[ISN] Auditor critical of county's computer operations

From: InfoSec News (isnat_private)
Date: Thu May 15 2003 - 00:36:46 PDT

  • Next message: InfoSec News: "[ISN] Feds To Refocus on Cybersecurity"

    http://www.dailyherald.com/kane/main_story.asp?intID=3775583
    
    By Charles Keeshan 
    Daily Herald Staff Writer
    Posted May 14, 2003 
    
    McHenry County has no plan for how it would recover and reinstate tax
    records, property deeds and thousands of other files stored on its
    computers should the county government center in Woodstock suffer a
    natural or technological disaster.
    
    That was one of several criticisms leveled Tuesday at the county's
    Information Technology Department by an auditor examining how the
    county conducted its business during the last fiscal year. The
    department also lacks proper supervision, does not have adequate
    security measures in place and acts too slowly to deny fired workers
    access to county computers, according to the audit.
    
    "Procedures and controls need to be strengthened over at (Information
    Technology)," said Linda Abernathy, a representative of the county's
    auditing firm McGladrey and Pullen.
    
    The critique of the Information Technology Department was about the
    only fault in county practices Abernathy highlighted Tuesday when she
    detailed her firm's 160-page comprehensive annual financial report to
    the county board's finance committee.
    
    The findings were not unexpected by committee members or Information
    Technology Director Tom Sullivan, who said they're aware of the
    problems and are addressing them as quickly as possible.
    
    "I don't think there's anything in there that really surprises us,"  
    Sullivan said. "We're working on these things and we have to allocate
    some dollars to make it happen."
    
    Finance committee Chairman Marc Munaretto said the county is taking
    the criticism seriously and hopes to fix the problems outlined in the
    audit report by the end of the year.
    
    According to the report, auditors found three main flaws with how the
    county's information technology department - in charge of all
    computers and related technology - operates. First among them was the
    lack of a plan to keep county operations functioning in the event of
    severe computer problems.
    
    "Although tape back-up storage is maintained off-site, there is no
    written disaster recovery plan addressing such things as a site where
    to operate, how to procure necessary hardware, how much hardware would
    be necessary, how to install the backed-up information, testing the
    plan and responsibility for executing the plan," the report states.
    
    The report also outlines security issues with information technology,
    including employees sharing their passwords with co-workers, leaving
    their work stations unattended and poor monitoring of employees'
    computer usage.
    
    Munaretto said the security issues will be addressed, but noted there
    have not been any problems because of a lack of security to date.
    
    "We're not aware of one incident in which there's been unauthorized
    access (to the county network)," he said.
    
    In a written response to the report, Sullivan states that his
    department does not have the resources to properly monitor the
    computer usage of county workers.
    
    Sullivan also states that the creation of a disaster plan is in the
    works, but that implementing it would require additional funding to
    his department.Computer: Director says more staffing required
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu May 15 2003 - 03:03:58 PDT