INTRODUCTION
These reports represent the results of our financial and compliance audit for
the year ending December 31, 1998.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS
INCOMPLETE DISASTER CONTINGENCY PLAN
The Authority’s Computer Disaster Recovery Plan (Plan) continued to be
incomplete and did not insure that its data processing functions could be reasonably
performed if an emergency occurred that rendered its computer center inoperable. The
Authority relies on its computer operations to perform accounting and public safety
functions.
The Authority contracted with a computer-consulting firm to develop an updated disaster
recovery plan. The Authority indicated it intends to use the plan as a guide to develop
its own plan. According to Authority personnel, progress on the plan has been limited due
to other priorities and limited resources.
An adequate Plan should minimize the interruption of operations and loss of critical
information in the event of a disaster. Without a detailed Plan, it would be difficult for
the Authority to insure that it can perform the Authority’s vital operations in the
event of an emergency. (Finding 98-1, pages 12-13)
We recommended the Authority management promptly complete the details of the Plan. Once
the Plan is completed, responsibilities to test and update the Plan on a periodic basis
should be assigned to Authority personnel to insure that the Plan is effective. An
on-going commitment to test and update the Plan will be essential to its success. This
finding has been repeated since 1987.
The Authority responded that it is in agreement and fully recognizes the need for
Disaster Recovery Planning. Officials said supplemental contingency plans are currently
being developed internally and are expected to be complete by October 31, 1999. (For
previous Agency responses, see Digest Footnote #1.)
INADEQUATE COMPUTER SECURITY
The Authority’s security over its local area network (LAN) and its’
mainframe computer system continues to have weaknesses that require improvement.
Virtually all information, whether it was confidential or not, was accessible through
the Authority’s LAN. The LAN also provides the entry path to the mainframe system.
Some common security deficiencies that exist are:
·
Passwords were allowed to be the same as the user
initials or the login ID.
·
Passwords are only changed every 90 days. (Findings 98-2
and 98-3, pages 14 – 17)
We recommended the Authority develop standards which minimize security risk through
preventive measures, limit loss from unauthorized access, identify irregularities in a
timely fashion and define and implement disciplinary action for violating security
procedures. Inadequate securities over its LAN has been a repeated finding since 1994.
The Authority accepted our recommendation and stated it will develop and implement
standards, controls, procedures and monitoring in connection with its Y2K compliance
initiatives. (For previous Agency responses, see Digest Footnote #2.)
INTERNAL AUDIT PROCEDURES NOT FOLLOWED
The Authority did not follow the established procedures of obtaining responses to
findings for internal audit Report #271, Operational and Contract Compliance Evaluation of
Self Indemnity (Fee for Service) Health Benefits Program.
During this audit, findings were noted; however, responses were not obtained because
the audit scope was not completed after access to records of the Third Party Administrator
were denied. Authority Management stated it was satisfied that no financial loss occurred.
State statute requires the chief internal auditor to submit to the chief executive
officer a written report detailing how the audit plan for the year was carried out, the
significant findings, and the extent to which recommended changes were implemented. This
audit was included in the annual report and contains 17 findings and recommendations. A
number of the findings pertain to weaknesses in procedures and controls.
The internal audit findings may not be corrected if responses are not obtained and exit
conferences are not conducted. (Finding 98-5, page 19)
The Authority responded that the findings were addressed when a contract was executed
with the new third party administrator. They also said internal control changes would be
reviewed in a follow-up audit.
LOST INTEREST ON I-PASS DEPOSITS
The Authority was not investing the I-Pass deposits and prepayments in interest
yielding accounts until July 1998. From November 1993 to December 31, 1997, the Authority
lost an estimated $142,010 in interest income. In 1998, the Authority lost an estimated
$83,878 in interest income.
The Authority stated that it did not invest the deposits and prepayments based on the
belief that interest on the security deposit for the transponder would have to be paid to
the consumer. The costs to monitor the interest due to consumers would therefore more than
offset the interest income.(Finding 98-6, pages 20 - 21)
The Authority did not provide any specific cite to support its belief and ultimately
agreed to invest the deposits. We recommended continuing to invest the I-pass deposits and
prepayments in interest yielding accounts.
OTHER FINDINGS
The remaining findings are of lesser significance and are being given attention by
the Authority. We will review the Authority’s progress toward implementation of our
recommendations in our next audit.
Nicholas W. Jannite, Chief of Finance, provided responses to our findings.
