Internal Audit Report
Privacy Audit
TxDOT Audit Office
Privacy
TxDOT Internal Audit – Full Scope
Objective
An evaluation of practices for safeguarding and transmitting non-public or private
information in accordance with established policies, procedures and regulations.
Opinion
Based on the audit scope areas reviewed, control mechanisms require improvement and
only partially address risk factors and exposures considered significant relative to impacting
operational execution and regulatory compliance. The organization's system of internal
controls requires improvement in order to provide reasonable assurance that key goals and
objectives will be achieved. Improvements are required to minimize existing process
variation and control gap corrections that may result in potentially significant negative
impacts to the organization including the achievement of the organization's
business/control objectives.
Management concurs with the above finding and prepared management action plans to
address the noted deficiencies.
Internal Environment
The Finance Division (FIN) and Human Resources Division (HRD) have a positive tone
regarding the protection of private information and are willing to take actions to ensure that
private information is properly secured.
A survey to obtain employees’ perspective on private information was sent to FIN, HRD and
six districts. The survey indicated that 83% of the 467 respondents think their management
is committed to protecting private information. However, the survey also indicated that
employees are concerned about their private information. For example, 39% of the
respondents were concerned with the protection of their private information on finance
documents, and 35% were concerned with the protection of their private information on
human resources documents. Regarding training, 66% stated they had not received any
formal or informal training on the protection of private information. Regarding policies and
procedures, 46% were unsure whether their district/division has policies or procedures
regarding the protection of private information.
In addition, respondents provided comments in their survey response. Respondents
commented on the fact that hard copy documents with private information are left
unsecured on desktops, in boxes and on printers and copiers.
August 23, 2013
Summary Results

Finding 1 – Scope Area: FIN Documents
Evidence: Electronic and hard copy FIN documents with private information were found
unsecured at sites tested:
• Electronic travel reimbursements were accessible for 2 of 3 (67%) FIN payment
processing mailboxes in the Microsoft® Outlook application. These mailboxes are used
to store travel reimbursements submitted by employees for processing and were
accessible by other employees.
• Unsecured hard copy documents with private information were identified at 3 of 3
(100%) FIN sites. Documents included: travel reimbursements, payroll reports and
damage claim accident reports; information included names, social security numbers,
and driver’s license numbers.
• Monitoring to protect private information was not occurring at 3 of 3 (100%) FIN
sites.

Finding 1 – Scope Area: HRD Documents
Evidence: Electronic and hard copy HRD documents with private information were found
unsecured at sites tested:
• Emails containing private information that were sent externally were not encrypted
at 7 of 7 (100%) HRD sites.
• Unsecured hard copy documents with private information were identified at 3 of 7
(43%) HRD sites. Documents included: personnel files and employment
applications/packets; information included names, addresses, and social security
numbers.
• Monitoring to protect private information was not occurring at 7 of 7 (100%) HRD
sites.
Audit Scope
The audit was performed by Julie Atchison, Milan Hawkins, Robert Juarez, Sabra Vaughan
(Engagement Co-Lead) and Raymond Martinez (Engagement Lead). The audit was
conducted during the period from June 10 to August 16, 2013.
The audit focused on FIN and HRD. Both of these divisions recently centralized their
operations, which means that all satellite offices report to the central office in Austin. Audit
testing was performed at 3 FIN sites (central office, FIN-Childress and FIN-San Antonio) and
7 HRD sites (central office, HRD-Abilene, HRD-Childress, HRD-Corpus Christi, HRD-Dallas,
HRD-Pharr and HRD-San Antonio).
Methodology
The methodology used to complete the objectives of this audit included the following:
• Interviewing FIN and HRD employees to identify and observe their practices for
safeguarding and transmitting private information on FIN documents (i.e., time
sheets and travel reimbursements) and HRD documents (i.e., personnel files and
employment applications).
• Performing a walk through at the offices after standard work hours to identify any
documents with private information that were not kept in a secured location.
• Surveying employees in FIN, HRD, and six districts to get their perspective on the
protection of private information.
Background
This report is prepared for the Transportation Commission, TxDOT Administration and
Management. The report presents the results of the Privacy Audit which was conducted as
part of the Fiscal Year 2013 Audit Plan.
