Citywide Identity Management
Performance Audit
March 2014

Office of the Auditor
Audit Services Division
City and County of Denver

Dennis J. Gallagher
Auditor

The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring the proper and efficient use of City resources and providing other audit services and information to City Council, the Mayor and the public to improve all aspects of Denver’s government. He also chairs the City’s Audit Committee.

The Audit Committee is chaired by the Auditor and consists of seven members. The Audit Committee assists the Auditor in his oversight responsibilities of the integrity of the City’s finances and operations, including the integrity of the City’s financial statements. The Audit Committee is structured in a manner that ensures the independent oversight of City operations, thereby enhancing citizen confidence and avoiding any appearance of a conflict of interest.

Audit Committee
Dennis Gallagher, Chair
Robert Bishop
Maurice Goodgaine
Jeffrey Hart
Leslie Mitchell
Timothy O’Brien, Vice-Chair
Rudolfo Payan

Audit Staff
Audrey Donovan, Deputy Director, CIA, CRMA, CGAP
Robert Pierce, IT Audit Supervisor, CISA, CISSP
Shannon Kuhn, Lead IT Auditor, CISA
Nicholas Jimroglou, Senior IT Auditor
Jacqueline Boline, Senior IT Auditor

You can obtain copies of this report by contacting us at:
Office of the Auditor
201 West Colfax Avenue, Department 705
Denver CO, 80202
(720) 913-5000
Fax (720) 913-5247

Or download and view an electronic copy by visiting our website at: www.denvergov.org/auditor

March 20, 2014

Mr. Frank Daidone, Chief Information Officer
Technology Services
City and County of Denver

Dear Mr. Daidone:

Attached is the Auditor’s Office Audit Services Division’s report of its audit of Citywide Identity Management. The purpose of the audit was to assess the effectiveness of internal controls used by Technology Services organizations, the Department of General Services’ Facilities Management unit, and the Office of Human Resources to manage and monitor access to City systems and data.

We tested both physical and logical access to City systems and facilities. For physical access, we focused on the buildings under the control of General Services Facilities Management (GSFM) and the Department of Human Services (DHS). For logical access, we tested all of the networks in use throughout the City. During the course of the audit, we identified that access to all of the buildings tested was not solely administered by GSFM and DHS. As a result, copies of this report will be provided to all agencies where improvements are required.

We identified several areas where controls need to be improved related to identity management. Our audit recommendations address processes related to both logical and physical access controls. If implemented, these recommendations will enhance security across the City and help ensure that access to sensitive information is appropriately restricted.

If you have any questions, please call Kip Memmott, Director of Audit Services, at 720-913-5000.

Sincerely,
Dennis J. Gallagher
Auditor

rp/DG

cc: Honorable Michael Hancock, Mayor
Honorable Members of City Council
Members of Audit Committee
Ms. Cary Kennedy, Deputy Mayor, Chief Financial Officer

To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation.

AUDITOR’S REPORT

We have completed an audit of Citywide Identity Management. The purpose of the audit was to assess the effectiveness of internal controls used by the City to manage and monitor access to City systems and data. In addition to assessing overall City controls, the audit examined identity management practices for the Departments of Aviation, Human Resources, General Services, and Technology Services as well as the Denver County Court.

This performance audit is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, General Powers and Duties of Auditor, and was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

The audit found that the City does not have an adequate identity management governance structure in place to ensure that the risk of inappropriate access to City facilities and systems is mitigated. We found that the lack of consistent processes for granting and revoking physical and logical access has resulted in former employees retaining access to information that is protected by the federal Health Insurance Portability and Accountability Act as well as the Criminal Justice Information System Security Policy. This report makes a number of specific recommendations that will strengthen the governance surrounding these issues and ensure that access to City facilities and systems is appropriate.

We extend our appreciation to Technology Services, Denver International Airport Technologies, Denver County Court Technologies, Facilities Management, and the Office of Human Resources and the personnel who assisted and cooperated with us during the audit.

Audit Services Division
Kip Memmott, MA, CGAP, CRMA
Director of Audit Services

REPORT HIGHLIGHTS
Citywide Identity Management Performance Audit, March 2014

The audit focused on Citywide identity management of both physical and logical access to systems and data.

Background

Identity management is the task of controlling information about users on computers. This information includes credentials that authenticate the identity of a user within systems. Information can include user descriptions and actions they are authorized to access and perform. Access to physical spaces can also be handled through identity management when software is the mechanism to grant and revoke building access.

Highlights

The audit found that improvements need to be made to the City’s identity management governance with regard to both physical and logical access.
Specifically we identified:

• Thirty-eight active network accounts were not removed for former employees and contractors who are no longer affiliated with the City. Six of these accounts appear to have been logged into after separating from the City.
• One hundred physical access badges were not disabled for former employees with clearances that allowed access to doors to the Denver Human Services Records Room, Child Welfare Office, 911 Emergency Communications Center, District and City Attorney’s Offices, and the City data centers.
• Former employees retained access to hard copy child welfare and health information protected by the Health Insurance Portability and Accountability Act.
• A former Technology Services employee retained remote access to databases containing criminal information restricted by the Criminal Justice Information Services Security Policy.
• One individual within the City Attorney’s Office did not have logical or physical access revoked following employment.

These and other instances of inappropriate access have occurred as a result of the City not having an adequate governance process in place to manage all steps in granting and revoking access to facilities and systems.

Purpose

The purpose of this audit was to determine whether physical and logical access control policies are in place and adhered to; personnel with identity management responsibilities are adequately trained; access provisioning and de-provisioning is appropriately performed; periodic entitlement reviews are conducted to identify unauthorized access; password parameters align with best practices and the Federal Information Security Management Act; and access is managed in compliance with applicable regulations.

For a complete copy of this report, visit www.denvergov.org/auditor or contact the Auditor’s Office at 720.913.5000.

TABLE OF CONTENTS

INTRODUCTION & BACKGROUND
    Identity Management
    Breach Case Studies
    Background on Applicable Laws and Regulations
    Logical Access Controlled through Centralized Directory Services
    Physical Access Control Systems
SCOPE
OBJECTIVE
METHODOLOGY
FINDING
    The City Needs to Improve Governance around Identity Management to Ensure that Access to Facilities and Systems Is Appropriately Restricted
RECOMMENDATIONS
AGENCY RESPONSE

INTRODUCTION & BACKGROUND

Identity Management

Identity management (IdM) is the task of controlling information about users on computers. This information includes credentials that authenticate the identity of a user, information that describes users, and actions users are authorized to perform. It also includes the management of descriptive information about the users and how and by whom that information can be accessed and modified. Managed areas typically include users, hardware, network resources, applications, and physical premises. Effective governance around identity management helps ensure that access to facilities and systems is appropriately controlled and that threats related to unauthorized access are minimized.

Threats to Denver City agencies are very real. The following example demonstrates effective identity management and physical access control and also illustrates the type of threat that a City like Denver faces when providing numerous public services to its citizens. On November 11, 2013, the Denver Post reported an incident involving a woman who drove a car onto the sidewalk, set the vehicle on fire, and then watched it burn in front of the Wellington E. Webb Municipal Office Building (Webb Building). [1] The Webb Building houses several key City agencies including the District and City Attorney’s Offices, the Controller’s Office, and Technology Services.
The Denver Post reported that, after lighting fire to her car, the woman briefly entered the Webb Building at the main entrance off West Colfax Avenue. The woman was stopped before she could pass building security and the metal detectors, but she did publicly demonstrate one type of threat the City and County of Denver faces when providing numerous public services to Denver citizens.

In today’s world of increased threats related to computer hacking and terrorism, effective governance around identity management is critical. Following are a few risks associated with weak identity management:

• Increased risk to public and employee safety
• Loss or compromise of sensitive data protected by rules and regulations
• Heightened risk of costly fines, negative publicity, and an erosion of public trust
• Increased risk of fraud
• Elevated exposure to computer network hacking and malware

[1] “Denver police arrest woman suspected of setting car ablaze downtown,” Denver Post, accessed January 2, 2014, http://www.denverpost.com/breakingnews/ci_24476139/car-erupts-into-flames-thick-smoke-near-webb.

Breach Case Studies

A data breach is the intentional or unintentional release of secure information to an unsecured or non-trusted environment. Data breaches can be costly, create negative publicity, and occur in a number of ways. Following are a few examples of breaches that have occurred recently:

• Target Corporation had a massive data breach on November 15, 2013, when the company’s payment system was hacked, exposing more than 40 million debit and credit cards. The hack occurred as a result of a third-party vendor having access to the Target network. Corporations often allow third-party vendors remote network access to perform periodic maintenance on information systems. It is believed that hackers stole the third-party network credentials, which allowed them to gain access to Target’s payment system. [2]
• The City of Springfield, Missouri, had one of its websites hacked on February 28, 2012. Hackers were able to obtain more than 6,000 records containing social security numbers from online police records as well as more than 15,000 records relating to warrant information, including crime data. Officials are taking steps to notify approximately 2,100 individuals whose personal information may have been obtained when the site was breached. [3]
• The Alaska Department of Health and Human Services (DHHS) agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle potential violations of the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule for a breach that occurred on July 26, 2012. The HHS Office for Civil Rights’ (OCR’s) investigation followed a breach report submitted by DHHS as required by the Breach Notification Rule within the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a USB thumb drive, possibly containing electronic protected health information (ePHI), was stolen from the vehicle of a DHHS employee. Over the course of the investigation, OCR found that DHHS did not have adequate policies and procedures in place to safeguard ePHI. Further, DHHS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule. [4]

[2] “Target Hackers Broke in Via HVAC Company,” Krebs on Security, accessed February 6, 2014, http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/.
[3] “Springfield city website hacked as part of series of hacks involving government and law enforcement,” databreaches.net, accessed February 6, 2014, http://www.databreaches.net/mo-springfield-city-website-hacked-as-part-of-series-of-hacksinvolving-government-and-law-enforcement/.
[4] “Alaska settles HIPAA security case for $1,700,000,” U.S. Department of Health and Human Services, accessed January 2, 2014, http://www.hhs.gov/news/press/2012pres/06/20120626a.html.

Background on Applicable Laws and Regulations

Due to the breadth of services that the City provides, the City must comply with a number of rules and regulations designed to protect the personal data of the City’s employees and residents. Following are examples of a few applicable rules and regulations that relate to some of the services the City and County of Denver provides:

The Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rule: [5] HIPAA establishes national standards to protect the confidentiality, integrity, and availability of individuals’ protected health information that is created, received, used, or maintained by a covered entity. The Privacy Rule gives individuals rights over their protected health information and sets rules and limits regarding who can look at and receive that health information. The Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure.

There are a variety of ways in which a city may be considered a covered entity under HIPAA, and the rule potentially impacts several departments if the city does any of the following:

• Administers a public health program, such as the Department of Human Services
• Administers police and corrections departments that retain health information on inmates
• Contracts with or is considered a business associate of a covered entity, such as a third-party administrator for its self-insured health plan, or is a plan sponsor under a fully insured health plan
• Owns medical clinics, hospitals, or ambulance services, such as the Denver 911 Emergency Communications Center
• Performs certain health plan functions on behalf of the insurance carrier
• Offers employees a Health Flexible Spending Account
• Transmits individual health information electronically

Several of Denver’s agencies are considered Covered Entities under HIPAA and are subject to the HIPAA Privacy and Security Rules that are in place to ensure the privacy of an individual’s health information. The HHS OCR is responsible for administering and enforcing the standards and may conduct complaint investigations and compliance reviews of Covered Entities. Another key component of HIPAA’s HITECH Act is that agencies are required to provide the Secretary of HHS with notice of breaches of protected health information.

[5] 45 C.F.R. § 160 and Subparts A and C of § 164 (2013).

Criminal Justice Information System (CJIS) Security Policy: [6] Due to the need for increased information sharing between federal, state, and local law enforcement agencies, the Federal Bureau of Investigation (FBI) has developed the CJIS policy to provide consistent guidelines for all law enforcement agencies to follow when securing Criminal Justice Information (CJI).
The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI. The policy integrates presidential directives, federal laws, FBI directives, and the criminal justice community’s Advisory Policy Board decisions along with nationally recognized guidance from the National Institute of Standards and Technology (NIST). The Denver Police, Sheriff, and Fire Departments, the District and City Attorney’s Offices, and other City agencies with access to databases containing CJI must be physically and logically secured in compliance with CJIS requirements.

Payment Card Industry Data Security Standards (PCI DSS): [7] Any organization or merchant that accepts, transmits, or stores any credit cardholder data must comply with PCI DSS. PCI DSS contains twelve requirements with directives against which businesses may measure their own payment card security policies, procedures, and guidelines. By complying with periodic assessments performed by Qualified Security Assessors (QSAs), businesses and entities can become accepted by the PCI Standards Council as compliant with the twelve requirements and thus receive a compliance certification and a listing on the PCI Standards Council website. Compliance with the PCI DSS is vital for all merchants who accept credit cards, online or offline, due to the sensitivity of payment card data and the risks associated with credit card fraud. Since the City acts as a credit card merchant when providing some City services, the City must comply with PCI requirements and receives a Report on Compliance annually. The PCI requirements mandate that physical and logical access to cardholder data is restricted to authorized individuals only. [8]

Logical Access Controlled through Centralized Directory Services

Directory services are used to manage access across various portions of the City networks.
A log-on is used as a point of entry to gain access to the majority of City systems. Whether connecting remotely from outside the City’s networks or in person to systems on the City’s networks, directory services authentication is required to gain access to City data. The City operates multiple network segments that are designed to restrict logical access to systems and data. Although Technology Services manages a large portion of the network, some segments are managed by other agencies.

[6] “Criminal Justice Information Services Security Policy,” last modified August 9, 2013, U.S. Department of Justice.
[7] PCI DSS v3.0, last modified November, 2013, https://www.pcisecuritystandards.org/.
[8] Logical access refers to user based authenticated access to the application systems and data that is processed.

[Figure labels: Physical Badge Access; Remote Access; Directory Services Authentication; Successful logon gains logical access to city data; Unsuccessful logon restricts logical access to city data. Source: Created by Audit Services Division Staff]

Physical Access Control Systems

Several agencies throughout the City have the ability to grant and remove physical badge access to facilities under their control. For example, the Facilities Management unit within the Department of General Services is responsible for the administration of building badge access, in addition to the general management, maintenance, and daily operations of several City-owned facilities.

[Figure labels: Physical Badge Access; Access to hard copy city data. Source: Created by Audit Services Division Staff]

Prior to gaining access to secured City agencies and hard copy information, physical badge readers provide the first layer of physical security. Photo identification access badges, used for both identification and authentication of an individual, are used to restrict access to secured areas throughout the City. The City operates six separate physical access control systems.
Each of the physical access control systems is used to restrict access to a number of City facilities. It is possible that an employee may have clearance to access more than one City owned location. Clearance may be granted to a current badge or a separate badge may be issued to provide access.

Each access control system has a number of individuals who may grant, remove, and modify physical access clearances to their respective area. For example, we noted that the system controlling access to the Webb Building has separate agencies that may grant and revoke access rights to physical areas under their control. Agency representatives fill out a form to have Facilities Management create a badge ID card, and they notify Facilities Management when access is no longer needed. As described in the findings of this report, we identified instances where access badges were assigned by agencies other than Facilities Management and were not disabled by those groups following an employee’s departure from the City.

SCOPE

The audit focused on Citywide identity management of both physical and logical access to systems and data. For logical access, the audit focused on all the directory services, which are used as the primary point of entry to access the majority of applications and electronic data in use within the City. For physical access, the audit tested two separate access control systems, which are used to control access to the following buildings:

• Performing Arts Center
• Minoru Yasui
• City Permit Center
• Denver Animal Shelter
• Roslyn Building
• DHS Main
• Family Crisis Center
• DHS East
• Webb Building
• City Data Center
• DHS Montbello
• 911 Technologies

In accordance with Generally Accepted Government Auditing Standards the reader should be aware that some details about information security weaknesses are considered sensitive security information and are not disclosed within this report.
The details of all findings, however, have been presented to Technology Services and Facilities Management. As part of our regular follow-up for audit issues, we will return at a future date to ensure that all findings have been addressed.

OBJECTIVE

The purpose of the audit was to assess the effectiveness of internal controls used by Technology Services, the Department of General Services’ Facilities Management unit, and the Office of Human Resources to manage and monitor access to City facilities, systems, and data. Audit objectives included an assessment of provisioning and deprovisioning processes for user accounts.

METHODOLOGY

We used several methodologies to achieve the audit objectives. Our evidence-gathering techniques included, but were not limited to:

• Interviewing agency staff with identity management responsibilities
• Reviewing existing policies and procedures related to access provisioning and deprovisioning
• Querying the Office of Human Resources system of record to identify former and current employees for testing
• Using data analytics to compare the listing of both current and former employees against the listing of users with logical and physical access
    o User accounts were judgmentally selected from the full populations of potentially active accounts for former employees based on the risk associated with what each account had access to. We selected the following samples:
        Access de-provisioning: 85 samples
        Access provisioning: 20 samples
        Privileged accounts: 20 samples
        Physical de-provisioning: 100 samples
• Reviewing applicable laws, rules, and regulations related to identity management including:
    o Federal Information Security Management Act of 2002 (FISMA)
    o Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    o HIPAA’s Health Information Technology for Economic and Clinical Health (HITECH) Act
    o Payment Card Industry Data Security Standard (PCI DSS version 3.0 November 2013)
    o Criminal Justice Information Services Security Policy (CJIS version 5.2 August 2013)
• Querying Technology Services’ help desk ticketing system to identify whether individuals’ access was provisioned in accordance with existing policies
• Reviewing existing security awareness training content
• Reviewing relevant audits conducted in the past related to DIA information security awareness training
• Performing tail-gate testing to determine the effectiveness of the physical badge control system

FINDING

The City Needs to Improve Governance around Identity Management to Ensure that Access to Facilities and Systems Is Appropriately Restricted

Audit work identified several weaknesses related to the City’s identity management governance structure for both physical and logical access to facilities and systems. With regard to physical access, we found inconsistent application of procedures used to provision and de-provision employee physical access badges, which resulted in former employees having active badges after they no longer worked for the City. With regard to logical access, we found that some individuals who no longer worked for the City still had active credentials, allowing them to access City systems, some of which contain sensitive information.
To mitigate the risk associated with unauthorized access to City facilities and systems, we recommend that the City create a comprehensive information security governance structure including security awareness training, periodic entitlement reviews, a list of third-party workers, and procedures for requesting and removing access.

Physical Access to Some City Facilities and Secured Areas Is Not Restricted to Authorized Individuals

Physical access controls prevent unauthorized individuals from accessing City buildings. The City uses a variety of identification tools to ensure that physical access is only granted to City employees and only to the extent that they need access to perform their job duties. However, in the course of our audit work, we found a number of instances where individuals who no longer work for the City still had active badges that would grant them entry to secured facilities. During the audit, we tested two badging systems controlling access to the Wellington E. Webb Municipal Office Building (Webb Building), Performing Arts Center, Denver Animal Shelter, City data centers, Minoru Yasui Building, Roslyn Building, City Permit Center, 911 Technologies, and Department of Human Services facilities.

A Significant Number of Badges for Previous City Employees Remain Active

New City employees are issued photo identification badges to access secured City facilities and rooms. Badges are provisioned upon receipt of a signed access request form from the new employee’s agency. To test the badge-provisioning process, we compared the list of all former City employees since 2000 against the list of active badge holders. Our testing identified 972 active badges for employees who are no longer on the City’s centralized payroll system.
Some of these active badges could be legitimately active if a former employee was rehired but is paid outside of the City’s centralized payroll system; however, since there is no list of these contractors, volunteers, or interns, we were not able to make that determination.

We performed additional testing on 100 of the potentially unauthorized badges based on the sensitivity of the areas to which the badges allowed access. Testing showed that all 100 of the badges were for former employees who were no longer authorized to have access. These active badges allowed access to areas including the City Attorney’s Office, the District Attorney’s Office, City data centers, 911 technologies, child welfare offices, the Department of Human Services human resources file room, and the Department of Human Services records room. We found that agency representatives do not follow a consistent process to revoke badge access so we were unable to identify a single root cause for why the badges were not disabled following an employee’s employment with the City.

[Sidebar: Auditors found 100 active badges for former employees with access to high risk areas.]

After identifying active badges for employees who were no longer authorized to have access, we attempted to identify the date of the last activity for each of the unauthorized badges. This testing showed that no unauthorized badges accessed sensitive areas at the Department of Human Services after the individuals assigned to those badges separated from the City. For sensitive areas within 911 technologies, the Webb Building, City data centers, and the City and District Attorney’s Offices, we were able to determine that no unauthorized individuals accessed those facilities within the past six months. [9] Facilities Management should determine whether the remaining badges are for active employees who require access or whether the badges need to be disabled.
Facilities Management should also perform additional testing to ensure that no breaches occurred related to former employees accessing high-risk areas.

Badge Administrators Not Consistently Informed of Need for Badge Deactivation

We found that badge administrators do not know when an employee’s badge should be disabled unless the employee’s manager or agency representative notifies the administrator and requests access to be revoked. In the event that a badging administrator is not notified to revoke access for a former employee, access for that individual may remain active following employment. We also found that some badging administrators cannot verify whether an individual’s badge access is authorized because they do not have access to the Office of Human Resources system of record showing current City employees. For example, after we identified active badges that appear to belong to former employees, Facilities Management personnel could not confirm whether any of these individuals still require access to City facilities. Therefore badge administration personnel rely solely on City agencies to notify them when badge access should be removed.

[9] Auditors were only able to inspect badge activity for the past six months due to the size of the reports, and Facilities Management had difficulty configuring them to report activity for high-risk areas only. Facilities Management should configure and run additional reports to determine whether any former employees accessed sensitive areas after they were employed by the City over the past two years.

In addition, there is no documented process that City agency representatives follow to consistently disable badge access. In the absence of a consistent process, agency representatives may notify badging administrators to disable badges in a number of ways.
For example, some requests to disable access are phoned in, others are emailed, and still more are sent via electronic forms to Technology Services. After performing additional audit procedures and contacting supervisors of former employees, we found that at least 100 of the badges with access to high-risk areas should be disabled.

There Are No Controls to Prevent Former Employees with Deactivated Badges from Entering Certain City Facilities

We found that it is possible for individuals who separate from the City to access some secure facilities, circumventing the metal detectors. This can occur when employees do not turn in their badges following employment. Additional information related to this issue has been provided confidentially to the appropriate City agency.

Logical Access to City Systems Is Not Appropriately Restricted

Logical access controls prevent unauthorized users from accessing the City’s computer information systems. The City has a variety of identification and authorization tools in place to ensure that logical access is only granted to City employees and only to the extent that they need access to perform their job duties. However, in the course of our audit work, we found a number of instances where individuals who no longer work for the City still had active credentials, allowing them to access the City’s network.

To determine whether any former employees retained active network credentials, we first obtained a list of all users in the City’s directory services. We also obtained a list of the folders and groups the users had access to as employees and their last log-on dates. Then we generated a list of current City employees by running queries against the Office of Human Resources system of record, as well as by generating a list of all former employees since 2000. We used data analytics to compare the current and former employee lists against the active user accounts within each of the City’s directory services.
On three of the five City networks tested, we found that some individuals had retained network access following employment.

City Government Directory Services Issues

We identified three issues related to inappropriate logical access. First, some employees have retained network access following employment with the City; second, some contractor accounts have not been set up or disabled in accordance with established policy; and third, some user accounts are not being set up with appropriate password requirements.

Some accounts have not been deactivated following employee separation – We identified fourteen network accounts for former employees who should no longer have network access to City systems. Six of the fourteen individuals appeared to have accessed their accounts after separating from the City. Accounts should be disabled timely when an individual is no longer employed. In the event that Technology Services needs to access the account, the account should be added as an extension to an existing employee’s account rather than using the former employee’s account. Rules and regulations such as HIPAA, PCI, and CJIS mandate that certain data is protected and access is restricted to authorized individuals only. One of the accounts retained remote access to crime-related information following employment. The account that retained remote access to crime-related information is regulated by the CJIS security policy.[10] Other directory services details have been provided confidentially to the appropriate agency separate from this report.

[Sidebar: A former City employee retained remote access to a crime database.]

Some contractor accounts are not being provisioned or de-provisioned in accordance with policy – Many City contractors are provided with logical access to City networks to perform their job duties.
We found that contractor accounts are not always end dated within the directory services and therefore may remain active after a contractor is no longer working for the City. For example, we identified several former Department of Human Services (DHS) contractors who retained access to data after they were no longer authorized. One contractor also retained remote access to DHS files and folders after the individual was no longer working on behalf of DHS. Upon further inquiry with DHS personnel, a determination could not be made as to whether former employees retained access to client files. In total, we identified twenty-four manually provisioned accounts that were not end dated across agencies managed by Technology Services. As a result, these twenty-four individuals had active network accounts after they were no longer employed by the City. Contractor end-dating is also required by the City’s LAN and Email Policy. End dating contractor accounts helps mitigate risks to data.

Some account passwords are not set to expire in accordance with policy – We identified forty-one user accounts set with passwords that never expire. Passwords are required to be changed every ninety days in accordance with the City’s LAN and Email Policy. Passwords that have been in place for long periods of time increase the risk of unauthorized access to systems. Some of the accounts we tested during the audit have passwords that have not been changed since 2002.

Increased Governance Is Needed to Mitigate Physical and Logical Identity Management Risks

To remediate identified issues and increase both physical and logical access security, the City should perform periodic entitlement reviews, develop and maintain a comprehensive and accurate listing of third-party workers, establish procedures for requesting and removing access to City facilities and systems, and implement security awareness training.
Procedures for disabling physical and logical access should include a process for verifying that access has been removed and specifically identify the parties that are responsible for removing access upon notification.

[10] CJIS security violations must be reported to the regional CJIS Systems Officer, the national CJIS Director, as well as the Federal Bureau of Investigation (FBI). Upon notification, the FBI has the right to investigate any report of unauthorized use and suspend or terminate access and services. We were able to determine that the account in question did not access CJIS data following separation from the City. As a result, there was no CJIS violation; however, the City was out of compliance with the CJIS security policy and the individual could have remotely accessed crime related data following separation from the City.

Periodic entitlement reviews – The City does not perform periodic access entitlement reviews to determine whether physical and logical user access remains authorized over time. These types of reviews can help identify accounts that are no longer authorized when the processes to remove access are not performed. DIA performs limited entitlement reviews related to financial systems; however, these reviews do not include areas related to privileged accounts, such as database and domain administrators. Entitlement reviews also help ensure that access is commensurate with job duties. For example, high-risk file shares containing protected or sensitive data should be identified and individuals with access to the high-risk file shares should be periodically reviewed to ensure that access is appropriate. Without a periodic review process in place, it is possible that accounts that are no longer authorized to have access, such as those identified within this audit, go unnoticed and uncorrected.
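
The comparison the auditors describe under logical access (employee lists from the system of record against active directory accounts) is also what a system-generated entitlement review would run on a schedule. The sketch below is an added example, not code from the audit or the City: the CSV columns, account names, dates and finding codes are constructed assumptions, and only the 90-day password interval is taken from the report.

```python
"""Entitlement review: reconcile directory accounts against the HR system of record."""
import csv
import io
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # change interval the report cites from the LAN and Email Policy

# Constructed sample exports. Column names and values are assumptions for this
# example, not the City's actual HR or directory export formats.
HR_CSV = """employee_id,status,separation_date
1001,active,
1002,separated,2013-06-28
1003,separated,2012-11-02
1004,active,
1005,separated,2013-01-15
"""

ACCOUNTS_CSV = """account,employee_id,kind,enabled,last_logon,expires,pwd_never_expires,pwd_last_set
asmith,1001,payroll,yes,2014-01-15,,no,2013-12-01
bjones,1002,payroll,yes,2013-09-03,,no,2013-05-20
cdoe,1003,payroll,yes,2012-10-30,,yes,2002-04-11
dlee,1005,payroll,no,2013-01-14,,no,2012-12-01
svc_old,1004,payroll,yes,2014-01-14,,yes,2009-03-02
ghost,1999,payroll,yes,,,no,2014-01-05
vendor1,,manual,yes,2014-01-10,,no,2013-12-15
vendor2,,manual,yes,2014-01-12,2014-06-30,no,2013-12-20
"""


def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def _day(value):
    """ISO date string -> date, or None for an empty field."""
    return date.fromisoformat(value) if value else None


def review(hr_rows, account_rows, as_of):
    """Return {account: [finding codes]} for every enabled account with an issue."""
    hr = {row["employee_id"]: row for row in hr_rows}
    report = {}
    for acct in account_rows:
        if acct["enabled"] != "yes":
            continue  # already disabled, nothing to revoke
        found = []
        if acct["kind"] == "manual":
            # Contractors, volunteers, interns: there is no HR feed for them,
            # so an end date is the only automatic control that removes access.
            if not acct["expires"]:
                found.append("MANUAL_NO_END_DATE")
        else:
            person = hr.get(acct["employee_id"])
            if person is None:
                # Cannot be verified against the system of record at all.
                found.append("NOT_IN_SYSTEM_OF_RECORD")
            elif person["status"] == "separated":
                found.append("ENABLED_AFTER_SEPARATION")
                left = _day(person["separation_date"])
                last = _day(acct["last_logon"])
                if left and last and last > left:
                    found.append("LOGON_AFTER_SEPARATION")
        if acct["pwd_never_expires"] == "yes":
            found.append("PASSWORD_NEVER_EXPIRES")
        else:
            changed = _day(acct["pwd_last_set"])
            if changed and (as_of - changed).days > MAX_PASSWORD_AGE_DAYS:
                found.append("PASSWORD_OLDER_THAN_POLICY")
        if found:
            report[acct["account"]] = found
    return report


if __name__ == "__main__":
    result = review(load(HR_CSV), load(ACCOUNTS_CSV), as_of=date(2014, 2, 1))
    for account, codes in sorted(result.items()):
        print(f"{account:10} {', '.join(codes)}")
```

An account flagged LOGON_AFTER_SEPARATION is the case that needs follow-up beyond disabling, since it indicates use of the credential after the person left.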
Develop a list of contractors, volunteers, and interns who are not on the City’s payroll – In addition to regular employees, the City occasionally uses contractors, volunteers, and interns to perform work and services on behalf of the City. These third party workers may be granted access to City systems and buildings to perform their work. However, we found that Technology Services and Facilities Management organizations do not have a record of the current employment status for City workers who are paid outside of the centralized payroll system. A centralized list that includes all City employees and third-party individuals would assist in determining the full population of valid City workers and is essential for performing periodic account reviews.

PeopleSoft, the Office of Human Resources system of record, is the only source for tracking active employees, which in turn serves as the control for authorization of access to City networks through an automated tool. When a third-party worker is not in PeopleSoft, it is difficult to determine whether a particular individual is authorized to have access. Currently third-party workers not paid through PeopleSoft are manually provisioned and de-provisioned, which has resulted in some of the issues identified within this audit. For example, we identified instances where manual processes failed to remove network access for former third-party workers. We used data analytics to identify manually provisioned accounts for former employees and noted that sixteen of the twenty accounts (80 percent) tested were not disabled following employment.

Establish a consistent process for requesting and removing access to City facilities and systems – As discussed throughout this report, the City does not have a consistent governance process to grant or remove an individual’s access to City facilities and systems.
Access changes may be requested through help desk tickets, electronic forms, or hard copy forms, and there is no training provided regarding which forms to use under certain circumstances. In the absence of an established process, access change requests are inconsistently sent to Technology Services and Facilities Management, which has resulted in access remaining active for some former employees, such as those identified within this audit report.

Additionally, we identified that electronic forms are filled out by hiring managers or agency representatives to disable physical badge access to the Webb Building, yet these forms are never sent to Facilities Management to facilitate removal of access. Instead, these forms are sent to Technology Services, but no action is taken to disable the badges.

Our audit found that even though Facilities Management has developed building-specific access control criteria available through the City’s intranet site, there are no procedures that address the creation and termination process for administration of employee badges. In the absence of such a guide to help ensure a consistent process is used, auditors sampled 100 badges for further testing and found that access was assigned and removed inconsistently.[11] Technology Services and Facilities Management should develop consistent processes for granting and removing access to facilities and systems and then ensure that employees are trained on the processes. Such procedures should include a process for verifying that access has been removed.

Security awareness training – Security awareness training is not provided consistently throughout the City. While all Department of Aviation employees receive security awareness training, only about 40 percent of the remaining City employees receive the training. This type of training informs employees of the types of threats with which cities and other entities are being targeted. For example, some City employees were recently targeted through an email scam attempting to collect their user IDs and passwords. This type of threat could severely compromise the security of the City’s data network. Currently, 60 percent of employees are not trained on how to identify these types of threats and effectively protect their personal access credentials. Therefore, we recommend that security awareness training should be developed jointly by Technology Services and Facilities Management to promote employee awareness of known threats to their access credentials.

[Sidebar: More than half of the City’s employees are not trained on current information security threats.]

[11] See the Methodology section of this report for all sampling methodology used during the audit.

RECOMMENDATIONS

1.1. The Director of Facilities Management should disable active badges for former employees identified within this audit and work with other badging administrators to ensure that any other potentially active accounts for former employees are disabled.

1.2. The Director of Facilities Management should install badge readers on the secured facility identified within the confidential findings provided to Facilities Management.

1.3. The Chief Information Security Officer should update the network and email account management policy to reflect the current process for network credential creation and termination. The policy should also be adopted by Technology Services so that individuals responsible for access control understand the logical access requirements and comply with them. A separate process should be developed and implemented for interns, contractors, and volunteers to ensure that network accounts are provisioned and de-provisioned consistently.

1.4.
The IT Governance Manager should disable active network accounts for former employees and contractors within this audit and ensure that any other active accounts for former employees are disabled.

1.5. The IT Governance Manager should ensure that password and group policy settings align with the City’s LAN and Email Policy.

1.6. The IT Governance Manager should ensure that access to data protected by rules and regulations such as HIPAA and CJIS is periodically monitored and controlled appropriately over time.

1.7. The Chief Information Security Officer and the Director of Facilities Management should work together to develop and implement security awareness training for all City employees, contractors, volunteers, and interns who receive physical or logical access credentials. The format and extent of the security awareness training is at the discretion of Technology Services and Facilities Management; however, these entities should take the following high-risk areas into consideration when developing the program:
• The nature of sensitive material and physical assets employees may come in contact with, such as privacy concerns and government classified information
• Employee and contractor responsibilities in handling sensitive information, including review of employee nondisclosure agreements
• Requirements for proper handling of sensitive material in physical form, including marking, transmission, storage, and destruction
• Proper methods for protecting sensitive information on computer systems, including password policy and use of two-factor authentication
• Proper methods for protecting physical access credentials, such as not sharing badges, reporting lost or stolen badges immediately, etc.
• Computer security concerns, including malware, phishing, social engineering, etc.
• Workplace security, including building access, wearing of security badges, reporting of incidents, forbidden articles, etc.
• Consequences of failure to properly protect information, including potential loss of employment, economic consequences to the City, damage to individuals whose private records are divulged, and possible civil and criminal penalties

1.8. The Chief Information Security Officer and the Director of Facilities Management should implement periodic entitlement reviews and help facilitate agency access reviews, taking into consideration the following:
• All accounts should be reviewed on a pre-defined basis (monthly, quarterly, or annually)
• High-risk access permissions should be identified, and periodic account reviews should assess the appropriateness of high-risk access over time
• Account reviews should be assigned to a designated system owner with a general understanding of the appropriateness of access
• Account reviews should incorporate segregation of duties
• Reviews should be based on system-generated access reports

1.9. The Executive Director of Human Resources should work closely with the Chief Information Officer and other agencies to implement a centralized method for tracking contractor, volunteer, and intern (contingent) workers to allow these types of workers to be tracked and thereby have their network access provisioned and de-provisioned through an automated tool.

1.10.
The Executive Director of Human Resources should work closely with the IT Governance Manager and independent IT departments across the City to train hiring managers and supervisors on provisioning and de-provisioning processes, taking into consideration the following when developing the training:
• A role-based approach for access provisioning
• Avoid mirroring accounts based on job functionality
• Develop a consistent agreed-upon method for physical and logical access provisioning and de-provisioning (e.g., required forms, approvals)
• Develop a consistent method for handling contractors and other manually provisioned accounts (e.g., account end dating)

1.11. The Director of Facilities Management should create procedures that define daily badge management processes. Facilities Management should then train all badging administrators on the procedures to ensure that access is consistently provisioned and de-provisioned.

1.12. The Director of Facilities Management should consider centralizing the badge administration process and minimize the number of administrators assigning badge access.

AGENCY RESPONSE

Technology Services
201 West Colfax Avenue
Department 301
Denver, CO 80202

March 7, 2014

Mr. Kip R. Memmott, MA, CGAP, CRMA
Director of Audit Services
Office of the Auditor
City and County of Denver
201 West Colfax Avenue, Dept. 705
Denver, Colorado 80202

Dear Mr. Memmott:

The Office of the Auditor has conducted a performance audit of Citywide Identity Management. This memorandum provides a written response for each reportable condition noted in the Auditor’s Report final draft that was sent to us on February 13, 2014. This response complies with Section 20-276 (b) of the Denver Revised Municipal Code (D.R.M.C.).
AUDIT FINDING 1
The City Needs to Improve Governance around Identity Management to Ensure that Access to Facilities and Systems Is Appropriately Restricted

RECOMMENDATION 1.1
The Director of Facilities Management should disable active badges for former employees identified within this audit and work with other badging administrators to ensure that any other potentially active accounts for former employees are disabled.

Agree or Disagree with Recommendation / Target date to complete implementation activities (Generally expected within 60 to 90 days) / Name and phone number of specific point of contact for implementation: N/A

Narrative for Recommendation 1.1
N/A – Recommendation not addressed to Technology Services.

RECOMMENDATION 1.2
The Director of Facilities Management should install badge readers on the secured facility identified within the confidential findings provided to Facilities Management.

Agree or Disagree with Recommendation / Target date to complete implementation activities (Generally expected within 60 to 90 days) / Name and phone number of specific point of contact for implementation: N/A

Narrative for Recommendation 1.2
N/A – Recommendation not addressed to Technology Services.

RECOMMENDATION 1.3
The Chief Information Security Officer should update the network and email account management policy to reflect the current process for network credential creation and termination. The policy should also be adopted by Technology Services so that individuals responsible for access control understand the logical access requirements and comply with them. A separate process should be developed and implemented for interns, contractors, and volunteers to ensure that network accounts are provisioned and de-provisioned consistently.
Agree or Disagree with Recommendation: Agree
Target date to complete implementation activities (Generally expected within 60 to 90 days): Technology Services, September 30, 2014
Name and phone number of specific point of contact for implementation: Alena Gouveia, 720-913-4964

Narrative for Recommendation 1.3
Technology Services will align policies with processes for network credential creation and termination. Personnel will be trained accordingly. We will develop a new process for the provisioning and de-provisioning of interns, contractors, and volunteers.

RECOMMENDATION 1.4
The IT Governance Manager should disable active network accounts for former employees and contractors identified within this audit and ensure that any other active accounts for former employees are disabled.

Agree or Disagree with Recommendation: Agree
Target date to complete implementation activities (Generally expected within 60 to 90 days): Technology Services, Completed; Denver County Courts, Completed
Name and phone number of specific point of contact for implementation: Alena Gouveia, 720-913-4964; Kris Griffin, 720-865-7703

Narrative for Recommendation 1.4
Technology Services immediately disabled all network accounts identified in this audit and has since conducted a review of network accounts belonging to City employees (individuals paid via the City’s payroll system). The control verification will also be conducted on a monthly basis going forward. The Court Information Department immediately disabled all network accounts identified in this audit and has implemented improved procedures to address the de-provisioning of user accounts.

RECOMMENDATION 1.5
The IT Governance Manager should ensure that password and group policy settings align with the City’s LAN and Email Policy.
Agree or Disagree with Recommendation: Agree
Target date to complete implementation activities (Generally expected within 60 to 90 days): Technology Services, June 30, 2014
Name and phone number of specific point of contact for implementation: Alena Gouveia, 720-913-4964

Narrative for Recommendation 1.5
Technology Services will review our policies for password and security settings for LAN and email accounts and align our practices accordingly.

RECOMMENDATION 1.6
The IT Governance Manager should ensure that access to data protected by rules and regulations such as HIPAA and CJIS is periodically monitored and controlled appropriately over time.

Agree or Disagree with Recommendation: Agree
Target date to complete implementation activities (Generally expected within 60 to 90 days): Technology Services, June 30, 2014
Name and phone number of specific point of contact for implementation: Alena Gouveia, 720-913-4964

Narrative for Recommendation 1.6
Technology Services will develop a pilot data classification program with an initial agency to segregate and protect data kept in file shares according to the appropriate rules and regulations, such as HIPAA, CJIS, etc. Upon demonstration that the pilot is viable, we will promote the model to additional agencies. We will also develop a model for conducting periodic entitlement reviews.

RECOMMENDATION 1.7
The Chief Information Security Officer and the Director of Facilities Management should work together to develop and implement security awareness training for all City employees, contractors, volunteers, and interns who receive physical or logical access credentials.
The format and extent of the security awareness training is at the discretion of Technology Services and Facilities Management; however, these entities should take the following high-risk areas into consideration when developing the program:
• The nature of sensitive material and physical assets employees may come in contact with, such as privacy concerns and government classified information
• Employee and contractor responsibilities in handling sensitive information, including review of employee nondisclosure agreements
• Requirements for proper handling of sensitive material in physical form, including marking, transmission, storage, and destruction
• Proper methods for protecting sensitive information on computer systems, including password policy and use of two-factor authentication
• Proper methods for protecting physical access credentials, such as not sharing badges, reporting lost or stolen badges immediately, etc.
• Computer security concerns, including malware, phishing, social engineering, etc.
• Workplace security, including building access, wearing of security badges, reporting of incidents, forbidden articles, etc.
• Consequences of failure to properly protect information, including potential loss of employment, economic consequences to the City, damage to individuals whose private records are divulged, and possible civil and criminal penalties.

Agree or Disagree with Recommendation: Agree
Target date to complete implementation activities (Generally expected within 60 to 90 days): Technology Services, December 31, 2014
Name and phone number of specific point of contact for implementation: Alena Gouveia, 720-913-4964

Narrative for Recommendation 1.7
Technology Services will collaborate with Facilities Management to develop and implement a security awareness training program for all City employees, contractors, volunteers, and interns who receive physical or logical access credentials.
RECOMMENDATION 1.8
The Chief Information Security Officer and the Director of Facilities Management should implement periodic entitlement reviews and help facilitate agency access reviews, taking into consideration the following:
• All accounts should be reviewed on a pre-defined basis (monthly, quarterly, or annually)
• High-risk access permissions should be identified, and periodic account reviews should assess the appropriateness of high-risk access over time
• Account reviews should be assigned to a designated system owner with a general understanding of the appropriateness of access
• Account reviews should incorporate segregation of duties
• Reviews should be based on system-generated access reports

Agree or Disagree with Recommendation: Agree
Target date to complete implementation activities (Generally expected within 60 to 90 days): Technology Services, September 30, 2014; Denver County Courts, Completed
Name and phone number of specific point of contact for implementation: Alena Gouveia, 720-913-4964; Kris Griffin, 720-865-7703

Narrative for Recommendation 1.8
Technology Services and Facilities Management will develop entitlement review procedures for logical and physical badge access. The Denver County Court IT department has implemented quarterly entitlement audits to determine if an account should be removed or disabled and has implemented procedures for the recovery of badges.

RECOMMENDATION 1.9
The Executive Director of Human Resources should work closely with the Chief Information Officer and other agencies to implement a centralized method for tracking contractor, volunteer, and intern (contingent) workers to allow these types of workers to be tracked and thereby have their network access provisioned and de-provisioned through an automated tool.
Agree or Disagree with Recommendation: Agree
Target date to complete implementation activities (Generally expected within 60 to 90 days): Technology Services, Office of Human Resources, March 31, 2015
Name and phone number of specific point of contact for implementation: Alena Gouveia, 720-913-4964; Christopher Lujan, 720-913-5672

Narrative for Recommendation 1.9
Technology Services will work with the Office of Human Resources and other agencies as necessary to develop an automated method for tracking, provisioning and de-provisioning contractor, volunteer, and intern (contingent) workers.

RECOMMENDATION 1.10
The Executive Director of Human Resources should work closely with the IT Governance Manager and independent IT departments across the City to train hiring managers and supervisors on provisioning and de-provisioning processes, consider the following when developing the training:
• A role-based approach for access provisioning
• Avoid mirroring accounts based on job functionality
• Develop a consistent agreed-upon method for physical and logical access provisioning and de-provisioning (e.g., required forms, approvals)
• Develop a consistent method for handling contractors and other manually provisioned accounts (e.g., account end dating).

Agree or Disagree with Recommendation: Agree
Target date to complete implementation activities (Generally expected within 60 to 90 days): Technology Services, Office of Human Resources, March 31, 2015
Name and phone number of specific point of contact for implementation: Alena Gouveia, 720-913-4964; Christopher Lujan, 720-913-5672

Narrative for Recommendation 1.10
Technology Services will work with the Office of Human Resources to incorporate provisioning and de-provisioning processes training in the required supervisor courses.

RECOMMENDATION 1.11
The Director of Facilities Management should create procedures that define daily badge management processes.
Facilities Management should then train all badging administrators on the procedures to ensure that access is consistently provisioned and de-provisioned.

Agree or Disagree with Recommendation / Target date to complete implementation activities (Generally expected within 60 to 90 days) / Name and phone number of specific point of contact for implementation: N/A

Narrative for Recommendation 1.11
N/A – Recommendation not addressed to Technology Services.

RECOMMENDATION 1.12
The Director of Facilities Management should consider centralizing the badge administration process and minimize the number of administrators assigning badge access.

Agree or Disagree with Recommendation / Target date to complete implementation activities (Generally expected within 60 to 90 days) / Name and phone number of specific point of contact for implementation: N/A

Narrative for Recommendation 1.12
N/A – Recommendation not addressed to Technology Services.

Please contact Alena Gouveia at 720-913-4967 with any questions.

Sincerely,
Frank Daidone
Chief Information Officer

cc:
Audrey Donovan, City Auditor’s Office
Robert M. Pierce, City Auditor’s Office
Nita Henry, Office of Human Resources
James Williamson, Facilities Management
Chris Larivee, Denver International Airport
Kris Griffin, Denver County Courts
Peter Duffy, Denver Human Services
Christopher Lujan, Office of Human Resources
Stephen E. Coury, Technology Services
Alena Gouveia, Technology Services
Jacqueline Boline, City Auditor’s Office
Shannon Kuhn, City Auditor’s Office
Nicholas Jimroglou, City Auditor’s Office