RUSSELL W. HINTON
STATE AUDITOR
DEPARTMENT OF AUDITS AND ACCOUNTS
IS AUDIT AND ASSURANCE SERVICES DIVISION
270 Washington Street, S.W., Suite 1-193 Atlanta, Georgia 30334-8400
Telephone (404) 651-8754 Facsimile (404) 657-5539
JAMES R. GUAY
DIRECTOR
October 22, 2007
Ladies and Gentlemen:
The accompanying report provides summary findings resulting from an information systems controls review of the Department of Driver Services' (DDS) computer operations. The Department of Driver Services was created on July 1, 2005 by the General Assembly pursuant to House Bill 501, in which the responsibilities of enforcing and administering state laws and regulations relating to driver's licenses transferred to the Department from the Department of Motor Vehicle Safety. The Department's Mission Statement is: "To continuously be the most customer-focused, results-driven, best managed organization by instilling values and demonstrating that "We C.A.R.E." while ensuring public trust and safeguarding the integrity of our services."
The scope of our review consisted of identifying and evaluating the controls supporting the License Issuance System and Automated License Renewal applications. The License Issuance System is a comprehensive system used to issue driver licenses and identification documents, maintain Georgia driver history, enforce Georgia driving statutes, interface with Georgia business and state partners for driver related records, and provide business reporting and statistical information for the Department. Automated License Renewal is a web-based application that makes renewing licenses faster and easier for the citizens of Georgia.
This review was conducted under the authority of Georgia Code 50-6-4 and 50-6-9. A copy of this report is filed as a permanent record with the State Auditor and is available to the public.
Mission Statement: The Department of Audits exists to provide decision-makers with credible management information to promote improvements in accountability and stewardship in state and local government.
Information Systems Controls Review
Department of Driver Services
Georgia Department of Audits and Accounts Information Systems Audit and Assurance Services Division
October 2007 Report 2007-03
Introduction
The Georgia Department of Audits and Accounts conducted an Information Systems Controls Review of the Georgia Department of Driver Services (DDS) to determine whether the Department has an adequate internal control system to address the effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability of information that supports the agency's business processes and objectives.
This document summarizes the scope and objectives, methodology, and findings of the assessment. The Department's management responses to the findings are also provided.
Scope and Objectives
The Georgia Department of Driver Services was created on July 1, 2005 by the General Assembly pursuant to House Bill 501, in which the responsibilities of enforcing and administering state laws and regulations relating to driver's licenses transferred to the Department from the Department of Motor Vehicle Safety. DDS consists of seven divisions: Administrative & Finance, Legal & Investigative Services, Information Technology, Customer Contact Center, Licensing and Records, Business Analysis, and Regulatory Compliance. The Department's Mission Statement is: "To continuously be the most customer-focused, results-driven, best managed organization by instilling values and demonstrating that "We C.A.R.E." while ensuring public trust and safeguarding the integrity of our services."
Contents
Introduction ........................ 1
Scope and Objectives ................ 1
Methodology ......................... 2
Findings ............................ 2
As we gained an understanding of DDS's key business objectives, processes and information systems, our scope was refined to include identifying and evaluating the controls supporting the License Issuance System and Automated License Renewal applications. The License Issuance System is a comprehensive system used to issue driver licenses and identification documents, maintain Georgia driver history, enforce Georgia driving statutes, interface with Georgia business and state partners for driver related records, and provide business reporting and statistical information for the Department. Automated License Renewal is a web-based application that makes renewing licenses faster and easier for the citizens of Georgia.
Our overall objective was to determine whether the Department of Driver Services had an adequate internal control system to achieve the following security objectives for information and information systems:
Confidentiality The security objective of confidentiality is to preserve authorized restrictions on information access and disclosure, including a means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
Integrity The security objective of integrity is to guard against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
Availability The security objective of availability is to ensure timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
Georgia Department of Audits and Accounts
Page 1
Our examination included reviews of controls in the areas of Access Control, Systems and Communications Protection, Contingency Planning, Identification and Authentication, System and Services Acquisition, and Audit and Accountability.
Methodology
The methodology for detailed testing included:
Conducting interviews and evaluating DDS's operations.
Reviewing any existing policies and procedures addressing Access Control, Systems and Communications Protection, Contingency Planning, Identification and Authentication, System and Services Acquisition, and Audit and Accountability.
Assessing the adequacy and effectiveness of procedures and security controls employed within the information systems.
Our examination was performed in accordance with professional standards established by the Information System Audit and Control Foundation and included those procedures we considered necessary to conduct our review. The Georgia Technology Authority (GTA) Enterprise Information Security Policies, the ISO/IEC 17799 (Information Technology Code of Practice for Information Security Management), the Center for Internet Security (CIS), and various publications from the National Institute of Standards and Technology (NIST) were the primary industry standards and best practices applied. Our examination addressed policies, procedures, and operations in effect during the period February, 2007 through September, 2007.
Findings
We found that DDS controls were generally functioning adequately. However, as described below, we are recommending certain improvements. Security is a process and cannot be achieved through a single security review. Security must be designed, implemented, and managed seamlessly from a full enterprise perspective to ensure the continued success of an organization's business operations. Consequently, we would encourage the Department to not only address the following findings resulting from our limited, point-in-time examination, but to also seek opportunities to bring about improvements in information systems controls in other areas of the enterprise on a continual basis.
Finding #1
We found passwords for high-level, high-privilege accounts are not routinely and periodically changed and that the Department's Password Policy 5003 is not compliant with the Georgia Technology Authority's Password Use Standard.
During our audit, we reviewed the Department's password management controls. Based on the results of the review, we concluded that overall password management controls were effective. However, we found that a sample of the Department's Internet-facing servers had non-expiring passwords for high-privilege "administrator" accounts, which deviates from the Department's password policy. A deficiency was also noted in the Department's Password Policy 5003 itself, which requires only that all system-level account passwords be changed on at least a quarterly basis. This time frame does not meet the minimum requirements established by GTA's Password Use Standard 9.3.1, which requires all system-level passwords be changed on at least a monthly basis.
With all of the advances in security technology, one aspect remains constant: passwords are still a primary means to control access to systems. The difficulty with passwords is that all too often they are the easiest security mechanism to defeat. Weak password controls put data at risk from unknown threats. With high-privilege "administrator" accounts, once an attacker has gained access he can make alterations to the operating system or gain access to confidential data. Since passwords are vulnerable to compromise whenever used, stored, or known, changing administrator passwords with a greater frequency adds more complexity for the attacker.
Recommendation(s):
The Department should update Password Policy 5003 to ensure that it meets the minimum requirements set by GTA's Password Use Standard 9.3.1.
Additionally, it is recommended that the Department employ an automated password management solution for administrator and user accounts on non-domain servers to ensure compliance with Password Policy 5003.
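The following script is an added example and is not part of the DOAA report or any DDS tooling. It shows how the two limits cited in this finding can be checked against an account inventory: a privileged account is flagged if its password is set to never expire or if the password is older than the policy limit. The inventory, host names and account names are constructed for illustration; "quarterly" is taken as 90 days (Password Policy 5003) and "monthly" as 30 days (GTA Standard 9.3.1), both assumptions of this example. Disabled accounts are skipped by default, since the Department's response attributes the non-expiring accounts to disabled built-in accounts, but they can be listed with include_disabled=True.

```python
"""Privileged-account password-age check.

Added example, not part of the DOAA report or any DDS tooling. The account
inventory is constructed; the two limits are the ones the finding cites,
taken here as 90 days (Policy 5003, "quarterly") and 30 days (GTA 9.3.1,
"monthly"), both assumptions of this example.
"""
from dataclasses import dataclass
from datetime import date

DDS_POLICY_5003_MAX_AGE_DAYS = 90   # "at least a quarterly basis" (assumed 90 days)
GTA_STANDARD_931_MAX_AGE_DAYS = 30  # "at least a monthly basis" (assumed 30 days)
AS_OF = date(2007, 9, 30)           # end of the review period the report cites


@dataclass(frozen=True)
class Account:
    name: str
    host: str
    privileged: bool              # administrator / system-level account
    password_never_expires: bool  # the flag this finding describes
    password_last_set: date
    enabled: bool = True


# Constructed sample inventory (hypothetical hosts and accounts, not DDS data).
SAMPLE_INVENTORY = [
    Account("administrator", "web01", True, True, date(2006, 11, 3)),
    Account("administrator", "web02", True, False, date(2007, 8, 20)),
    Account("backup_svc", "web02", True, False, date(2007, 6, 1)),
    Account("old_admin", "web01", True, True, date(2005, 7, 1), enabled=False),
    Account("guest", "web01", False, True, date(2005, 7, 1), enabled=False),
    Account("jdoe", "web01", False, False, date(2007, 7, 15)),
]


def find_violations(accounts, as_of=AS_OF, max_age_days=GTA_STANDARD_931_MAX_AGE_DAYS,
                    include_disabled=False):
    """Return (account, reason) pairs for privileged accounts whose password
    either never expires or is older than max_age_days on the as_of date.

    Disabled accounts are skipped unless include_disabled is True.
    """
    findings = []
    for acct in accounts:
        if not acct.privileged:
            continue
        if not acct.enabled and not include_disabled:
            continue
        age_days = (as_of - acct.password_last_set).days
        if acct.password_never_expires:
            findings.append((acct, "password set to never expire"))
        elif age_days > max_age_days:
            findings.append((acct, f"password age {age_days} days exceeds {max_age_days}"))
    return findings


def compare_policies(accounts, as_of=AS_OF):
    """Count privileged-account violations under each policy; the difference
    is the gap between the Department's quarterly limit and GTA's monthly one."""
    return {
        "dds_policy_5003": len(find_violations(accounts, as_of, DDS_POLICY_5003_MAX_AGE_DAYS)),
        "gta_standard_9.3.1": len(find_violations(accounts, as_of, GTA_STANDARD_931_MAX_AGE_DAYS)),
    }


if __name__ == "__main__":
    for acct, reason in find_violations(SAMPLE_INVENTORY):
        print(f"{acct.host}\\{acct.name}: {reason}")
    print(compare_policies(SAMPLE_INVENTORY))
```

On the constructed inventory, two enabled privileged accounts fail the Department's 90-day limit but three fail GTA's 30-day limit, which is the kind of gap the recommendation to align Policy 5003 with Standard 9.3.1 is meant to close. In practice the inventory would be produced by exporting each non-domain server's local accounts rather than typed in by hand.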
Department Response to Finding #1
The department is extremely sensitive to security measures due to the high level of sensitivity of our data. We will take the appropriate corrective action to insure the continued level of security and trust our customers have in our handling of their personal information.
DDS will update Password Policy 5003 while we are updating all of our agency security policies.
The non-expiring password accounts which were noted by DOAA are default guest accounts embedded in the operating system which are disabled.
Finding #2
We found no evidence of an existing system development life cycle methodology (SDLC).
The Department is in the Initiation Phase of the Centralized Processing of License Renewal project. After reviewing the Department's Project Management Playbook and the project's charter, we determined that DDS has not implemented a system development life cycle methodology. Additionally, the project charter does not address information security nor does it include the Information Security Officer on the project team to support the Department's mission of providing customer services in a secure and innovative technical manner.
Security is most effective if it is planned and managed throughout the life cycle of a system or application, versus applying a third-party package after the development phase. Many security risks, analyses, and events occur during a product's lifetime, and these issues should be dealt with from the initial planning stage and continue through the design, coding, implementation, and operational stages. If security is added at the end of a project development rather than at each step of the life cycle, the cost and time of adding security increases dramatically and is less effective. Not including security throughout the SDLC may lead to an insecure application where the confidentiality, integrity, and availability of the data the application supports are in jeopardy of being compromised.
Recommendation(s):
It is recommended that the Department:
Develop and establish a system development lifecycle (SDLC) that incorporates information security steps in all phases of the lifecycle.
Ensure that the steps meet best practice guidelines such as National Institute of Standards and Technology (NIST) Special Publication 800-64, Security Considerations in the Information System Development Life Cycle.
Develop and establish policies and procedures to ensure that security considerations are incorporated into all phases of the system development life cycle.
Additionally, the Department should:
Address issues pertaining to the security (integrity, confidentiality, and availability) of the Centralized Processing of License Renewal project before it proceeds any further, and ensure that the project will follow SDLC best practice guidelines such as those NIST SP 800-64 provides.
Add a member of the information security group to the project team.
Department Response to Finding #2
DDS has developed a draft Business Planning and Analysis (BPA) document, the steps of which are currently being utilized by the agency in project development and implementation. The BPA document has not been formally reviewed, approved or adopted at this time. The BPA methodology for projects was implemented as a DDS standard in 2006 and processes are being refined and implemented.
The suggested recommendations will be included in the agency's BPA document and the information security review will be included as an adjunct to the process. The department will review and align the BPA standards document with the NIST SP 800-64 document standards. DDS will solicit review of the Centralized Processing of Licenses Project by the agency's security officer and ensure that security policy recommendations and deficiencies as noted by the security officer pertaining to this project are addressed throughout the project lifecycle. The DDS security officer will be asked to review the NIST SP 800-64 guidelines to ensure that they are applied to the project appropriately.
Finding #3
The Department's Business Continuity/Disaster Recovery plans are outdated.
The Department was found to have Business Continuity/Disaster Recovery (BC/DR) plans which were inherited from the now defunct Department of Motor Vehicle Services. However, the plans have not been updated to address the Department's specific operations. Therefore, the DDS has no assurances that the plans are effective.
A Business Continuity/Disaster Recovery (BC/DR) plan can quickly become outdated due to personnel turnover, reorganizations, and undocumented changes. An out-of-date BC/DR plan may provide the Department with a false sense of security, which could be devastating if and when a disaster actually takes place. Risk management from the Business Continuity/Disaster Recovery perspective is an ongoing effort. According to the National Institute of Standards and Technology (NIST) Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, "IT systems are vulnerable to a variety of disruptions, ranging from mild (e.g., short-term power outage, disk drive failure) to severe (e.g., equipment destruction, fire). Many vulnerabilities may be minimized or eliminated through technical, management, or operational solutions as part of the organization's risk management effort; however, it is virtually impossible to completely eliminate all risks."
To be effective, it is essential that the contingency plan be reviewed and updated in a timely manner and that it accurately reflects system requirements, procedures, organizational structure, and policies to ensure that the Department can properly react to any type of disaster or disruption. A cost-effective and process-efficient way to keep a plan up to date is to incorporate it within the change management process of the organization. When properly integrated with change management processes, it stands a much better chance of being continually updated and improved upon.
Recommendation(s):
The Department should review and update its Business Continuity/Disaster Recovery (BC/DR) plan for accuracy and completeness. This should be done at least annually, as well as upon significant changes to any element of the plan, the system, the business processes supported by the system, or the resources used for recovery procedures, and upon lessons learned from exercising and testing the plan.
Additionally, the Department should develop and establish a Continuity Planning Policy to ensure it meets the minimum requirements set by the Georgia Technology Authority's (GTA) Enterprise Information Security Policies in Policy 11.1.1, Disaster Recovery and Business Continuity Planning.
The Department should consider the following actions to keep the plan updated:
Make business continuity a part of every business decision.
Perform regular drills that use the plan.
Integrate the business continuity plan into the current change management process. The plan should be a living document that is updated regularly to remain current with system enhancements.
Maintenance schedules should be stated in the contingency planning policy statement.
Department Response to Finding #3
The department understands and appreciates the need for a current and complete Business Continuity and Disaster Recovery Plan. We have met with GTA several times over the past year to discuss the acquisition and use of the Strohl's Living Disaster Recovery Planning Software (LDRPS) and Business Impact Analysis (BIA) tool. DDS plans to fully utilize both software tools to develop a comprehensive plan for our headquarters and each of our local Customer Service Centers (CSC) around the state. A policy will be developed to accompany these plans requiring regular review, testing, and integration into our change management process.
DDS plans to partner with GTA using the Strohl's LDRPS and BIA tool to update and fully develop our Disaster Recovery and Business Continuity Plans.
The Continuity Planning Policy will be established along with the update of our agency security policies.
Finding #4
The Department lacks a Wireless Policy. Problems were also noted with wireless configurations on laptops that were not properly secured.
The Department has not established a wireless policy to convey wireless usage restrictions and implementation guidance for wireless technologies to the staff. The lack of policy has contributed to the insecure wireless laptop configurations that were detected.
We detected Department laptops scanning for Access Points¹ (AP) to associate with. When wireless workstations or laptops continuously scan for APs, information on the computer may be exposed if it connects to a neighbor or intruder's AP. For example, an attacker may set up an AP to accept association requests from wireless computers and then hack into them. If these computers are also connected to a wired network and network bridging capability is turned on (the Microsoft Windows operating system has bridging capability but it is turned off by default), an attacker could potentially gain access to the internal wired network. Thus, improperly secured wireless configurations on the Department's laptops compromise network security even though the Department has not deployed a wireless network. Failure to identify and maintain comprehensive wireless policies and procedures may also increase the risk of unsuccessfully prosecuting unauthorized access to systems and data.
It should be noted that the Department has acquired wireless local area network² (WLAN) equipment and will begin to implement the solution soon. The Department should follow the recommendations below before proceeding any further with the implementation.
Recommendation(s):
It is recommended that the Department:
Create and establish a Wireless Policy and ensure it meets the minimum requirements set forth by GTA's Enterprise Information Security Policy 9.4.2, Wireless Network Access and GTA's WLAN (WiFi) Standard S-06-003.01.
Comply with GTA's Enterprise Information Security Policy section 9.4.2, Wireless Network Access and GTA's WLAN (WiFi) Standard S-06-003.01 when implementing their WLAN solution.
Disable the laptops' wireless interface to avoid unintended AP association until the Department's WLAN implementation. When the WLAN is in place, the Department should ensure that wireless-enabled equipment use 802.1x mutual authentication protocols, such as EAP-TLS, to prevent fake AP attacks.
¹ An Access Point is a hardware device or a computer's software that acts as a communication hub for users of a wireless device to connect to a wired local area network. (Source: Webopedia.com)
² A Wireless Local-Area Network is a type of local area network that uses high-frequency radio waves rather than wires to communicate between nodes. (Source: Webopedia.com)
Department Response to Finding #4
The department is rapidly expanding our use of laptops in several agency divisions including Legal / Investigative Services, Regulatory Compliance, and Licensing and Records. Laptops have become a necessary "mobile office" for many agency personnel including our executive staff. The department recognizes the value of providing security and integrity of our systems and data while performing our daily job duties via laptops. DDS will comply with all GTA policies that fall into this area.
The Wireless Policy is being developed in conjunction with the update of all agency security policies.
The DDS is looking into best practices for developing a solution to limit and secure wireless use on agency laptops.
Finding #5
The Department's existing network and remote access system notification messages do not fully communicate all components recommended by best practices.
Failure to maintain a comprehensive system notification message may increase the risk of unsuccessfully prosecuting unauthorized access to systems and data.
System use notification messages should contain components recommended by best practices, such as the National Institute of Standards and Technology (NIST) in Special Publication 800-53, Recommended Security Controls for Federal Information Systems.
Control AC-8, System Use Notification, recommends the following components:
1. That the user is accessing a State of Georgia information system.
2. That system usage may be monitored, recorded, and subject to audit.
3. That unauthorized use of the system is prohibited and subject to criminal and civil penalties.
4. That use of the system indicates consent to monitoring and recording.
5. Appropriate privacy and security notices (based on associated privacy and security policies or summaries).
We noted the following deficiencies as compared to these best practice recommendations:
The network (LAN) system use notification message was found to lack the verbiage contained in items 4 and 5.
The remote access system use notification message was found to lack the verbiage contained in items 2, 4, and 5.
Recommendation(s):
The Department should update the network (LAN) and remote access system use notification messages to ensure they meet best practice recommendations, such as those established by NIST Special Publication 800-53's AC-8, System Use Notification, control.
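The script below is an added example, not part of the DOAA report, showing how the five AC-8 components listed above can be checked mechanically across an agency's login banners. The regular expressions that detect each component are an assumed heuristic of this example rather than NIST's wording, and the three banners are constructed: two reproduce the deficiencies the finding describes (the LAN banner lacking items 4 and 5, the remote access banner lacking items 2, 4 and 5) and the third contains all five components.

```python
"""System use notification (NIST SP 800-53 AC-8) banner check.

Added example, not part of the DOAA report. The five components are the ones
the report lists; the patterns that detect them are an assumed heuristic of
this example, not NIST's wording, and the sample banners are constructed.
"""
import re

# One detection pattern per AC-8 component, numbered as in the report's list.
AC8_COMPONENTS = {
    1: ("user is accessing a State of Georgia information system", r"state of georgia"),
    2: ("usage may be monitored, recorded, and subject to audit", r"\b(monitor|record|audit)"),
    3: ("unauthorized use is prohibited and subject to penalties", r"unauthori[sz]ed.*(prohibit|penalt)"),
    4: ("use of the system indicates consent to monitoring and recording", r"\bconsent"),
    5: ("appropriate privacy and security notices", r"\bprivacy"),
}


def missing_components(banner):
    """Return the numbers of the AC-8 components the banner does not mention."""
    text = " ".join(banner.lower().split())  # collapse line breaks and whitespace
    return [num for num, (_, pattern) in sorted(AC8_COMPONENTS.items())
            if re.search(pattern, text) is None]


def check_banners(banners):
    """Map each banner name to the list of component numbers it is missing."""
    return {name: missing_components(text) for name, text in banners.items()}


# Constructed banners that reproduce the deficiencies the report describes.
SAMPLE_BANNERS = {
    "lan": (
        "This is a State of Georgia information system.\n"
        "System usage may be monitored, recorded, and subject to audit.\n"
        "Unauthorized use is prohibited and subject to criminal and civil penalties."
    ),
    "remote_access": (
        "State of Georgia remote access gateway.\n"
        "Unauthorized use of this system is prohibited and subject to criminal and civil penalties."
    ),
    "corrected": (
        "You are accessing a State of Georgia information system.\n"
        "System usage may be monitored, recorded, and subject to audit.\n"
        "Unauthorized use is prohibited and subject to criminal and civil penalties.\n"
        "Use of this system indicates consent to monitoring and recording.\n"
        "See the Department's privacy and security notice for details."
    ),
}


if __name__ == "__main__":
    for name, missing in check_banners(SAMPLE_BANNERS).items():
        if missing:
            print(f"{name}: missing AC-8 item(s) " + ", ".join(
                f"{n} ({AC8_COMPONENTS[n][0]})" for n in missing))
        else:
            print(f"{name}: all five AC-8 components present")
```

Keyword matching only confirms that each topic is mentioned, so a banner that passes this check still needs a reading against the agency's actual privacy and security policy before it is deployed to every logon path (LAN, remote access, and any web front end).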
Department Response to Finding #5
The department has taken corrective measures to meet this finding.
This item was corrected on the date of our meeting with DOAA on 9/4/07. We are now compliant with NIST 800-53.
Finding #6
Audit and Accountability policy and procedures do not exist.
Although our review found the Department's auditing and logging controls to be sufficient, we did note that an audit and accountability policy and procedures have not been developed. Formalized and documented policy and procedures governing audit and accountability help eliminate security lapses and oversights, give new personnel sufficiently detailed instructions, and provide a quality assurance function to help ensure operations will be performed correctly and efficiently.
Recommendation(s):
The Department should develop and establish Audit and Accountability policies and procedures.
Additionally, the Department should ensure that these policies and procedures meet best practice guidelines, such as those established by National Institute of Standards and Technology (NIST) in Special Publication 800-53, Recommended Security Controls for Federal Information Systems, Audit and Accountability control family.
Department Response to Finding #6
The department understands and appreciates the need for Audit and Accountability policies and procedures. These items will be addressed as we are addressing all of our agency security policies.
The Audit and Accountability Policy is being developed along with all agency security policies.
For additional information, please contact:
James R. Guay, Director Information Systems Audit and Assurance Services Division
270 Washington Street, SW, Room 1-193 Atlanta, GA 30334
(404) 651-8754
guayjr@audits.ga.gov