Inspector general finds deficiencies in DTOP’s information systems
By The Star Staff
The Office of the Inspector General of Puerto Rico (OIG by its Spanish initials) identified severe deficiencies in the controls and protection of information, including citizens’ data, in the Department of Transportation and Public Works (DTOP).
As detailed in a press release Tuesday, the findings are the result of a compliance examination and evaluation of documents and information collected on the access controls granted and the security of the Drivers and Vehicles Information Databases Plus (DAVID+) system established by DTOP and the Highways and Transportation Authority (ACT by its Spanish initials).
The deficiencies in information controls include the use of technology and servers where the DAVID+ system resides that are obsolete and lacking technical support from the manufacturer. At the time of the examination, the two servers where DAVID+ resides, the IBM Model Power 570, are obsolete and do not have technical support. IBM withdrew the equipment from the market on Jan. 7, 2011, and discontinued its technical support on March 31, 2019.
A Cisco 7606 router used for connection to the network of a service company is also obsolete and lacks technical support because it was withdrawn from the market on July 24, 2016.
As part of the evaluation of the internal controls on the accesses granted and DAVID+ security, officials requested a copy of the risk analysis and the DTOP Security Plan. Upon examination, it was revealed that DTOP did not have a risk analysis of computerized information systems or a current security plan.
On April 20 of this year, the ACT, through its executive director, certified to the OIG that it does not have a current incident management plan and work is underway to create one.
The evaluation conducted by the OIG included 15 findings related to the information systems in the DTOP and the ACT that include, among other findings: lack of an alternate center for the recovery of communications, lack of a plan and record for handling security incidents, deficiencies related to the administration of active access accounts for former employees in the DAVID+ system, lack of continuous training for users on the use of information systems and on security policies, and other deficiencies in policy implementation.
The draft results and findings of the examination were submitted for comments and responses on April 24 to the DTOP secretary. The secretary, through her legal counsel, submitted her comments on the results and findings through a letter received on May 17, where she established, among other things, the following:
“Currently the DTOP is evaluating each of the indicated findings and we are working on the first drafts of the corrective actions,” read the response letter from DTOP Secretary Eileen Vélez Vega. “This is for the purpose of addressing each of the findings in order to timely comply with the laws referred to in said report.”