Internal Audit Report
Privacy Audit
TxDOT Audit Office
Privacy TxDOT Internal Audit – Full Scope
August 23, 2013

Objective

An evaluation of practices for safeguarding and transmitting non-public or private information in accordance with established policies, procedures and regulations.

Opinion

Based on the audit scope areas reviewed, control mechanisms require improvement and only partially address risk factors and exposures considered significant relative to impacting operational execution and regulatory compliance. The organization's system of internal controls requires improvement in order to provide reasonable assurance that key goals and objectives will be achieved. Improvements are required to minimize existing process variation and to correct control gaps that may result in potentially significant negative impacts to the organization, including the achievement of the organization's business/control objectives.

Management concurs with the above finding and prepared management action plans to address the noted deficiencies.

Internal Environment

The Finance Division (FIN) and Human Resources Division (HRD) have a positive tone regarding the protection of private information and are willing to take actions to ensure that private information is properly secured.

A survey to obtain employees’ perspective on private information was sent to FIN, HRD and six districts. The survey indicated that 83% of the 467 respondents think their management is committed to protecting private information. However, the survey also indicated that employees are concerned about their private information. For example, 39% of the respondents were concerned with the protection of their private information on finance documents, and 35% were concerned with the protection of their private information on human resources documents. Regarding training, 66% stated they had not received any formal or informal training on the protection of private information. Regarding policies and procedures, 46% were unsure whether their district/division has policies or procedures regarding the protection of private information. In addition, respondents provided comments in their survey responses, noting that hard copy documents with private information are left unsecured on desktops, in boxes and on printers and copiers.

Summary Results

Finding 1 – Scope Area: FIN Documents
Evidence: Electronic and hard copy FIN documents with private information were found unsecured at sites tested:
• Electronic travel reimbursements were accessible for 2 of 3 (67%) FIN payment processing mailboxes in the Microsoft® Outlook application. These mailboxes are used to store travel reimbursements submitted by employees for processing and were accessible by other employees.
• Unsecured hard copy documents with private information were identified at 3 of 3 (100%) FIN sites. Documents included travel reimbursements, payroll reports and damage claim accident reports; information included names, social security numbers, and driver’s license numbers.
• Monitoring to protect private information was not occurring at 3 of 3 (100%) FIN sites.

Finding 1 – Scope Area: HRD Documents
Evidence: Electronic and hard copy HRD documents with private information were found unsecured at sites tested:
• Emails containing private information that were sent externally were not encrypted at 7 of 7 (100%) HRD sites.
• Unsecured hard copy documents with private information were identified at 3 of 7 (43%) HRD sites. Documents included personnel files and employment applications/packets; information included names, addresses, and social security numbers.
• Monitoring to protect private information was not occurring at 7 of 7 (100%) HRD sites.

Audit Scope

The audit was performed by Julie Atchison, Milan Hawkins, Robert Juarez, Sabra Vaughan (Engagement Co-Lead) and Raymond Martinez (Engagement Lead). The audit was conducted during the period from June 10 to August 16, 2013.

The audit focused on FIN and HRD. Both of these divisions recently centralized their operations, which means that all satellite offices report to the central office in Austin. Audit testing was performed at 3 FIN sites (central office, FIN-Childress and FIN-San Antonio) and 7 HRD sites (central office, HRD-Abilene, HRD-Childress, HRD-Corpus Christi, HRD-Dallas, HRD-Pharr and HRD-San Antonio).

Methodology

The methodology used to complete the objectives of this audit included the following:
• Interviewing FIN and HRD employees to identify and observe their practices for safeguarding and transmitting private information on FIN documents (i.e., time sheets and travel reimbursements) and HRD documents (i.e., personnel files and employment applications).
• Performing a walk-through at the offices after standard work hours to identify any documents with private information that were not kept in a secured location.
• Surveying employees in FIN, HRD, and six districts to get their perspective on the protection of private information.

Background

This report is prepared for the Transportation Commission, TxDOT Administration and Management. The report presents the results of the Privacy Audit, which was conducted as part of the Fiscal Year 2013 Audit Plan.

