Auditors identified a total of 19 user accounts that granted DPS programmers inappropriate administrative access to the servers, application, and production databases for the Computerized Criminal History System.
All seven of the changes that auditors tested, from among the changes programmers made to the Computerized Criminal History System in fiscal year 2015, were properly approved, including two changes that were categorized as emergency changes. DPS also performed a post-implementation review to verify that the two emergency changes had no unexpected effects on the system. However, a lack of segregation of duties among staff involved in the change management process increases the risk of unauthorized changes to the Computerized Criminal History System. Specifically:
• Five (71.43 percent) of the 7 changes were released into production by the same programmer who created the change.
DPS had an adequate process to recover data from its local virtual tape library backup; however, as of December 2015, DPS reported that it had not performed and documented a full recovery test.
Furthermore, DPS did not have a documented process to recover data from its remote location. DPS policy requires it to review its offsite backup storage procedures annually.