April 14, 2009 - Butkovitz Questions Weakness of City’s Computer Security

PRESS RELEASE

For Immediate Release:
April 14, 2009

Contact: Harvey Rice
215-686-6696

Butkovitz Questions Weakness of City’s Computer Security
Potential for intruders & hackers to gain access to city records and financial data

Click here to view the DOT Audit FY 2008

PHILADELPHIA – City Controller Alan Butkovitz today released the 2008 General IT Controls Review of the Division of Technology (DOT) that found unauthorized access for terminated employees and ineffective standards for log-in passwords.

The Controller found that several terminated employees and contractors still had active user IDs for one or more of the systems that were included within the scope of the review.

“There’s a lack of communication between the DOT and the Office of Human Resources,” said Butkovitz.  “Once an employee or contractor is no longer with the City, all of their user ID and password information must be terminated immediately.  The current practice exposes the City to substantial risks by allowing access to important financial data by unauthorized personnel.”

In addition, the City has a relatively weak password requirement that permits easy access to its computer applications. This can lead to a breach of its data and access to other resources by intruders or hackers. The Controller’s review recommends that the DOT establish more stringent password length, complexity and expiration intervals.

“Strict security measures for computer applications are a necessity to prevent financial theft via the Internet as well as a barrier to identity theft,” said Butkovitz. “The more difficult the City makes it for a hacker to access information, the less likely that data can be stolen through the Internet.”

Along with weak password requirements, the review found security standards are not formally documented for items such as firewall configuration, anti-virus configuration and account lockout settings.  

“A lack of documented security standards could lead to inconsistent security configuration settings across the City’s IT environments that could result in unauthorized access to financial information,” said Butkovitz.  “If security information is not clearly documented and communicated to all City IT personnel, then there is a substantial risk that confidentiality and integrity of the City’s financial information could be compromised.”

The DOT is one of at least 26 different City departments responsible for information technology.  It is responsible for over 100 of the City’s estimated 400 production applications.  
