Comptroller issues opinion on Labor Dept. computing systems office operations

By John McPhaul

The Comptroller’s Office of Puerto Rico on Monday issued a qualified opinion on the operations of the Department of Labor and Human Resources’ Office of Computing and Information Systems.

The report revealed that the Operational Plan and the Contingency Plan approved in 2017 for the continuity of operations had not been updated.

According to the comptroller’s report, both plans had contact names for former officials and former employees, and made reference to an alternate location and external vault that no longer exist. In particular, the Contingency Plan did not contain the necessary requirements for addressing emergency situations such as details of the configuration of critical equipment or procedures for when the network cannot provide services.

Furthermore, the Labor Department had not identified an alternate center for restoring the computerized operations of the network operations center in the event of an emergency. The referenced situations can promote improvisation and represent a high risk of incurring excessive expenses or prolonged interruptions of services to users, the comptroller’s report noted.

The audit report, which contains three findings, indicates that a copy of the data backups, such as those for the driver’s social security, financial and human resources applications and others, was not kept outside Labor Department premises, but instead on a shelf located in the same place as the backup.

A similar situation had been commented on in Audit Report TI-09-14 of 2009. The report recommends that the chief information officer make sure to draft a procedure that requires that a copy of the backups be kept in a safe place and away from the Labor Department operations center.

Meanwhile, contrary to current regulations on information systems security, the parameter on the main server that sets the number of failed access attempts allowed before an account is blocked (account lockout threshold) was not configured. This situation encourages the commission of irregularities or the alteration of data contained in the systems, the report said.

The report covers the period from April 29 to Oct. 25, 2019, and is available at