Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Massachusetts Highway Department

MAY 31, 2001 · Read the full official report (PDF) ↗ · official site ↗

Published MAY 31, 2001 Audit covers July 1, 1999 – May 31, 2001 Under A. Joseph DeNucci · 1987–2011

In plain English
The audit found that MassHighway needed better computer access controls and a real, tested backup plan for keeping key systems running after a disaster.
source
“Based upon our examination of general controls, we found that internal control practices needed to be strengthened to provide reasonable assurance that only authorized users would have access to IT resources and that mission-critical and essential functions supported by technology can be recovered within an acceptable period of time.”
Read the plain-English breakdown
What is this?

This is a State Auditor review of information-technology controls at the Massachusetts Highway Department, focused on computer access and disaster recovery planning.

“We performed an information technology (IT) audit at the Massachusetts Highway Department for the period July 1, 1999 through May 31, 2001.”
Why was it audited?

Auditors were checking whether problems found in an earlier IT audit had been fixed.

“The primary objective of our audit was to determine whether the issues and recommendations regarding logical access security and business continuity planning from our prior IT audit report (No. 93-0506-4C) had been addressed.”
Why it matters

Weak access controls could let the wrong people see, change, delete, or misuse important highway department data.

“Without proper system access restrictions, persons could gain unauthorized access to system data, and/or programs, thereby placing the MHD at risk of unauthorized use, which could lead to modifications to, and deletions or disclosure of critical or confidential data.”
What's in it for me?

For residents, this matters because MassHighway relies on these systems to support highway and bridge planning, construction, operations, and maintenance.

“As a result, MHD would be hindered from obtaining information needed for administrative functions or for information related to planning, designing, constructing, operating, and maintaining the state’s highways and bridges.”
The bottom line

The department had some controls, but they were not strong enough; it also lacked a fully developed and tested continuity plan at the time of the audit.

“Disaster recovery procedures and business continuity planning for the MHD were not in place at the beginning of the audit, although by the end of our audit field work, the Department had initiated an effort to develop appropriate business continuity plans.”
What happens next

MassHighway said it would disable invalid accounts, improve termination notices, review active users twice a year, and build a more detailed continuity plan.

“The Department acknowledges the necessity to develop a more detailed plan that includes:”
Why it's significant

The report is significant because it found real gaps: 70 active user IDs belonged to people who were not current employees or contractors, and disaster recovery plans were not yet tested.

“Our tests of the WAN and LAN indicated that 70 (or 6%) out of 1,190 users were not employees or contractor personnel as of February 24, 2001.”
Jargon, unpacked

“Logical access security” means the rules and safeguards that decide who can log in and what systems or files they can use.

“We reviewed logical access security procedures used to prevent, detect, and potentially correct unauthorized access or attempts to access MHD files and software installed on various MHD systems.”

What the Auditor checked

What the Auditor found

Logical access controls did not ensure that only authorized users had active access to systems, data, and programs.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: Unauthorized users could gain access to system data or programs, creating risk of unauthorized use, modification, deletion, or disclosure of critical or confidential data.

Standard: MHD's Internal Control Manual and sound access security practices required active user IDs to be limited to authorized users. ( MHD’s “Internal Control Manual” )

6 recommendations
  • Remove user IDs for individuals who are no longer current staff or contractors.agency: agreed
  • Notify security administration of terminations or leaves of absence and retain notification records as an audit trail.agency: agreed
  • Review user IDs against the list of authorized users at least semi-annually.agency: agreed
  • Reissue network access forms and maintain copies with Human Resources and IT during the Windows 2000 upgrade.agency: agreed
  • Use unique user numbers in user profiles so accounts can be reconciled to HR/CMS and MMARS.agency: agreed
  • Secure contractor logon privileges with start and end dates synchronized to the associated contract.agency: agreed
Agency response & Auditor reply
Agency: "We are in agreement with your recommendations and will take the following action:"
Auditor: "We are pleased that MHD is taking immediate action to address system access security concerns."
The department did not have a documented and tested business continuity plan for timely restoration of mission-critical and essential functions.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The department might be unable to restore essential systems and obtain information needed for administrative and highway-related operations within an acceptable time period after a disruption.

Standard: Generally accepted practices and industry standards for computer operations require an ongoing business continuity planning process with risk assessment and contingency and recovery plans. ( Generally accepted practices and industry standards for computer operations )

5 recommendations
  • Establish a business continuity planning framework incorporating critical and impact assessments, plan development, risk management, testing, maintenance, training, and communication.agency: agreed
  • Conduct a formal risk analysis of IT-related components, including outsourced ITD services, annually or after major changes.agency: agreed
  • Ensure the business continuity plan includes recovery strategies for all potential disaster scenarios.agency: agreed
  • Identify alternative sites for business operations and data processing.agency: agreed
  • Test, formally review, approve, periodically update, distribute, and store the business continuity plan off site.agency: agreed
Agency response & Auditor reply
Agency: "The Department acknowledges the necessity to develop a more detailed plan that includes:"
Auditor: "We reiterate the need to maintain, test, and review and approve business continuity plans and establish a framework for business continuity planning with procedures requiring risk management, recovery, contingency plan testing, business continuity plan maintenance, and appropriate training for assigned business continuity responsibilities."

Prior findings revisited

Still a problem
"Our audit included a review of the status of audit results and recommendations regarding logical access security and business continuity planning noted in our prior IT audit report (No. 93-0506-4C), issued June 30, 1993."