Public Release Date: December 11, 1998 (Report No. 98-63)
The Statewide Employee Management System (SEMA4) is an integrated human resource and payroll system that is used by most state agencies. SEMA4 data resides in a database at the central mainframe computer center managed by the Department of Administration's Intertechnologies Group (Intertech). Access to this data is provided through the DB2 database management system. Three layers of security software, ACF2, SEMA4 itself, and DB2, help prevent unauthorized access to sensitive payroll and personnel data. ACF2 authenticates the identity of users who try to access Intertech's central mainframe computer. Once authenticated, users also need a security profile within SEMA4; these profiles limit each type of user to the specific screens needed to fulfill their job responsibilities. Finally, DB2 prevents users from accessing the database directly, bypassing the appropriate SEMA4 screens.
This audit focused on how the Departments of Employee Relations and Finance prevent unauthorized users from directly accessing DB2 and the underlying SEMA4 data tables. We refer to these types of connections as "backdoor" access methods because they provide users with an opportunity to circumvent important SEMA4 screen edits.
Our audit revealed that the Departments of Employee Relations and Finance do not have effective security administration procedures to protect the SEMA4 database. The departments do not have a detailed understanding of pertinent database security risks or formal procedures to control those risks. Instead, the departments place a great deal of reliance on security administration duties performed by employees in the Department of Administration's Intertechnologies Group (Intertech). We feel that this level of reliance may be unjustified because each agency's security administration roles and responsibilities have not been clearly defined.
We found significant weaknesses when reviewing detailed security data. Of greatest significance, some users may have more clearance than they need to fulfill their normal job duties. We also found that the data used by DB2 and ACF2 to control access to the SEMA4 database has not been properly maintained. Unauthorized changes to critical data could occur and remain undetected because the departments do not log the activities of all users with powerful backdoor security clearances. Finally, the departments' procedures for controlling user accounts and passwords are susceptible to abuse.
The Departments of Employee Relations and Finance agreed with the findings and recommendations in this report.