Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

The Examination Of Information Technology-Related Controls At The Taunton District Court

JANUARY 4, 2011 · Taunton District Court · Read the full official report (PDF) ↗

Published JANUARY 4, 2011 Audit covers July 1, 2009 – August 18, 2010 Under A. Joseph DeNucci · 1987–2011

In plain English
The audit found that Taunton District Court had fixed several earlier technology control problems, but still needed stronger password rules and a real, tested plan for keeping court work going during an IT outage or disaster.
source
“However, our audit revealed that control practices needed to be implemented and strengthened for disaster recovery and business continuity planning for TDC’s automated systems, and password administration for the MassCourt Lite application system.”
Read the plain-English breakdown
What is this?

This is a follow-up state audit of IT-related controls at Taunton District Court, covering issues like computer access, passwords, equipment tracking, backups, and emergency planning.

“The Office of the State Auditor’s follow-up audit focused on a review of certain IT-related general controls over TDC’s computer operations.”
Why was it audited?

Auditors came back to see whether problems found in a prior audit had been corrected.

“The primary objective of our audit was to determine whether corrective action had been taken with respect to our prior audit results.”
Why it matters

Weak password controls can let unauthorized people get into sensitive court systems or gain more access than they should have.

“Insufficient control practices over password administration places TDC at increased risk for unauthorized access to sensitive data residing on its mission-critical application.”
What's in it for me?

If you live in or have court business involving Taunton or nearby towns, these systems help handle cases, scheduling, docketing, and court records.

“TDC, which is located at 120 Cohannet Street, Taunton, Massachusetts, has jurisdiction for all criminal and most civil matters for the city of Taunton and the towns of Berkley, Dighton, Easton, Raynham, Rehoboth, and Seekonk.”
The bottom line

The court improved physical security, environmental protections, inventory tracking, and user account controls, but still had unresolved weaknesses in passwords and disaster recovery planning.

“Our review of the status of audit results from our prior audit report No. 2004-1191-4T, issued December 24, 2004, indicated that corrective action had been taken to strengthen controls regarding physical security and environmental protection, user account management, and inventory control over computer equipment.”
What happens next

The auditor recommended that the court and the Administrative Office of the Trial Court create, document, test, and update a business continuity plan, and strengthen password rules.

“We recommend that TDC, in conjunction with the AOTC, develop a documented business continuity plan, including detailed user area plans specific to TDC’s operations.”
Why it's significant

The biggest public-service risk is that without tested backup plans, a serious outage could slow the court’s ability to process cases.

“An extended loss of processing capabilities could adversely affect TDC’s ability to perform its primary business functions and could result in significant delays in processing caseloads.”
Jargon, unpacked

MassCourt Lite is the main case-management system the court used for entering cases, scheduling, docketing, financial tracking, reports, notices, forms, and storing case documents.

“The MassCourt Lite application, which is the primary system used by TDC, is a comprehensive case management system that provides case entry, docketing, scheduling, case-related financial management, automated reports, notices and forms, and electronic storage of case documents available through the Trial Court Intranet.”

What the Auditor checked

What the Auditor found

Password controls for the MassCourt Lite application were not strong enough.
cybersecurityinternal controls

Why it matters: This increased the risk of unauthorized access to sensitive data and inappropriate access privileges.

Standard: Computer industry standards recommend documented and approved password policies with an appropriate and enforced frequency of password changes.

2 recommendations
  • Enhance IT security policies and procedures to include more detailed requirements regarding password administration.agency: agreed
  • Implement a system to prompt users to change passwords within established time frames for MassCourt Lite.agency: agreed
Agency response & Auditor reply
Agency: "We will work in conjunction with the AOTC to set up and implement guidelines to help strengthen the mandatory time frame for password changes and procedures to stop unauthorized access attempts."
TDC had not documented and tested business continuity and disaster recovery plans.
internal controlsrecordkeeping/documentation

Why it matters: TDC risked being unable to restore mission-critical operations within an acceptable period and could face significant caseload processing delays.

Standard: Generally accepted practices and industry standards for computer operations support an ongoing business continuity planning process.

3 recommendations
  • Develop a documented business continuity plan, including detailed user area plans specific to TDC operations.agency: agreed
  • Test, review, update, distribute, and train appropriate staff on the business continuity plan.agency: agreed
  • Request input, instructions, and guidelines from AOTC to ensure continuity of IT and business operations if applications become unavailable.agency: agreed
Agency response & Auditor reply
Agency: "We will work in conjunction with the AOTC to set up and implement guidelines to ensure continuity of IT and business operations should the Court become inoperable or inaccessible due to an unforeseen disaster."
Auditor: "We acknowledge TDC’s intent to address business continuity planning."

Prior findings revisited

Fixed
"Our review of the status of audit results from our prior audit report No. 2004-1191-4T, issued December 24, 2004, indicated that corrective action had been taken to strengthen controls regarding physical security and environmental protection, user account management, and inventory control over computer equipment."
Still a problem
"Our prior audit indicated that there was limited evidence that formal planning had been performed to restore TDC-based business operations in the event that automated systems and supporting technology were inoperable or inaccessible, or that operational areas within the courthouse were inaccessible."
Fixed
"Our follow-up review noted that TDC has relocated to another facility that provides improved controls regarding physical security and environmental protection for its operations."
Fixed
"Our current audit confirmed that TDC, in conjunction with AOTC, had strengthened inventory controls over IT equipment."
Fixed
"Regarding our current audit, we found that user account management controls were in place and in effect for the application systems utilized by TDC and provided reasonable assurance that users were properly authorized to access the systems."