FORT WAYNE – Fort Waynes information technology department failed to perform regular reviews of who had access to city computer systems, allowing dozens of potentially unauthorized users to access city data, according to an internal city audit.
The audit detailed several concerns with computer system access by the department. In addition, it outlined concerns over the lack of a proper contingency plan were the main system to be incapacitated by a disaster.
City audit employees conducted the review by looking at activities from Jan. 1, 2009, through Sept. 30, 2011. The audit, which included a review of work done by the citys IT contractor, Atos, was released late last week.
It found 86 active user accounts – out of 2,277 – for employees who were classified as terminated. One such account had the ability to access the citys system remotely.
The audit also said new user accounts were not always properly authorized and neither the city nor Atos performed periodic reviews of user accounts.
Insufficient user access controls increase the risk of unauthorized access, disclosure, modification or destruction of critical or sensitive information on the system, the audit said.
Part of the reason the city had so many terminated employees with active accounts is because managers would ask to leave a user account open so they could receive and address any incoming email messages. The contractor then leaves the account open and waits for direction, which does not always happen.
The department, which is led by Jim Haley, responded to the audit by stating it will work with Atos to create policies to avoid access concerns. For example, upon termination, an employees account will be immediately deactivated, although the employees email will be forwarded to a supervisor. In addition, user accounts will be reviewed at least twice a year.
The improvements are to be made this year.
The audit also reported problems with contingency planning to help the city recover its computer systems in the event of a disaster – or even created an analysis showing how a disruption of computer services would affect city operations.
A backup facility has not been created because of its cost, according to the report.
Historically, the cost of eliminating the risk outweighed the benefit, according to the report.
The city even removed the goal from Atos contract that covered disaster recovery planning.
According to the department, the city began working with Allen County in 2009 to create a backup location at the Public Safety Academy of Northeast Indiana.
The facility is expected to be complete by the end of the year with the police computer system to be the first to use it.
More systems will be added as money is made available.