The department collects, processes, transmits and stores numerous documents, which
contain private information for employees, vendors and the general public. Private
information on these documents includes names, addresses, social security numbers,
driver’s license numbers, bank accounts, and medical information. Examples of documents
with private information include travel reimbursements, payroll documents, personnel files,
and employment applications. Since the department collects this information, it is expected
that the department properly safeguard the information to minimize the risk of an
information breach.
Currently, the department still uses social security numbers to identify employees. Social
Security numbers are used because the Comptroller’s Office and the Employees Retirement
System use them as a primary identifier, and Financial and Human Resource documents go
through those agencies. An effort has begun to replace certain private information (e.g.
social security numbers) on some of these documents after the Comptroller’s Office had a
breach of private information.
Organizations are experiencing more information breaches. A 2012 independent survey reported
that 59% of responding organizations suffered an information breach incident in the last
year. Most of these incidents were caused by employees losing paper files or misplacing
portable memory devices. A 2013 independent survey reported that the average cost of a
data breach was $5.4 million and the average cost per breached record was $188.
We conducted this performance audit in accordance with Generally Accepted Government
Auditing Standards and in conformance with the International Standards for the
Professional Practice of Internal Auditing. Those standards require that we plan and
perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis
for our findings and conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions based on
our audit objectives.
A defined set of control objectives was utilized to focus on the operational and regulatory
goals for the identified scope areas. Our audit opinion is an assessment of the health of the
overall control environment based on (1) the effectiveness of the enterprise risk
management activities throughout the audit period and (2) the degree to which the defined
control objectives were being met. Our audit opinion is not a guarantee against operational
sub-optimization or regulatory non-compliance, particularly in areas not included in the
scope of this audit.
Best Practice
The receptacle bins at two HRD satellite offices had locks on the lids to help protect the
information on the hard copy documents that were discarded into the bins. These bins were
provided under a contract.
Detailed Finding and Management Action Plans (MAPs)
Finding No. 1: Safeguarding and Monitoring Private Information
Condition
Electronic and hard copy FIN and HRD documents with non-public or private information
were found unsecured at 10 of the 10 (100%) FIN and HRD sites that were tested.
• Non-public or private information found unsecured included names, addresses,
social security numbers, driver’s license numbers, financial and medical information.
• This information was accessible to other employees who do not have a business
need for the information. In addition, some of the information was accessible to
contractors, visitors, and the general public.
Monitoring for unsecured documents and of the practices in place to protect private
information did not occur at various FIN and HRD sites tested.
Effect/Potential Impact
Unsecured documents with non-public or private information and not monitoring to protect
private information on a regular basis can potentially lead to the following:
• an information breach with financial impacts
• identity theft of employees and third parties
• a negative impact on the department’s reputation
The likelihood of these risks can rise given the increase in non-TxDOT personnel with access
to the department’s facilities.
Criteria & Cause
The Texas Public Information Act states that information should be made available to the
public with certain exceptions, such as confidential information, certain personnel
information, and credit card information.
The TxDOT Information Security Manual (Chapter 4, Section 1) states that information
resources are valuable assets and measures must be taken to protect these assets against
unauthorized access, disclosure, modification or destruction.
The Consumer Bill of Rights published by the White House provides a blueprint for
protecting privacy in the information age as a best practice, including the following principles:
• security – consumers have a right to secure and responsible handling of their
personal data
• accountability – consumers have a right to have their personal data handled by
companies with appropriate measures in place to assure adherence to their rights
The reasons why the documents with private information were found unsecured include the
following:
• limited department-wide policies and procedures on protecting private information
• limited FIN/HRD policies and procedures on protecting private information
• no monitoring to ensure private information is safeguarded
• no formal training after new employee orientation
• inconsistent employee practices
• reliance on a locked or badge controlled building
Evidence
The audit team interviewed FIN and HRD employees to identify and observe their practices
for safeguarding and transmitting private information for FIN documents (i.e., time sheets
and travel reimbursements) and HRD documents (i.e., personnel files and employment
applications). The audit team also conducted walk throughs after standard work hours to
identify any documents containing private information that were unsecured. This audit work
was conducted at 3 FIN sites and 7 HRD sites.
FIN Documents
• Electronic travel reimbursements were accessible by the auditors for 2 of 3 (67%) FIN
Microsoft® Outlook payment processing mailboxes (without requesting access).
