward implementing these recommendations in our next audit.

AUDITORS' OPINION

Our auditors state that the Department's financial statements for the two years ending June 30, 1998 are fairly presented.



____________________________________
WILLIAM G. HOLLAND, Auditor General

WGH:JSC:pp

SPECIAL ASSISTANT AUDITORS

Our special assistant auditors for this audit were Olive LLP.

DIGEST FOOTNOTES

#1: INADEQUATE CONTROL OVER LOCAL AREA NETWORKS (LANS) - Previous Department Responses.

1996: "We concur. Due to the pending plan to renovate the Armory, improved fire protection will be included in this effort, contingent upon adequate funding."

1994: "We concur in part. More work needs to be done on LAN security and control. However, the recommendations made by the audit are contrary to those implemented on the mainframe. The LAN and mainframe require similar controls and should be consistent with each other. The need for disaster recovery for LANs is recognized and will be addressed. While ISB (Information Services Bureau) does not currently have a separate security awareness class, security is emphasized in all of the Information Center training classes." (The response then goes on to address the recommendations made in more detail.)

1992: "We concur. ISB will coordinate and manage local area networks (LANs) for ISP. The responsibility will include controlling, installing and supporting LANs as well as security functions." (The response provides further details on plans to implement the recommendations.)

#2: LACK OF DISASTER RECOVERY PLAN FOR LOCAL AREA NETWORKS AND INSUFFICIENT FIRE PROTECTION SYSTEM - Previous Department Responses

1996: "We concur. Due to the pending plan to renovate the Armory, improved fire protection will be included in this effort, contingent upon adequate funding."

1994: "We concur. A written disaster recovery plan is in process. ISP will continue to work toward a more complete Armory fire suppression system as funds allow."

1992: "ISP concurs that an alternate processing site should be established. To this end, ISP and CMS are in the process of implementing the capability for ISP to use CMS facilities in the event of a disaster. This capability will include the ability to switch critical communications lines so that processing of officer safety functions will be protected. ISP anticipates conducting a test of this capability by the beginning of FY 94.

The intent of ISP is to address the inadequacies of fire protection in three phases as funding becomes available. The first phase will encompass an Armory-wide fire detection system that will alert the fire department when a fire is detected. The second phase will provide for fire suppression in areas that are unmanned in off-hours. The third phase will provide for fire suppression in critical areas that are manned twenty-four hours per day. The greatest risk to the computer facility is a fire that ignites in the Armory and is not detected until too late. In areas that are manned, the risk is less and staff would be able to call for the fire department in a timely fashion. To minimize total risk, fire detection and suppression is needed in all areas of the Armory to protect critical functions."

1990: "We concur with the findings concerning lack of a backup site and inadequate fire suppression in the Data Center. We will continue to seek funding to correct these deficiencies."

1988: "We concur."

1986: "We concur. A formal recovery plan is under development. A Failure Impact Analysis has been completed and recommendations are being prepared, for the Director's approval, on priority for restoring all applications. Funds have been requested in FY90 from the Capital Development Board for FY90 to build a primary data center which would then allow the Armory as a backup site.

A complete fire protection system has not been installed due to lack of adequate funds. However, some alternative fire suppression efforts have been made. Since 1984, we have utilized very limited funds to expand heat sensors/fire detectors in the data center, which are monitored by the ISP Command Center. We have also obtained fire-retardant trash containers, and plastic covers to prevent water damage to equipment due to burst pipes."