The department collects, processes, transmits and stores numerous documents which contain private information for employees, vendors and the general public. Private information on these documents includes names, addresses, social security numbers, driver’s license numbers, bank accounts, and medical information. Examples of documents with private information include travel reimbursements, payroll documents, personnel files, and employment applications. Since the department collects this information, it is expected that the department properly safeguard the information to minimize the risk of an information breach.

Currently, the department still uses social security numbers to identify employees. Social security numbers are used because the Comptroller’s Office and the Employees Retirement System use them as a primary identifier, and Financial and Human Resource documents go through those agencies. An effort has begun to replace certain private information (e.g., social security numbers) on some of these documents after the Comptroller’s Office had a breach of private information.

Information breaches at organizations are becoming more frequent. A 2012 independent survey reported that 59% of responding organizations suffered an information breach incident in the last year. Most of these incidents were caused by employees losing paper files or misplacing portable memory devices. A 2013 independent survey reported that the average cost of a data breach was $5.4 million and the average cost per breached record was $188.

We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards and in conformance with the International Standards for the Professional Practice of Internal Auditing. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

A defined set of control objectives was utilized to focus on the operational and regulatory goals for the identified scope areas. Our audit opinion is an assessment of the health of the overall control environment based on (1) the effectiveness of the enterprise risk management activities throughout the audit period and (2) the degree to which the defined control objectives were being met. Our audit opinion is not a guarantee against operational sub-optimization or regulatory non-compliance, particularly in areas not included in the scope of this audit.

Best Practice

The receptacle bins at two HRD satellite offices had locks on the lids to help protect the information on the hard copy documents that were discarded into the bins. These bins were provided under a contract.

Detailed Finding and Management Action Plans (MAPs)

Finding No. 1: Safeguarding and Monitoring Private Information

Condition

Electronic and hard copy FIN and HRD documents with non-public or private information were found unsecured at 10 of the 10 (100%) FIN and HRD sites that were tested. Non-public or private information found unsecured included names, addresses, social security numbers, driver’s license numbers, financial and medical information. This information was accessible to other employees who do not have a business need for the information. In addition, some of the information was accessible to contractors, visitors, and the general public.

Monitoring for unsecured documents and of the practices in place to protect private information did not occur at various FIN and HRD sites tested.

Effect/Potential Impact

Unsecured documents with non-public or private information, and the absence of regular monitoring to protect private information, can potentially lead to the following:
• an information breach with financial impacts
• identity theft of employees and third parties
• a negative impact on the department’s reputation

The likelihood of these risks can rise given the increase in non-TxDOT personnel with access to the department’s facilities.

Criteria & Cause

The Texas Public Information Act states that information should be made available to the public with certain exceptions, such as confidential information, certain personnel information, and credit card information.

The TxDOT Information Security Manual (Chapter 4, Section 1) states that information resources are valuable assets and measures must be taken to protect these assets against unauthorized access, disclosure, modification or destruction.

The Consumer Bill of Rights published by the White House provides a blueprint for protecting privacy in the information age as a best practice, including the following principles:
• security – consumers have a right to secure and responsible handling of their personal data
• accountability – consumers have a right to have their personal data handled by companies with appropriate measures in place to assure adherence to their rights

The reasons why the documents with private information were found unsecured include the following:
• limited department-wide policies and procedures on protecting private information
• limited FIN/HRD policies and procedures on protecting private information
• no monitoring to ensure private information is safeguarded
• no formal training after new employee orientation
• inconsistent employee practices
• reliance on a locked or badge-controlled building

Evidence

The audit team interviewed FIN and HRD employees to identify and observe their practices for safeguarding and transmitting private information for FIN documents (i.e., time sheets and travel reimbursements) and HRD documents (i.e., personnel files and employment applications). The audit team also conducted walk-throughs after standard work hours to identify any documents containing private information that were unsecured. This audit work was conducted at 3 FIN sites and 7 HRD sites.