AUDITORS’ OPINION
Our auditors stated the Illinois State Toll Highway Authority’s December
31, 1998 financial statements are fairly presented.
____________________________________
WILLIAM G. HOLLAND, Auditor General
WGH:TEE:pp
SPECIAL ASSISTANT AUDITORS
Clifton Gunderson L.L.C. were our special assistant auditors for this
engagement.
DIGEST FOOTNOTES
#1: INCOMPLETE DISASTER CONTINGENCY PLAN – Previous Agency Responses
1997: "The Disaster Contingency Plan has been completed with the help of a
consultant. A copy of the plan has been submitted to the Auditor General’s Office and
to their representative, Clifton Gunderson L.L.C. for comments. Once we receive any
comments on the plan, the Authority will begin testing of the plan."
1996: "The Authority agrees that the completion of the formalization of its
disaster recovery plan is a priority goal within the MIS Department. The Authority has
contracted with an outside contractor to assist it in the review and completion of this
plan. Procedures for periodic review and testing of the plan will be determined once the
plan itself has been formalized. The Authority anticipates it will meet the
recommendations of the auditors during calendar year 1997. While the creation of a secure
site is still under consideration, no formal plans for contracts will be awarded in
relation to this prior to the completion of the formal written disaster contingency plan.
The Authority presently has an agreement with Unisys Corporation to provide off-site
emergency services. The Authority has tested this contingency plan by running a test of
its payroll system."
1995: "As indicated in last year’s responses, the Authority recognizes
and agrees with the finding that we should be able to perform vital operations in the
event of an emergency. Since the original finding appeared in 1987, the Authority has
taken measures to improve the Computer Center environment, through the installation of
physical safeguards. The Authority is currently negotiating the terms of an agreement with
the mainframe manufacturer for the use of their facility as an alternate site.
Additionally, the Authority is migrating the Toll Collection and Revenue Accounting System
to the same environment. This migration will consolidate all critical mainframe
applications onto a single hardware vendor. Therefore, the Authority continues to work
toward completing a plan."
1994: "As indicated in last year’s responses, the Authority recognizes
and agrees with the finding that we should be able to perform vital operations in the
event of an emergency. Since the original finding appeared in 1987, the Authority has
taken measures to improve the Computer Center environment, through the installation of
physical safeguards, such as smoke detection, fire detection, uninterruptible power
supplies and halon extinguishing system. By spring of 1995, the Authority will establish a
committee to develop a business recovery plan."
1992: "The Authority recognizes and agrees with the audit finding that we
should be able to perform vital operations in the event of an emergency. However, the
Authority no longer supports the recommendation on how the plan should be structured or
the minimal requirements of an alternate site for processing data. It is now our belief
that this determination can best be made upon completion of a two (2) phase analysis of
the risk, cost, and impact of a business recovery plan which will actually support the
business continuity of the Authority.
The Authority has studied our requirements for the development of a Computer Disaster
Recovery Plan over the course of several years. It is our belief that a Computer Disaster
Recovery Plan would not guarantee our ability to sustain business operations or financial
obligations in the event of a disaster unless such a disaster was contained within the
Computer Center room itself. Because of the safeguards built into the Computer Center,
such as smoke detection, water detection, uninterruptible power supplies and halon
extinguishing system, the risk in losing computer resources contained in the room is
minimal. However, there is a broader issue regarding continuity of operations if our
administrative headquarters and/or any outlying plaza or maintenance facility are rendered
inoperable. This realization caused the Authority to re-evaluate the objectives of
disaster contingency and to focus on the necessity for business continuity planning. In
recognition of the dynamic scope contained in this type of approach, the Authority plans
to perform this project in phases over the course of the next several years. We have
solicited and are reviewing proposals from two (2) major accounting firms for services to
conduct the first two (2) phases of this project: Vulnerability/Risk Assessment and
Business Impact Analysis. The time estimated to complete these phases ranges from four (4)
to eight (8) months. We plan to receive board approval to begin this project in the second
quarter of calendar year 1994."
1991: "With our relocation to a new facility, the Authority has
incorporated a number of physical safeguards against data loss, such as uninterruptible
power sources; has current plans showing the layout of equipment and cabling requirements;
and has utilized off-site storage facilities. We anticipate reviewing a comprehensive
disaster recovery plan within the year. We will continue with efforts to implement and
maintain an adequate disaster recovery plan."
