Comptroller finds gaps in House of Representatives security system reviews
By John McPhaul
The Commonwealth Comptroller issued a report Wednesday on deficiencies in the Office of Technology and Information of the Puerto Rico House of Representatives, finding that the logs of the security system's main operational server were not reviewed periodically and that accounts of former employees were not deactivated on the main server.
The audit was carried out to determine whether the office's controls were operated in accordance with generally accepted standards in the field and whether they were effective.
The tests carried out and the evidence gathered by the comptroller revealed that the operations of the House were conducted in accordance with the applicable norms and regulations and that the controls were effective except in the area of the review of the server logs and access accounts.
The report pointed out that entities must have processes that allow reviewing user activities in those sensitive assets that warrant it.
“The network administrator has the responsibility to review it daily to prevent and detect unwanted access authorization,” said the report. “Our examination revealed that as of May 15, 2019, the network administrator did not periodically review security logs.”
An adequate review of the logs is necessary to detect security violations that may occur on the server and on the network, and to take the necessary preventive and corrective measures promptly.
“The administrator only examined these records in the event that any eventuality occurred with the information systems,” the report said. “The aforementioned situation may lead to unauthorized persons gaining access to confidential information maintained in the computerized systems and possibly misusing it. The situations discussed prevent users from being controlled by those authorized to access computerized information systems and the privileges assigned to them to establish responsibilities in case of errors or irregularities.”
Such situations, the report added, can also allow unauthorized persons to gain access to confidential information and misuse it, commit irregularities, or alter the data in the information system, by mistake or deliberately, without timely detection and corrective action.
Regarding the failure to deactivate the accounts of former consultants, the comptroller found that two consultants retained their access long after their contracts had ended.
“Two accounts with remote privileged connections assigned to former consultants [were sustained],” the report said, “despite the fact that 321 and 929 days [had passed] from the date of termination of their contracts.”
Likewise, in the case of the accounts assigned to five employees who left their positions between Dec. 31, 2016 and Feb. 20, 2019, between 86 and 867 days elapsed from the date of each employee's separation to the closing of the account.
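The two findings are both reconciliation problems: an HR separation list that is never compared against the account directory, and logs that are never read unless something breaks. The following is an added example, not code from the Comptroller's report or from the House's systems, of the check a network administrator could run on a schedule. It reconciles a constructed HR separation list against a constructed directory export and reports how many days each account stayed enabled past separation (the figures the audit cites, such as 321 and 929 days, are lags of exactly this kind), then scans constructed sshd-style auth log lines for logons by separated users after their last day, which is what a periodic log review should surface. The record layouts, log format, user names and the one-day grace period are all assumptions.

```python
"""Offboarding reconciliation and periodic log review check.

Added example: the directory export, HR list and log lines below are
constructed for illustration; the field names and the one-day grace
period for disabling an account are assumed policy, not the report's.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional

AS_OF = date(2019, 5, 15)   # review date cited in the report
GRACE_DAYS = 1              # assumed policy: disable on the separation date


@dataclass
class Account:
    user: str
    privileged: bool
    remote: bool
    enabled: bool
    disabled_on: Optional[date] = None


# Constructed directory export (not real House accounts).
ACCOUNTS: Dict[str, Account] = {
    "consultant1": Account("consultant1", True, True, True),
    "consultant2": Account("consultant2", True, True, True),
    "emp1": Account("emp1", False, False, False, date(2017, 4, 6)),
    "emp2": Account("emp2", False, False, False, date(2019, 4, 30)),
    "emp3": Account("emp3", False, False, False, date(2019, 3, 1)),
    "emp4": Account("emp4", False, False, True),   # still employed
}

# Constructed HR separation list: user -> last day of contract/employment.
SEPARATIONS: Dict[str, date] = {
    "consultant1": date(2016, 10, 28),
    "consultant2": date(2018, 6, 28),
    "emp1": date(2017, 1, 10),
    "emp2": date(2016, 12, 31),
    "emp3": date(2019, 3, 1),
}


def account_findings(accounts, separations, as_of=AS_OF, grace_days=GRACE_DAYS) -> List[dict]:
    """Return one finding per separated user whose account outlived the grace period.

    lag_days runs from separation to the disable date, or to as_of when the
    account is still enabled (the audit's "days since termination" figure).
    """
    findings = []
    for user, separated in separations.items():
        acct = accounts.get(user)
        if acct is None:
            continue  # no account exists, nothing to disable
        end = acct.disabled_on if (not acct.enabled and acct.disabled_on) else as_of
        lag = (end - separated).days
        if lag > grace_days:
            findings.append({
                "user": user,
                "still_enabled": acct.enabled,
                "privileged_remote": acct.privileged and acct.remote,
                "lag_days": lag,
            })
    return sorted(findings, key=lambda f: f["lag_days"], reverse=True)


# Constructed sshd-style log lines (format assumed, not from the report).
AUTH_LOG = """\
2017-03-15T09:14:11 sshd[1023]: Accepted publickey for emp1 from 10.0.5.21 port 51022 ssh2
2019-01-09T22:41:07 sshd[2211]: Accepted password for consultant1 from 203.0.113.40 port 49812 ssh2
2019-02-15T08:02:55 sshd[2890]: Accepted publickey for emp3 from 10.0.5.33 port 50110 ssh2
2019-05-14T03:15:42 sshd[3001]: Failed password for consultant2 from 198.51.100.7 port 40021 ssh2
2019-05-14T10:00:00 sshd[3002]: Accepted publickey for emp4 from 10.0.5.40 port 50200 ssh2
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def post_separation_logons(log_text, separations) -> List[dict]:
    """Flag any logon attempt, successful or failed, by a separated user after their last day."""
    hits = []
    for line in log_text.splitlines():
        m = LOGON_RE.match(line)
        if not m or m["user"] not in separations:
            continue
        when = datetime.fromisoformat(m["ts"]).date()
        if when > separations[m["user"]]:
            hits.append({"user": m["user"], "date": when, "result": m["result"], "src": m["src"]})
    return hits


if __name__ == "__main__":
    for f in account_findings(ACCOUNTS, SEPARATIONS):
        print(f"{f['user']}: {f['lag_days']} days past separation"
              f"{' (still enabled)' if f['still_enabled'] else ''}"
              f"{' [privileged remote]' if f['privileged_remote'] else ''}")
    for h in post_separation_logons(AUTH_LOG, SEPARATIONS):
        print(f"{h['date']} {h['result']} logon for separated user {h['user']} from {h['src']}")
```

Run daily against a fresh directory export and the previous day's auth log, the first function surfaces the account-lifecycle failure on the day it begins rather than 929 days later, and the second turns a log nobody reads into a short list of events that need a response; failed attempts by separated users are kept because they indicate someone is still trying the credentials.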