The Department implemented high-level security policies stating that access to state information resources shall be appropriately managed. Those policies referenced the requirements in Title 1, Texas Administrative Code, Chapter 202, and Texas Government Code, Section 2054.134. However, auditors identified the following areas in which the Department should strengthen its information technology controls:
• The Department did not have detailed documented and approved policies and procedures governing its information technology operations in the areas of (1) assigning administrative access, (2) patching servers, (3) configuring hardware and software, and (4) using firewall hardware and software.
• The Department did not limit access to update data in ACT! based on each user’s job duties. Two users without a business need to update data in ACT! had update access to that application.
• The Department did not provide security requirements to its information technology vendor before it contracted with that vendor to manage the Department’s information technology resources
• The Department did not monitor the activities of its information technology vendor, which operates portions of the Department’s technology environment.
Jump to Chapter 4