1990: "With our relocation to a new facility, the Authority has
incorporated a number of physical safeguards against data loss, such as uninterruptible
power sources. The Authority also has current plans showing the layout of equipment and
cabling requirements and utilized off site storage facilities. We anticipate reviewing a
comprehensive disaster contingency plan within the year. We will continue with efforts to
implement and maintain an adequate disaster contingency plan."
1988: "It must be pointed out that even though the Computer Aided Dispatch
is considered part of the Authority’s data processing organization, the ability to
service patrons and provide law enforcement is never jeopardized. Reciprocal agreements
already exist throughout all Illinois State Police Districts. District 15 coverage would
be distributed across Districts 1, 2, 3, 4 and 5, respectively according to geographical
location of a tollway incident. We also utilize CB radios in our maintenance operations.
In addition, all computerized systems have offsite storage of program software and
documentation. A copy of the Disaster Recovery Plan is also stored offsite and reviewed
every six months and updated when necessary. A proposal from an outside firm to design a
contingency plan has been obtained and an agreement will be entered into in 1989. The
Authority will continue with all efforts to develop an adequate disaster contingency
plan."
1987: "The statement that "a more detailed plan has not been developed
because there is not sufficient interest by the Authority in having an overall contingency
plan" is not true. The finding also neglected to point out that the Authority has a
written agreement with one vendor (UNISYS) for resource availability in the event of a
disaster to the Authority’s financial system. While "alternate site
processing" may be the best theoretical solution to the development of a disaster
contingency plan, it is the most expensive and complex method of providing such a plan and
may not be the most practical method for the Authority. The Authority does realize the
importance of a disaster contingency plan. However, the complexity of the alternatives,
including the one recommended in the finding, is such that all possible alternatives,
taking into account current environment and future changes, must be thoroughly reviewed
and evaluated. The Authority will initiate the procedure it deems best for the Authority
as soon as the most appropriate plan is identified."
#2 INADEQUATE COMPUTER SECURITY – Previous Agency Responses
1997: "The Authority agrees in part with the recommendations.
·
Passwords are unique
and a minimum of five (5) characters. The security software in use, however, does not
compare login I.D. with the user’s password. New security software would have to be
purchased in order to have this particular feature.
·
The Authority currently
changes passwords every ninety (90) days with a maximum of five (5) grace logins. The
Authority believes this is adequate to meet both security needs and to maintain user
comfort with the network.
·
The Authority operates on
a twenty-four (24) hour, seven (7) days a week basis. The Authority must provide
reasonable and routine access to accounts during operating hours of the Tollway, which
includes twenty-four (24) hour Police, plaza and maintenance operations. Time restrictions
have been tested and resulted in numerous user complaints and created unnecessary
administration burdens.
·
Security activity and
violations will be logged quarterly."
1996: "The Authority agrees that network security should remain a high
priority, and additional security measures should be implemented in an effort to continue
to improve upon network security. Presently, all users have passwords, passwords are
required to be five characters in length, and users are encouraged to use unique
passwords. Our present policy of changing passwords every 90 days have proven to be
adequate to both meet security needs, and to maintain user comfort with the network. The
Authority is willing to consider a more frequent schedule of password changes if required.
Account usage is presently reviewed using BindView, and inactive accounts are disabled
after 21 days, since the first quarter of 1997 (a shorter time period than that
recommended by the auditors). All users are presently allowed only a single network
session. Access to programs is determined by each department based on each user’s job
responsibilities. Additional security features are being investigated for implementation
within the Authority, including replacement of the Cheyenne Backup system with a more
secure password protected backup system. The MIS Department is presently seeking the
participation of Authority system users in an evaluation of the impact which new security
measures presently under consideration would have on users and their managers.
A number of management issues surrounding the installation and expansion of the
Authority’s LAN/WAN created a temporary environment where select security features
were temporarily overridden for managerial installation and testing needs. These
procedures do not represent standard security procedures at the Authority."
1995: "The Authority accepts the value of the recommendations of the
extensive Information Systems Audit performed by the Office of the Auditor General. The
Authority has recently established a MIS Steering Committee. The initial task of this
committee will be to establish guidelines for security of the LAN systems to be completed
by the third quarter of 1996."
1994: "The Authority agrees with the Auditor General on the importance of a
secure Local Area Network. The systems analysis software utilized by the Auditor General
is a useful tool for monitoring the security of the system. The Authority will consider
acquisition of the analysis software to assist in the monitoring of security features and
the enhancement of the existing security structure to meet the Auditor General
recommendations."
