Dennis J. Gallagher
Auditor
Office of the Auditor
Audit Services Division
City and County of Denver
PeopleSoft IT General Controls
Performance Audit
The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring the proper and efficient use of City resources and providing other audit services and information to City Council, the Mayor and the public to improve all aspects of Denver’s government. He also chairs the City’s Audit Committee and oversees the City’s Comprehensive Annual Financial Report (CAFR).
The Audit Committee is chaired by the Auditor and consists of seven members. The Audit Committee assists the Auditor in his oversight responsibilities of the integrity of the City’s finances and operations, including the integrity of the City’s financial statements. The Audit Committee is structured in a manner that ensures the independent oversight of City operations, thereby enhancing citizen confidence and avoiding any appearance of a conflict of interest.
Audit Committee
Dennis Gallagher
Maurice Goodgaine
Robert Haddock
Jeffrey Hart
Charles Husted
Bonney Lopez
Timothy O’Brien
Audit Staff
John Carlson, Deputy Audit Director, JD, CIA, CICA
Stephen E. Coury, IT Audit Supervisor, CISA
Robert Pierce, Lead IT Auditor, CISA
Aaron Pratt, Senior IT Auditor, CISA
Brandon Blomquist, Staff IT Auditor
You can obtain free copies of this report by contacting us at:
Office of the Auditor
201 W. Colfax Avenue, Dept. 705 Denver CO, 80202
(720) 913-5000 Fax (720) 913-5026
Or view an electronic copy by visiting our website at:
To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people.
We will monitor and report on recommendations and progress towards their implementation.
City and County of Denver
201 West Colfax Ave., Dept. 705 Denver, Colorado 80202 720-913-5000 FAX 720-913-5247 www.denvergov.org/auditor
Dennis J. Gallagher
Auditor
December 17, 2009
Molly Rauzi, Chief Information Officer
Technology Services
City and County of Denver
Claude Pumilia, Chief Financial Officer
Department of Finance
City and County of Denver
Dear Ms. Rauzi and Mr. Pumilia:
Attached is the Auditor’s Office Audit Services Division’s report of their audit of PeopleSoft IT General Controls for the period of October 1, 2008 through September 30, 2009. The purpose of the audit was to examine and assess the IT general controls related to the PeopleSoft Human Resources and Financial Management applications to ensure they provide sound foundations to support the proper operation and security of these information systems. Audit work focused on change control, security settings, access management, and operations as they pertain to the PeopleSoft Human Resources and Financial Management applications.
The audit revealed deficiencies in the process for disabling systems access of terminated employees as well as the need for process improvements to help ensure system password settings are effective. The audit also identified a need to perform a disaster recovery test for the PeopleSoft Human Resources and Financial Management applications.
If you have any questions, please call Kip Memmott, Director of Audit Services, at 720-913-5029.
Sincerely,
Dennis Gallagher
Auditor
DJG/ect
cc: Honorable John Hickenlooper, Mayor
Honorable Members of City Council
Members of Audit Committee
Ms. Roxane White, Chief of Staff
Mr. David T. Roberts, Chief Services Officer
Mr. David Fine, City Attorney
Mr. L. Michael Henry, Staff Director, Board of Ethics
Ms. Lauri Dannemiller, City Council Executive Staff Director
Ms. Beth Machann, Controller
AUDITOR’S REPORT
We have completed an audit of PeopleSoft IT General Controls for the period of October 1, 2008 through September 30, 2009. The purpose of the audit was to examine and assess the IT general controls related to the PeopleSoft Human Resources and Financial Management applications to ensure they provide sound foundations to support the proper operation and security of these information systems. Audit work focused on change control, security settings, access management, and operations as they pertain to the PeopleSoft Human Resources and Financial Management applications.
This audit was included in the Auditor’s Office Audit Services Division’s 2009 Annual Audit Plan and is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, General Powers and Duties of Auditor, and was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The audit revealed deficiencies in the process for disabling systems access of terminated employees as well as the need for process improvements to help ensure system password settings are effective. The audit also identified a need to perform a disaster recovery test for the PeopleSoft Human Resources and Financial Management applications.
We extend our appreciation to the personnel who assisted and cooperated with us during the audit.
Audit Services Division
TABLE OF CONTENTS
EXECUTIVE SUMMARY
INTRODUCTION & BACKGROUND
What is PeopleSoft?
What are IT General Controls (ITGCs)?
SCOPE
OBJECTIVES
METHODOLOGY
FINDING 1
Procedures for Removing System Access Are Not Fully Effective
FINDING 2
Password and Physical Access Controls Are Not Consistently Aligned with City Policies and Procedures
FINDING 3
EXECUTIVE SUMMARY
Audit work revealed deficiencies in the process for disabling systems access of terminated employees as well as the need for process improvements to help ensure system password settings are effective. The audit also identified a need to perform a disaster recovery test for the PeopleSoft Human Resources and Financial Management applications.
These deficiencies were found in three of the four areas of Information Technology General Controls (ITGCs) reviewed for the PeopleSoft application and supporting infrastructure. The three areas with deficiencies were access management, security settings, and operations. No deficiencies were found based on the testing we performed in the change control area.
Access Management
Through the use of Computer Assisted Auditing Techniques (CAATs) we independently matched terminated employees to the full database of 11,159 active network accounts and found that 76 former employees (over 6% of the 1,235 terminated) from 16 agencies still had active network accounts. Further analysis of the 76 terminated employee accounts showed that 14 had accessed City systems after termination. These users had much of the same access as if they were still current employees. We also found that eight had the capability to connect remotely to the City network from outside City facilities. Of those eight with remote access, three had logged in subsequent to termination. The failure to disable the login accounts of terminated employees exposes City information systems and data to unauthorized modification, disclosure or destruction.
Security Settings
Some users with access to PeopleSoft, Oracle, or the AIX operating system do not have adequate controls over their passwords. It is important that users follow good password practices as set by management. Passwords provide the primary control over user access to computer resources and their effectiveness tends to diminish over time. A lack of security parameters weakens security controls, which could lead to unauthorized access to the system and the subsequent disclosure, misuse and/or destruction of City data. Specifically, these security weaknesses could result in unauthorized individuals gaining access to the system and possibly changing, modifying, or deleting sensitive system files, or viewing confidential documents stored within the information systems environment.
Operations
INTRODUCTION & BACKGROUND
What is PeopleSoft?
The City and County of Denver uses the PeopleSoft Enterprise system for a variety of key business functions, such as Human Resources (Payroll, Employee Benefits, Time and Labor) and Financials (General Ledger, Purchasing, Payables, Projects and Grants, Asset Management). PeopleSoft is an Enterprise Resource Planning (ERP) system that allows for integration of business functions and a single access control model.
Although many city agencies use the various PeopleSoft modules, we identified the Office of the Controller as a key business owner and user of PeopleSoft. The Technology Services organization provides the technical support and IT general controls environment for PeopleSoft through its Enterprise Applications Services and Operations groups.
What are IT General Controls (ITGCs)?
Information Technology General
Change Control
Strong procedures over change control ensure that changes introduced into production are authorized and tested to maintain the integrity and availability of both software applications and data.
To ensure the PeopleSoft systems operate as intended and continue to operate without disruption, the City tests and implements changes through three separate processing environments known as Test, Quality Assurance, and Production. Effective change controls provide for separation of duties between software developers, system testers, and production users.
The software developer makes system changes in the Test environment but cannot implement the changes into production. Persons other than the software developer perform software testing functions in the Quality Assurance environment. After approval by the requesting party or business owner, the change is then implemented into the Production environment.
Security Settings
There are four levels of security controls for the PeopleSoft application: the Application Level, the Database Level, the Operating System Level, and the Physical Security Level.
Application Level – Users can log in to PeopleSoft in one of two ways. Most access the system via a Web interface that uses their general network ID and password. Some sign directly onto PeopleSoft using an ID and password separate from their network credentials, which are stored and maintained within PeopleSoft itself.
Application Level security settings affect the design and functioning of login IDs and passwords for direct logins, such as their minimum length and how often they must be changed. Changing passwords periodically helps prevent unauthorized system access through compromised passwords.
Database Level – The PeopleSoft application stores data in an Oracle database. Database Administrators perform configuration and maintenance of the database. These individuals have highly privileged access, including the capability to modify data if necessary outside of the application controls. The IDs and passwords at this level are controlled by settings within the Oracle database. Again, changing passwords periodically helps prevent unauthorized system access through compromised passwords.
Operating System Level – Both the PeopleSoft application and the Oracle database run on servers controlled by the AIX operating system. System Administrators configure servers to support the integrity and protection of the data. System Administrators can have local accounts on the server that are separate from their general network logins. Password controls over these local accounts are configured in the AIX operating system. Changing passwords periodically helps protect against unauthorized system access in the event passwords are unknowingly compromised.
uses it. The root password should be changed periodically and changed immediately when anyone knowing the password transfers out of the department or terminates employment with the City.
Physical Security Level – The physical servers that support all the aforementioned levels reside in a protected data center. Proximity badge readers control access to the data center. The City issues access security cards to authorized individuals. These individuals scan the cards at a specialized reader mounted near the door, which verifies the card and unlocks the door accordingly. As the card is the sole control for physical access, a person should have only one card and every card should be registered to a known and authorized individual.
Access Management
Employees are granted access rights to the City’s information systems upon being hired. Job requirements determine specific access rights and such rights are modified when job responsibilities change. Access is disabled or removed when individuals terminate their employment with the City. These controls are designed to ensure that only authorized individuals have access to City systems and data and that such access is limited according to their specific job requirements.
Operations
Controls over operations of systems help to ensure the confidentiality, integrity, and availability of information systems. These controls include regularly backing up system data, storing backup media offsite, and regularly testing system recovery capability in the event of a disaster.
SCOPE
OBJECTIVES
Audit objectives included evaluating the Information Technology General Controls for the following areas:
Change controls providing separation of processing environments for test, quality assurance, and production, and separation of duties for the roles of software developers, system testers, and end users, including system changes being authorized, tested, and approved before being implemented into production.
Security settings limiting access to authorized individuals for PeopleSoft at the application, database, operating system, and physical security levels.
Access management controls ensuring employee access is limited to specific job functions and access to City systems and data is removed when individuals terminate their employment with the City.
METHODOLOGY
We utilized multiple methodologies to achieve audit objectives. These evidence gathering and analysis techniques included, but were not limited to:
Interviewing personnel in the Controller’s Office and Technology Services and reviewing selected policies and procedures related to PeopleSoft and its infrastructure.
Independently executing queries to obtain complete populations of new and changed users within PeopleSoft and testing for supervisor approval.
Utilizing Computer Assisted Auditing Techniques (CAATs) to compare the population of 1,235 employees terminated during the audit period to the entire population of 11,159 Active Directory accounts, and the population of 13,068 employees with access to PeopleSoft.
Directly observing physical access controls in place at the data centers and ensuring that none of the 1,235 terminated employees had access to the data centers supporting the PeopleSoft application.
Observing the execution of queries to obtain a complete population of changed database objects for the Human Resources and Financial Management applications. Changed objects included software patches, HR tax updates, salary grade changes, benefit selections, stimulus grant reporting, and changes to access privileges.
Independently testing a sample of changes from the Human Resources and Financial Management applications using Stat, the change and access management tool used by Technology Services.
Directly observing environmental controls in place at the data centers supporting the PeopleSoft application through onsite inspection and examination of maintenance records.
Examining evidence of backup and off-site storage of media.
Obtaining access to Active Directory Users and Computers (ADUC) for examining login account access and information.
Executing scripts to extract system and password configuration settings for the infrastructure supporting PeopleSoft (Oracle database and AIX servers).
76 Terminated Employees Still Had Active Network Login Accounts
FINDING 1
Procedures for Removing System Access Are Not Fully Effective
Through the use of Computer Assisted Auditing Techniques (CAATs) we independently matched terminated employees to the full database of 11,159 active network accounts and found that 76 former employees (over 6% of the 1,235 terminated) from 16 agencies still had active network accounts. One of the 76 still had access to PeopleSoft. Further analysis of the 76 terminated employee accounts showed that 14 had accessed City systems after termination. These users had much of the same access as if they were still current employees. We also found that eight had the capability to connect remotely to the City network from outside City facilities. Of those eight with remote access, three had logged in subsequent to termination. The failure to disable the login accounts of terminated employees exposes City information systems and data to unauthorized modification, disclosure or destruction.
The number of terminations used above (1,235) occurred during the audit scope period of October 1, 2008 through September 30, 2009. The actual number of terminated employees with active network accounts may increase if the time period were expanded to include prior years.
Recommendations
Working with the Controller’s Office, we recommend that Technology Services:
1. Investigate and immediately deactivate all terminated employee login accounts, including those from prior years.
2. Determine the root cause for the breakdown within the termination process.
3. Revise procedures to improve the effectiveness of the termination process.
4. Add compensating controls to support the revised termination procedures. For example, scanning inactive accounts or adopting a periodic comparison of active accounts against terminated employees.
5. Consider the implementation of more sophisticated or automated access management tools.
Terminated Employees with Active Logins
Type Number of Employees
Terminated Employees 1,235
Active Login Accounts 76
Accessed Since Termination 14
Remote Access Capability 8
Accessed since termination and have Remote Access 3
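The periodic comparison named in recommendation 4 can be scripted. The Python below is an added example, not code from the audit or from Technology Services; the two CSV exports, their column names and the account names are constructed for illustration, and it reports the same categories as the table above.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample exports; column names are assumptions for illustration.
HR_TERMINATIONS = """employee_id,termination_date
100234,2009-03-13
100871,2009-06-30
101555,2009-08-14
102090,2009-09-01
"""

ACCOUNT_EXPORT = """account,employee_id,enabled,last_logon,remote_access
jdoe, 100234 ,TRUE,2009-05-02T08:14:00,TRUE
asmith,100871,TRUE,2009-06-29T17:40:00,TRUE
bjones,101555,FALSE,2009-08-13T16:05:00,FALSE
cnguyen,102090,TRUE,,FALSE
svc_backup,,TRUE,2009-09-30T02:00:00,FALSE
klee,103300,TRUE,2009-09-29T09:12:00,FALSE
"""


def is_true(value):
    return value.strip().upper() in {"TRUE", "1", "YES"}


def load_terminations(text):
    """Return {employee_id: termination date} from the HR export."""
    return {
        row["employee_id"].strip(): date.fromisoformat(row["termination_date"].strip())
        for row in csv.DictReader(io.StringIO(text))
    }


def reconcile(terminations_text, accounts_text):
    """Bucket enabled accounts that belong to terminated employees."""
    terminated = load_terminations(terminations_text)
    report = {"active": [], "accessed_after": [], "remote": [],
              "accessed_and_remote": [], "unlinked": []}
    for row in csv.DictReader(io.StringIO(accounts_text)):
        account = row["account"].strip()
        emp_id = row["employee_id"].strip()
        if not is_true(row["enabled"]):
            continue                            # already disabled
        if not emp_id:
            report["unlinked"].append(account)  # no HR link: review by hand
            continue
        term_date = terminated.get(emp_id)
        if term_date is None:
            continue                            # not in the terminated population
        report["active"].append(account)
        logon = row["last_logon"].strip()
        # An account that never logged on has an empty last_logon field.
        accessed = bool(logon) and datetime.fromisoformat(logon).date() > term_date
        remote = is_true(row["remote_access"])
        if accessed:
            report["accessed_after"].append(account)
        if remote:
            report["remote"].append(account)
        if accessed and remote:
            report["accessed_and_remote"].append(account)
    return report


if __name__ == "__main__":
    for bucket, accounts in reconcile(HR_TERMINATIONS, ACCOUNT_EXPORT).items():
        print(f"{bucket}: {accounts}")
```

Enabled accounts with no employee ID land in the "unlinked" bucket because they cannot be matched to HR records at all and need an owner assigned before the comparison can cover them.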
FINDING 2
Password and Physical Access Controls Are Not Consistently Aligned with City Policies and Procedures
Some users with access to PeopleSoft, Oracle, or the AIX operating system do not have adequate controls over their passwords. It is important that users follow good password practices as set by management. Passwords provide the primary control over user access to computer resources and their effectiveness tends to diminish over time. By requiring periodic password changes, the City will reduce the risk of unauthorized access to applications and the information stored within them. A password character setting requiring too few characters can result in more easily guessed passwords, and an undefined threshold of bad password attempts could result in users’ continued attempts to access unauthorized systems without having their ID suspended.
A lack of security parameters weakens security controls, which could lead to unauthorized access to the system and the subsequent disclosure, misuse and/or destruction of City data. Specifically, these security weaknesses could result in unauthorized individuals gaining access to the system and possibly changing, modifying, or deleting sensitive system files, or viewing confidential documents stored within the information systems environment.
PeopleSoft Password Controls are not configured for users authenticating outside of Active Directory
The majority of PeopleSoft users authenticate (gain access) to PeopleSoft using their Active Directory user ID and password. However, there are 43 users that access PeopleSoft outside of the Active Directory authentication. As a result, these users do not follow the Active Directory required password settings. Permitting access to PeopleSoft without using Active Directory password controls allows users to circumvent the Active Directory password requirements. There are no password requirements configured in PeopleSoft for users that do not authenticate through Active Directory.
Inadequate Password Controls for Oracle Accounts
Audit work reviewed password controls related to Oracle databases supporting PeopleSoft HR and Financials and determined that no password controls are enabled for Oracle user accounts. Inadequate password controls could lead to unauthorized individuals gaining access to the system and possibly changing, modifying, or deleting sensitive system files, key financial data/programs or viewing confidential documents stored within the Oracle environment.
Password Controls Not Enforced for AIX Administrative and User Accounts
Denver Acceptable Use Agreement or password standards. We reviewed AIX files indicating the last password change date for accounts and noted highly privileged administrative and user accounts without any forced password change date. Some highly privileged accounts have not had their password changed since 2005.
Unaccountable Physical Access to Data Center
In addition to issues involving password control weaknesses, audit work also identified data center access cards that were not assigned to specific authorized persons. Without full accountability for who has access to the data centers, unknown persons could cause system disruption, physical damage or steal valuable assets.
The majority of ID cards which grant access to the City’s data centers are logged in the C*Cure system with a unique card number. Audit reviewed C*Cure access listings for two data centers and noted the following:
Four active cards on the data center access lists that had no identifiable card number.
Five cards within the C*Cure system had no employee or contractor listed as the card owner.
Six test cards were still active.
Four individuals were assigned multiple cards with access to one or both of the data centers.
Recommendations
We recommend that Technology Services:
1. Enforce Established Password Controls
Technology Services should configure password requirements within PeopleSoft software, Oracle databases, and AIX operating systems to ensure that all users follow City and County of Denver password requirements outlined in the Acceptable Use Policy. An excerpt of the Acceptable Use Policy relating to password requirements is listed below:
Users shall construct passwords with at least eight (8) characters, including three of the following four character types: upper case alphabetic, lower case alphabetic, numeric, special characters (symbols, punctuation marks). For additional security, Users are recommended to create “pass phrases” that contain at least fifteen (15) characters. Passwords are case sensitive. Passwords will expire after 90 days and Users will not be permitted to reuse any of the last fifteen (15) passwords used. After five (5) failed login attempts, the User’s account will be disabled. The User must then personally contact Technology Services to manually reset their account.
2. Overhaul Data Center Access Lists
should complete a review of all cards with access to the City’s data centers for appropriateness and consider establishing formal, regular review procedures for physical access listings. Review procedures should identify and remedy: inactive badges, badges belonging to transferred or terminated personnel, duplicate IDs, and any inappropriate access not commensurate with a user’s job function.
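One way to check recommendation 1 on the AIX servers, as an added example rather than a script used in the audit: it assumes the standard AIX stanza files /etc/security/user (password settings) and /etc/security/passwd (lastupdate timestamps), and the account names, values and review date are constructed samples.

```python
from datetime import datetime, timezone

# Limits from the Acceptable Use Policy excerpt. AIX maxage is in weeks, so 90 days
# becomes at most 12 weeks; 0 disables a control. Character types are not covered.
POLICY = {
    "minlen": lambda v: v >= 8,
    "maxage": lambda v: 1 <= v <= 12,
    "histsize": lambda v: v >= 15,
    "loginretries": lambda v: 1 <= v <= 5,
}
MAX_AGE_DAYS = 90
AS_OF = datetime(2009, 9, 30, tzinfo=timezone.utc)  # constructed review date

# Constructed sample in /etc/security/user format ('*' starts a comment line).
SAMPLE_USER = """\
* constructed sample, not real system output
default:
        minlen = 0
        maxage = 0
        histsize = 0
        loginretries = 0
root:
        loginretries = 0
oracle:
        minlen = 8
        maxage = 12
        histsize = 15
        loginretries = 5
psoft:
        minlen = 8
        maxage = 26
"""

# Constructed sample in /etc/security/passwd format (password hashes omitted).
SAMPLE_PASSWD = """\
root:
        lastupdate = 1118793600
oracle:
        lastupdate = 1251763200
psoft:
        lastupdate = 1230768000
"""


def parse_stanzas(text):
    """Parse 'name:' headers followed by 'attr = value' lines into nested dicts."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def audit(user_text, passwd_text, as_of):
    """Return {account: [issues]} for accounts that fall short of the policy."""
    users, passwd = parse_stanzas(user_text), parse_stanzas(passwd_text)
    findings = {}
    for name in sorted(n for n in users if n != "default"):
        settings = {**users.get("default", {}), **users[name]}  # user overrides default
        issues = [f"{attr}={settings.get(attr, 0)}"
                  for attr, ok in POLICY.items()
                  if not ok(int(settings.get(attr, 0)))]
        last = passwd.get(name, {}).get("lastupdate")
        if last is None:
            issues.append("lastupdate=missing")
        else:
            age = (as_of - datetime.fromtimestamp(int(last), tz=timezone.utc)).days
            if age > MAX_AGE_DAYS:
                issues.append(f"password_age_days={age}")
        if issues:
            findings[name] = issues
    return findings
```

Merging each user stanza over the default stanza matters here: an account such as the sample psoft entry sets its own minlen but still inherits a disabled histsize and loginretries from the default.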
FINDING 3
Disaster Recovery Procedures Are Not Tested on a Periodic Basis
Business owners and Technology Services have not performed a test of the existing disaster recovery plan supporting PeopleSoft and its supporting infrastructure within the last year. Testing is an essential part of disaster recovery planning. An effective disaster recovery plan requires testing on a periodic basis, or there is a risk that the plan will not work when needed.
Recommendation