Civil Service Commission
April 22, 2011 · Read the full official report (PDF) ↗
source
“Based on our review, we have concluded that, except for the issues addressed in the Audit Results section of this report, during the audit period ended November 8, 2010, CSC maintained adequate internal controls regarding system access security, inventory controls over computer equipment, business continuity planning, and selected controls regarding the protection of personal information.”
Read the plain-English breakdown
This is a Massachusetts State Auditor report on information technology controls at the Civil Service Commission.
“In accordance with Chapter 11, Section 12, of the General Laws, we performed an audit of information technology controls at CSC.”
Auditors checked whether CSC had reasonable safeguards for system access, computer equipment, continuity planning, personal information, and physical security.
“Our audit included a review of system access security, inventory controls over computer equipment, business continuity planning, and selected controls regarding the protection of personal information per Executive Order 504 and Chapter 93H of the General Laws.”
CSC handles appeals from public employees and job applicants, so its systems and records support decisions that can affect people’s jobs and careers.
“The mission of CSC is to adjudicate appeals of public employees and job applicants under the civil service laws.”
If you are a public employee, job applicant, or taxpayer, this matters because CSC is supposed to treat people fairly and keep its case information and equipment under control.
“It is CSC’s responsibility to ensure that individuals who come before it are treated fairly and impartially.”
The big takeaway is that CSC needed stronger basic housekeeping: better computer inventory records and a written plan for keeping operations going after a serious IT disruption.
“However, we found that CSC did not have a formal, documented business continuity plan that would help ensure that mission-critical business operations can be recovered in a timely manner.”
CSC agreed to make changes and said it planned to carry out the recommendations by June 30, 2011.
“In regard to those areas where the Audit recommends improvements, we have already taken steps to implement some of those recommendations and plan on implementing all of the recommendations by the end of this fiscal year (June 30, 2011).”
The report is significant because missing or weak IT controls could make it harder for CSC to find equipment, detect losses, or continue serving the public during an outage.
“The absence of a sufficiently reliable inventory of computer equipment hinders CSC’s ability to properly account for IT resources, evaluate the allocation of equipment, identify missing equipment, and support IT configuration management objectives.”
“Business continuity planning” means having written steps so an agency can keep doing essential work if systems, offices, or data access are disrupted.
“Contingency planning is an essential part of continuing an agency’s business operations.”
What the Auditor checked
- Complied Determine whether system access security controls were in place to ensure that only authorized personnel had access privileges to the network and that password controls were sufficient.
- Partially Determine whether adequate inventory controls were in place and in effect to properly record and safeguard computer equipment.
- Did not comply Determine whether a business continuity plan was in place to provide detailed guidance for restoring mission-critical and essential business operations in a timely manner.
- Complied Determine whether controls were in place to secure both electronic and hard copy records containing personal information.
What the Auditor found
Why it matters: CSC could not reliably account for IT resources, identify missing equipment, or support IT configuration management objectives.
Standard: Office of the State Comptroller inventory requirements and Chapter 647 of the Acts of 1989. ( Chapter 647 of the Acts of 1989; Office of the State Comptroller inventory requirements )
4 recommendations
- Develop and implement internal control policies, procedures, and practices regarding inventory control of IT resources.agency: agreed
- Update inventory fields to include cost, purchase date, and verified serial numbers.agency: agreed
- Report all unaccounted-for variances, losses, and thefts to the Office of the State Auditor.agency: agreed
- Surplus obsolete and non-functional IT equipment and remove it from inventory records.agency: agreed
Agency response & Auditor reply
Agency: "In regard to those areas where the Audit recommends improvements, we have already taken steps to implement some of those recommendations and plan on implementing all of the recommendations by the end of this fiscal year (June 30, 2011)."
Why it matters: CSC risked disruption of service and delays in accessing mission-critical systems if IT capabilities or network connectivity were interrupted.
Standard: Executive Orders 144, 475, and 490, and generally accepted business practices and industry standards for computer operations. ( Executive Order No. 144; Executive Order No. 475; Executive Order No. 490 )
4 recommendations
- Work with ITD and EOAF to develop a comprehensive business continuity plan for accessing mission-critical applications after a disaster.agency: agreed
- Formally review, test, approve, and periodically update the business continuity plan.agency: agreed
- Include detailed staff instructions, contacts, alternate-site procedures, and IT recovery responsibilities.agency: agreed
- Follow Executive Orders 144, 475, and 490 for continuity planning, documentation, maintenance, and training.agency: agreed
Agency response & Auditor reply
Agency: "The Commission acknowledges, however, that there is no written formalized business continuity plan regarding computer operations that currently exists."
More audits of this entity
Other Office of the State Auditor reports on Civil Service Commission .
-
Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Civil Service Commission (November 8, 2024)Authority / Commission · November 8, 2024 - Audit of the Civil Service Commission (CSC)Authority / Commission · November 8, 2019
-
Audit of Settlement Agreements and Confidentiality Clauses Across Multiple State Agencies - Civil Service Commission (January 28, 2025)Authority / Commission · January 28, 2025