FIN Documents
• Electronic travel reimbursements were accessible by the auditors for 2 of 3 (67%) FIN Microsoft® Outlook payment processing mailboxes (without requesting access). These mailboxes are used to store travel reimbursements submitted by the employees for processing and were found to be accessible by other employees. (Note: two additional payment processing mailboxes used by FIN were found to be secured.)
• Unsecured hard copy documents with private information were identified at 3 of 3 (100%) FIN sites. Documents included travel reimbursements, payroll reports and damage claim accident reports, and the information included names, social security numbers, and driver’s license numbers.
• Monitoring to protect private information was not occurring at 3 of 3 (100%) FIN sites. The audit team did not find any written procedures or established practices for monitoring the protection of private information, such as performing a walk-through after standard work hours.

Note that the Finance Division has already taken proper steps to secure the two Outlook payment processing mailboxes that were accessible by the auditors for the electronic travel reimbursements.

HRD Documents
• Emails containing private information that were sent externally were not encrypted at 7 of 7 (100%) HRD sites. These various emails contain human resource documents with private information.
• Unsecured hard copy documents with private information were identified at 3 of 7 (43%) HRD sites. These documents included personnel files and employment applications/packets, and the information included names, addresses, and social security numbers.
• Monitoring to protect private information was not occurring at 7 of 7 (100%) HRD sites. The audit team did not find any written procedures or established practices for monitoring the protection of private information, such as performing a walk-through after standard work hours.

Management Action Plan (MAP):

MAP Owners: Lanny Wadle, FIN Deputy Director and Paul Campbell, FIN Director of Payments Services

MAP 1.1 – FIN will develop written policies and procedures on protecting the non-public/private information on electronic and hard copy documents to ensure that the information is adequately safeguarded at point of collection, processing point, during transmission and in storage. These directives will include the following:
• defining private information
• establishing required safeguards for protecting non-public/private information
• providing training on how to safeguard non-public/private information
• establishing a process to monitor and assure non-public/private information is safeguarded

Completion Date: October 15, 2013

MAP Owner: Lanny Wadle, FIN Deputy Director

MAP 1.2 – A high priority ticket was entered in TxDOT Now on 8/7/13, and with the help of NTT Data personnel, access rights to FIN payment processing mailboxes were reviewed and changed to restrict access to only those employees who have a business need. The four FIN Regional Accounting Managers, the FIN Business Analyst and NTT Data personnel tested the new access rights to ensure the mailboxes were secure. In the future, during FIN’s semiannual mainframe security access review, these mailboxes will be tested for accessibility by FIN management.

Completion Date: Completed

MAP Owner: Janine Mays, HRD Director

MAP 1.3 – HRD will work with the encryption tool provided by the Information Technology Division (ITD) and with the TxDOT Now Help Desk, as needed, to ensure that emails with documents containing private information that are sent outside the department by HRD employees are properly protected.

Unsecured hard copies have been addressed by making all HR employees aware of the need to ensure that documents, especially in badged areas, are secured within the work areas. This is a practice that managers have been instructed to review and reiterate with HR staff on a consistent basis. Examples would include discussions/reminders at weekly staff meetings. This is an agenda item on the weekly managers’ meeting starting with the week of August 15, 2013. It will continue on an ongoing basis. Keeping this process as an ongoing discussion will reinforce the importance of protecting employee data.

All HR employees have or will have a task in the evaluation that addresses the need for protecting the confidentiality of all HR related documents. This will be implemented in the 2013 evaluation cycle (December 2013).

Badge access will also be reviewed to determine the need for accessibility. The review of badge access will be conducted on an annual basis to determine the ongoing need of accessibility to file areas. Currently the badge system is being reviewed and revised in the district field offices.

Completion Date: December 15, 2013

MAP Owner: Mark Evans, ITD Director of Information Technology (IT) Performance and Management

MAP 1.4 – TxDOT currently has a policy specifically addressing the encryption of confidential or personal information sent via email outside of the agency. ITD has approved a specific program as the tool to encrypt documents. This program is available for download at the ITD Crossroads page.

Completion Date: Completed

Summary Results Based on Enterprise Risk Management Framework

Closing Comments

The results of this audit were discussed with the Finance Division and Human Resources Division Directors. We appreciate the assistance and cooperation received from all the division staff contacted during this audit.