The Examination Of Information Technology-Related Controls At The Taunton District Court
JANUARY 4, 2011 · Taunton District Court · Read the full official report (PDF) ↗
source
“However, our audit revealed that control practices needed to be implemented and strengthened for disaster recovery and business continuity planning for TDC’s automated systems, and password administration for the MassCourt Lite application system.”
Read the plain-English breakdown
This is a follow-up state audit of IT-related controls at Taunton District Court, covering issues like computer access, passwords, equipment tracking, backups, and emergency planning.
“The Office of the State Auditor’s follow-up audit focused on a review of certain IT-related general controls over TDC’s computer operations.”
Auditors came back to see whether problems found in a prior audit had been corrected.
“The primary objective of our audit was to determine whether corrective action had been taken with respect to our prior audit results.”
Weak password controls can let unauthorized people get into sensitive court systems or gain more access than they should have.
“Insufficient control practices over password administration places TDC at increased risk for unauthorized access to sensitive data residing on its mission-critical application.”
If you live in or have court business involving Taunton or nearby towns, these systems help handle cases, scheduling, docketing, and court records.
“TDC, which is located at 120 Cohannet Street, Taunton, Massachusetts, has jurisdiction for all criminal and most civil matters for the city of Taunton and the towns of Berkley, Dighton, Easton, Raynham, Rehoboth, and Seekonk.”
The court improved physical security, environmental protections, inventory tracking, and user account controls, but still had unresolved weaknesses in passwords and disaster recovery planning.
“Our review of the status of audit results from our prior audit report No. 2004-1191-4T, issued December 24, 2004, indicated that corrective action had been taken to strengthen controls regarding physical security and environmental protection, user account management, and inventory control over computer equipment.”
The auditor recommended that the court and the Administrative Office of the Trial Court create, document, test, and update a business continuity plan, and strengthen password rules.
“We recommend that TDC, in conjunction with the AOTC, develop a documented business continuity plan, including detailed user area plans specific to TDC’s operations.”
The biggest public-service risk is that without tested backup plans, a serious outage could slow the court’s ability to process cases.
“An extended loss of processing capabilities could adversely affect TDC’s ability to perform its primary business functions and could result in significant delays in processing caseloads.”
MassCourt Lite is the main case-management system the court used for entering cases, scheduling, docketing, financial tracking, reports, notices, forms, and storing case documents.
“The MassCourt Lite application, which is the primary system used by TDC, is a comprehensive case management system that provides case entry, docketing, scheduling, case-related financial management, automated reports, notices and forms, and electronic storage of case documents available through the Trial Court Intranet.”
What the Auditor checked
- Partially Determine whether corrective action had been taken with respect to prior audit results.
- Complied Determine whether adequate controls were in place to ensure that only authorized TDC personnel had access to automated systems used by the Taunton District Court.
- Did not comply Determine whether TDC, in conjunction with AOTC, was actively monitoring password administration.
- Did not comply Determine whether TDC, in conjunction with AOTC, had developed a documented business continuity plan.
What the Auditor found
Why it matters: This increased the risk of unauthorized access to sensitive data and inappropriate access privileges.
Standard: Computer industry standards recommend documented and approved password policies with an appropriate and enforced frequency of password changes.
2 recommendations
- Enhance IT security policies and procedures to include more detailed requirements regarding password administration.agency: agreed
- Implement a system to prompt users to change passwords within established time frames for MassCourt Lite.agency: agreed
Agency response & Auditor reply
Agency: "We will work in conjunction with the AOTC to set up and implement guidelines to help strengthen the mandatory time frame for password changes and procedures to stop unauthorized access attempts."
Why it matters: TDC risked being unable to restore mission-critical operations within an acceptable period and could face significant caseload processing delays.
Standard: Generally accepted practices and industry standards for computer operations support an ongoing business continuity planning process.
3 recommendations
- Develop a documented business continuity plan, including detailed user area plans specific to TDC operations.agency: agreed
- Test, review, update, distribute, and train appropriate staff on the business continuity plan.agency: agreed
- Request input, instructions, and guidelines from AOTC to ensure continuity of IT and business operations if applications become unavailable.agency: agreed
Agency response & Auditor reply
Agency: "We will work in conjunction with the AOTC to set up and implement guidelines to ensure continuity of IT and business operations should the Court become inoperable or inaccessible due to an unforeseen disaster."
Auditor: "We acknowledge TDC’s intent to address business continuity planning."
Prior findings revisited
"Our review of the status of audit results from our prior audit report No. 2004-1191-4T, issued December 24, 2004, indicated that corrective action had been taken to strengthen controls regarding physical security and environmental protection, user account management, and inventory control over computer equipment."
"Our prior audit indicated that there was limited evidence that formal planning had been performed to restore TDC-based business operations in the event that automated systems and supporting technology were inoperable or inaccessible, or that operational areas within the courthouse were inaccessible."
"Our follow-up review noted that TDC has relocated to another facility that provides improved controls regarding physical security and environmental protection for its operations."
"Our current audit confirmed that TDC, in conjunction with AOTC, had strengthened inventory controls over IT equipment."
"Regarding our current audit, we found that user account management controls were in place and in effect for the application systems utilized by TDC and provided reasonable assurance that users were properly authorized to access the systems."