Office of the Legislative Auditor - Financial Audit Division
Department of Administration
System-wide Access to Mainframe Data Follow-up
The Department of Administration's InterTechnologies Group (InterTech) has made substantial progress in addressing the security weaknesses that we identified in our prior audit of system-wide access to mainframe data. However, none of the six recommendations in that report have been fully completed, and some security weaknesses still exist.
To improve controls, InterTech needs to continue working to fully complete the six recommendations that were in our prior report:
InterTech should define ACF2 security groups that are appropriate for specific job functions.
InterTech should evaluate the need for powerful group clearances permitted in ACF2 security rules.
InterTech should deploy the ACF2 recommended compensating controls over all accounts that do not require passwords.
InterTech should remove powerful ACF2 privileges from those people who do not need those privileges.
InterTech should discontinue using the exit that allows read-only access to all data that is not secured by rules.
InterTech and state agency security officers should develop written documentation for the ACF2 security infrastructure to facilitate security administration duties.