REPORT DIGEST

DEPARTMENT OF CENTRAL MANAGEMENT SERVICES – BUREAU OF COMMUNICATIONS AND COMPUTER SERVICES
SERVICE ORGANIZATION CONTROL REPORT

For the Year Ended: June 30, 2013
Release Date: July 2013

State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

This Service Organization Control Report covers the Department of Central Management Services, Bureau of Communications and Computer Services’ State of Illinois Information Technology Environment throughout the period July 1, 2012 to June 30, 2013. We examined the Description of System and the suitability of the design and operating effectiveness of controls to meet the security, availability, and processing integrity principles set forth in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids).

The Department of Central Management Services’ (Department) Bureau of Communications and Computer Services carries out statutory responsibilities relating to data processing and telecommunication services. The Department provides data processing services to approximately 103 agencies. The Department provides state government agencies, boards, and commissions an Information Technology infrastructure in which to host their applications and data. The system description herein only relates to the mainframe computing environment and excludes the midrange computing environment.

The Department and the agencies that use the Department’s computer resources share the responsibility for maintaining the processing integrity, availability, and security of computerized data and functions.
We identified 4 control deficiencies.

First, a suitable change management process over applications maintained by the Department was not in place from July 2012 to November 30, 2012. In addition, application changes after November 2012 did not comply with the Application Lifecycle Management Manual.

Second, the approved process to control mainframe password resets was not being followed by the Department’s Coordinator, resulting in a control deficiency over the process to make changes and updates to user profiles.

Third, according to the security policies, the Department and security personnel were responsible for the monitoring, auditing, tracking, and validating compliance with the policies and procedures. However, we were unable to determine who within the Department was responsible, resulting in a control deficiency over procedures to provide that issues of noncompliance with security policies are promptly addressed.

Finally, risk assessments are to be performed periodically; however, formal risk assessments had not been performed, resulting in a control deficiency over the performance of risk assessments.

See pages 5 to 9 of the report for additional information.

In our opinion, except for the matters referred to above, the description is fairly stated and the controls were suitably designed.

WILLIAM G. HOLLAND
Auditor General

Mainframes: 3 Units Configured as 12 Production Systems and 9 Test Systems

Customer Service Center:
- IT Incidents Opened – 103,007
- IT Incidents Resolved – 106,126
- Password Resets – 34,976
- IT Service Requests Opened – 38,386
- IT Service Requests Closed – 39,219
As of March 2013

State Agency Users: 103

Bureau Employees:
- 2010 -- 641
- 2011 -- 577
- 2012 -- 558
- 2013 -- 501

Historical Growth Trend: **
- 2010 -- 3,908 MIPS
- 2011 -- 4,184 MIPS
- 2012 -- 4,184 MIPS
- 2013 -- 4,099 MIPS
MIPS -- Million Instructions Per Second
** In the month of April for each year listed

DEPARTMENT DIRECTOR AND DEPUTY DIRECTOR/BUREAU MANAGER
During Audit Period and Current: Director: Malcom E. Weems
During Audit Period and Current: Deputy Director/Bureau Manager: Rich Fetter