These mailboxes are used to store travel reimbursements submitted by the
employees for processing and were found to be accessible by other employees.
(Note: two additional payment processing mailboxes used by FIN were found to be
secured).
• Unsecured hard copy documents with private information were identified at 3 of 3
(100%) FIN sites. Documents included travel reimbursements, payroll reports and
damage claim accident reports, and the information included names, social security
numbers, and driver’s license numbers.
• Monitoring to protect private information was not occurring at 3 of 3 (100%) FIN
sites. The audit team did not find any written procedures or established practices for
monitoring the protection of private information such as performing a walk through
after standard work hours.
Note: the Finance Division has already taken proper steps to secure the two Outlook
payment processing mailboxes that were accessible by the auditors for the electronic travel
reimbursements.
HRD Documents
• Emails containing private information that were sent externally were not encrypted at
7 of 7 (100%) HRD sites. These various emails contain human resource documents
with private information.
• Unsecured hard copy documents with private information were identified at 3 of 7
(43%) HRD sites. These documents included personnel files and employment
applications/packets, and the information included names, addresses, and social
security numbers.
• Monitoring to protect private information was not occurring at 7 of 7 (100%) HRD
sites. The audit team did not find any written procedures or established practices for
monitoring the protection of private information such as performing a walk through
after standard work hours.
Management Action Plan (MAP):
MAP Owners: Lanny Wadle, FIN Deputy Director and Paul Campbell, FIN Director of
Payments Services
MAP 1.1 – FIN will develop written policies and procedures on protecting the
non-public/private information on electronic and hard copy documents to ensure that the
information is adequately safeguarded at point of collection, processing point, during
transmission and in storage. These directives will include the following:
• defining private information
• establishing required safeguards for protecting non-public/private information
• providing training on how to safeguard non-public/private information
• establishing a process to monitor and assure non-public/private information is
safeguarded
Completion Date: October 15, 2013
MAP Owner: Lanny Wadle, FIN Deputy Director
MAP 1.2 – A high priority ticket was entered in TxDOT Now on 8/7/13, and with the help of
NTT Data personnel, access rights to FIN payment processing mailboxes were reviewed and
changed to restrict access to only those employees who have a business need. The four FIN
Regional Accounting Managers, the FIN Business Analyst and NTT Data personnel tested the
new access rights to ensure the mailboxes were secure. In the future during FIN’s semiannual mainframe security access review, these mailboxes will be tested for accessibility by
FIN management.
Completion Date: Completed
MAP Owner: Janine Mays, HRD Director
MAP 1.3 – HRD will work with the encryption tool provided by Information Technology
Division (ITD) and with the TxDOT Now Help Desk, as needed, to ensure that emails with
documents containing private information that are sent outside the department by HRD
employees are properly protected.
Unsecured hard copies have been addressed by making all HR employees aware of the
need to ensure that documents, especially in badged areas, are secured within the work
areas. This is a practice that managers have been instructed to review and reiterate with
HR staff on a consistent basis. Examples would include discussions/reminders at weekly
staff meetings. This is an agenda item on the weekly managers’ meeting starting with the
week of August 15, 2013. It will continue on an ongoing basis. Keeping this process as an
ongoing discussion will reinforce the importance of protecting employee data.
All HR employees have or will have a task in the evaluation that addresses the need for
protecting the confidentiality of all HR related documents. This will be implemented in the
2013 evaluation cycle (December 2013). Badge access will also be reviewed to determine
the need for accessibility. The review of badge access will be conducted on an annual basis
to determine the ongoing need of accessibility to file areas. Currently the badge system is
being reviewed and revised in the district field offices.
Completion Date: December 15, 2013
MAP Owner: Mark Evans, ITD Director of Information Technology (IT) Performance and
Management
MAP 1.4 – TxDOT currently has a policy specifically addressing the encryption of confidential
or personal information sent via email outside of the agency. ITD has approved a specific
program as the tool to encrypt documents. This program is available for download at the ITD
Crossroads page.
Completion Date: Completed
Summary Results Based on Enterprise Risk Management Framework
Closing Comments
The results of this audit were discussed with the Finance Division and Human Resources
Division Directors. We appreciate the assistance and cooperation received from all the
division staff contacted during this audit.