Auditor critical of county's computer operations

[InfoSec News <isn () c4i org>]

http://www.dailyherald.com/kane/main_story.asp?intID=3775583

By Charles Keeshan 
Daily Herald Staff Writer
Posted May 14, 2003 

McHenry County has no plan for how it would recover and reinstate tax
records, property deeds and thousands of other files stored on its
computers should the county government center in Woodstock suffer a
natural or technological disaster.

That was one of several criticisms leveled Tuesday at the county's
Information Technology Department by an auditor examining how the
county conducted its business during the last fiscal year. The
department also lacks proper supervision, does not have adequate
security measures in place and acts too slowly to deny fired workers
access to county computers, according to the audit.

"Procedures and controls need to be strengthened over at (Information
Technology)," said Linda Abernathy, a representative of the county's
auditing firm McGladrey and Pullen.

The critique of the Information Technology Department was about the
only fault in county practices Abernathy highlighted Tuesday when she
detailed her firm's 160-page comprehensive annual financial report to
the county board's finance committee.

The findings were not unexpected by committee members or Information
Technology Director Tom Sullivan, who said they're aware of the
problems and are addressing them as quickly as possible.

"I don't think there's anything in there that really surprises us,"  
Sullivan said. "We're working on these things and we have to allocate
some dollars to make it happen."

Finance committee Chairman Marc Munaretto said the county is taking
the criticism seriously and hopes to fix the problems outlined in the
audit report by the end of the year.

According to the report, auditors found three main flaws with how the
county's information technology department - in charge of all
computers and related technology - operates. First among them was the
lack of a plan to keep county operations functioning in the event of
severe computer problems.

"Although tape back-up storage is maintained off-site, there is no
written disaster recovery plan addressing such things as a site where
to operate, how to procure necessary hardware, how much hardware would
be necessary, how to install the backed-up information, testing the
plan and responsibility for executing the plan," the report states.

The report also outlines security issues with information technology,
including employees sharing their passwords with co-workers, leaving
their work stations unattended and poor monitoring of employees'
computer usage.

Munaretto said the security issues will be addressed, but noted there
have not been any problems because of a lack of security to date.

"We're not aware of one incident in which there's been unauthorized
access (to the county network)," he said.

In a written response to the report, Sullivan states that his
department does not have the resources to properly monitor the
computer usage of county workers.

Sullivan also states that the creation of a disaster plan is in the
works, but that implementing it would require additional funding to
his department.Computer: Director says more staffing required



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.