The Department established documented policies and controls for the use of its information systems.
However, the Department should improve its user access controls and processes for deleting inspection and
The Department’s policies require it to disable user accounts when they are no longer needed and to conduct user
access reviews. The Department also obtained a System and Organization Controls (SOC) Report for the third-party
vendor that maintains VERSA. That report did not identify any issues related to change management, policies and
procedures, and backup and recovery. Additionally, the Department established password rules and settings that
complied with its policies.
While the Department removed network access for separating employees, it did not consistently disable those users' access to VERSA in a timely manner.
In addition, the Department should improve its reviews of user access.
The Department did not have adequate controls over the deletion of inspection and complaint records. Specifically, some users can delete records without any review or approval being required. The Department also does not have processes for monitoring its inspection and complaint records to identify deletions and verify that they are authorized.