Jail Management System - Maricopa County

More documents

Recommendations

Info

Security Awareness Training MCSO’s TOC training focuses on authorized access and dissemination of criminal justice information, but does not include all of the security awareness areas required in CJIS policy. CJIS mandates specific training topics regarding the proper handling of criminal justice information, based on a user’s exposure to and involvement with the criminal justice information. Account Access Reviews Although MCSO validates TOC identification numbers through a semi-annual, Arizona Department of Public Safety (DPS) review and reconciliation process, it does not have a formalized process for validating all JMS and operating system user accounts and their associated access permissions. Effect Personnel Screening - Incomplete personnel screening processes may leave MCSO vulnerable to potential abuse of sensitive law enforcement data. Security Awareness Training - JMS users that do not receive the mandated CJIS training may inadvertently mishandle criminal justice information. Account Access Reviews - Informally managed user permissions increases the risk that unauthorized users may inappropriately access or modify criminal justice information. Cause Personnel Screening - MCSO has not developed a formalized background check policy for JMS users without ACJIS database permissions. Security Awareness Training - Although MCSO’s TOC training program aligns with DPS guidance, these requirements do not meet the minimum CJIS Security Policy standards. Account Access Reviews - MCSO has relied on the extensive hands-on experience of longtenured employees to compensate for formalized procedures, and has invested its resources on day-to-day functions rather than documenting its operations. Recommendations MCSO should consider: A. Developing a personnel screening policy that covers JMS users who do not access ACJIS data. B. Enhancing the security awareness training program to align with the CJIS Security Policy requirements. C. Developing formalized policies and procedures to periodically review and validate JMS access accounts and permissions. Leading practices suggest user access reviews be conducted at least annually. Maricopa County Internal Audit 11 Jail Management System–May 2012
Issue 4 Change Management Summary MCSO does not have a formalized change management process for authorizing, testing, and approving the Jail Management System (JMS) changes. JMS developers have unrestricted access to the application. If unauthorized or untested changes are introduced into JMS, they could create data integrity and system availability issues. MCSO should strengthen its change management controls. Criteria COBIT recommends the following change management practices: Condition Ensuring applications are aligned with business requirements Managing IT changes in a formal, documented, and controlled fashion MCSO has not formalized its change management policy and procedures. Change management procedures standardize the system change processes. Currently, the MCSO Technology Bureau receives and coordinates requested changes via email with the agency requestor. Approvals are handled informally and are not consistently documented before being moved into production (where “live” transaction processing occurs). Developer access to the JMS production environment is not appropriately restricted. Effect Formal change management procedures introduce system changes in a controlled and coordinated manner and prevent unplanned, unauthorized, and untested changes to JMS. Effective change management procedures also reduce the risk of service disruption and associated costs. Cause MCSO Technology Bureau staff report that resource constraints have prevented them from documenting change management procedures. Instead, they have relied on their extensive JMS experience to compensate for this control weakness. Recommendations MCSO should: A. Develop a formalized process for authorizing, testing, and approving JMS changes. B. Limit developers’ access to JMS and/or implement system monitoring controls to identify and review the appropriateness of system changes. Maricopa County Internal Audit 12 Jail Management System–May 2012
Page 1 and 2: A Report to the Board of Supervisor
Page 3 and 4: 301 West Jefferson St Suite 660 Phx
Page 5 and 6: Introduction Background The Jail Ma
Page 7 and 8: JMS Environment Because JMS is a mi
Page 9 and 10: (Blank Page) Maricopa County Intern
Page 11 and 12: Condition Through observation, limi
Page 13: Issue 3 Personnel Screening and Acc
Page 17 and 18: Recommendations MCSO should conside
Page 19 and 20: Sheriff’s Office Response Maricop
Page 21 and 22: Jail Management System (JMS) Sherif

Jail Management System - Maricopa County

Create successful ePaper yourself

Delete template?

Save as template?